skip to Main Content


MCRCon 2016 Sets New Attendance Record

Ann Arbor, Mich. – Merit Network and the Michigan Cyber Range recently hosted the fourth annual MCRCon cybersecurity conference. The event set a new attendance record with more than 200 individuals from cybersecurity, state government, education and business organizations attending.

Cybersecurity experts, hackers and industry professionals presented on a wide variety of engaging topics at MCRCon, including the dark side of the internet, two-factor authentication, advanced cyber attacks, phishing, new technologies, best practices and more.

Many attendees participated in an exciting virtual capture-the-flag competition within the Michigan Cyber Range’s Alphaville environment, which challenged competitors to use their penetration testing and forensic skills to gather clues and earn flags and points along the way.

MCRCon is known for its dynamic featured speakers, and this year’s conference was no exception. The event featured keynote addresses from respected leaders in cybersecurity: David De Vries from the United States Department of Defense, Francesca Spidalieri from the Pell Center at Salve Regina University, Jon Oberheide from Duo Security, and J. Wolfgang Goerlich from CBI. Below are brief descriptions of their presentations.

Jon Oberheide

Co-founder and Chief Technology Officer, Duo Security

Jon Oberheide was the morning keynote speaker, offering several cybersecurity recommendations for organizations.
[visibility type=”hidden-phone”]

Jon Oberheide

Jon Oberheide, Duo Security

[/visibility] “Don’t buy security products… What I mean by this is that you shouldn’t be buying products generally. You should be focusing on streamlining your security operations. You should be working to reduce complexity in your infrastructure and your systems, and often times buying more products can make the problem worse instead of solving the problem,” Oberheide said.

“You look out at the market, and you’re like ‘what do I need to buy to solve my problems?’ You get a lot of noise from vendors. You get a lot of noise from analysts who say that ‘Hey, for every threat you have to buy the anti-threat tool.’ There’s malware, so you need anti-malware. There’s phishing, so you need anti-phishing. You deploy databases, so you need some type of database technology. You deploy networks, so you have to slap on a firewall, IDS, IPS, content filtering, a VPN. This is a challenging area for folks who might not be security experts themselves.”

He recommended that organizations remove complexity from the security programs.

“In the security industry, we preach defense in depth. There’s no silver bullet. Every security product is not going to completely solve your problems, so let’s line up nine or ten of them in sequence, and hope that the attacker can’t jump over all of those hurdles. What that actually results in is expense in depth, and you end up creating an unscalable security program because you don’t have the budget, you don’t have the staff, and you can’t recruit the staff. I know everyone in the audience feels the pain of trying to find qualified security practitioners. So you end up deploying a bunch of products that you can’t afford and you can’t manage. They don’t actually effectively solve your key security problems. There’s this inherent challenge that with complexity comes insecurity,” Oberheide stated.

He advised audience members to replace at least one of their old cybersecurity applications when buying a new product.

“Most of security is about reducing your attack surface. That’s 90 percent of security… One rule of thumb that I hope you can try take back as a promise to put in place is don’t buy a new security product unless it allows you to decommission two others. It’s kind of a cash for clunkers type of thing. You’ve got a rack of gear, and you really need to at least exchange one or two products when you get something new. Otherwise you end up with this continuing rack of boxes and blinking lights, and you don’t actually know which are providing security value and which are stopping attacks. I dare you guys to aggressively simplify your security program.”

Oberheide said that helping end users accomplish their work should be a goal of security professionals not just stopping cyber attacks.

“The way we need to be approaching security is not as a battle of good versus evil or us versus them. It’s that our jobs exist to make our users productive. It’s not the stopping of attacks. It’s enabling productivity.”

Oberheide said that the basics of strong authentication and keeping your devices and systems up to date can greatly improve security. He also recommended that organizations embrace the cloud and not be tied to hosting services on premises.

Francesca Spidalieri

Senior Fellow for Cyber Leadership, the Pell Center at Salve Regina University

Francesca Spidalieri discussed her research on cybersecurity leadership within state governments and emphasized that improving cybersecurity awareness among our leaders should be a priority.
[visibility type=”hidden-phone”]

Francesca Spidalieri

Francesca Spidalieri, Salve Regina University

[/visibility] “I still believe that the human factor is still the most important one (in cybersecurity), and if we don’t provide awareness and information from our leaders down to our children, that we will continue to be as strong as our weakest link,” Spidalieri said.

She noted how different industries are connecting their devices and machinery to the internet for convenience and for updates, which impacts cybersecurity.

“While it sounds really cool and innovative, if they can access it (using the internet), others can access it too. As we continue to embed all of these devices and connect every last mile of our states to the internet, we are also increasing the attack surface. That is going to continue to possibly degrade our economy and threaten our society. I think we are at a tipping point with the internet economy today. As we adopt the internet of things and we continue to embed all of those connected devices in every part of our lives, a lot of those devices are not well engineered. There are vulnerabilities that will be exploited, and we will become more vulnerable.”

She talked about her most recent study, State of the States on Cybersecurity, which provided snapshots of the cybersecurity implementations within state governments.

“The states cannot just wait for the federal government to come up with all of the solutions and effective strategies. I believe that there is a lot that the states can do to protect critical infrastructure and to protect their people and citizens… Some of the challenges that I found across all 50 states, even those that have pretty well-developed programs, are insufficient funding, an increased volume of cyber attacks and a great shortage of qualified cybersecurity professionals. Today in the United States, there are 209,000 cybersecurity openings and not enough people to fill those jobs. By 2020, it is expected that the worldwide need for cybersecurity professionals will be 8 million, with a shortage of 1.5 million.”

Spidalieri identified several states that were leading in cybersecurity efforts: California, Colorado, Delaware, Indiana, Maryland, Michigan, Missouri, New Jersey, New York, Rhode Island, Texas, Virginia and Washington. She stated that Michigan scored the high in the study and that the strongest assets that the states possess include: strong charismatic leadership, geographic location, great universities, business policies and cybersecurity commissions. Many states had a cybersecurity leader within their IT department, but she said that the strongest states had their cybersecurity leader report directly to the governor. Michigan was the first to have a chief security officer that was responsible for physical security and cybersecurity.
[visibility type=”hidden-phone”]

J. Wolfgang Goerlich

J. Wolfgang Goerlich, CBI

[/visibility] She believes it is important for states to have a strategic cybersecurity plan that identifies specific threats to the state and initiatives to deal with the threats. She stated that most states possess information technology plans and that Michigan is the only state to have a cybersecurity strategic plan. It is also important for states to have incident response plans.

J. Wolfgang Goerlich

Director Security Strategy, CBI

J. Wolfgang Goerlich discussed how organizations can create a defensible security architecture. He recommended embedding security into an organization’s processes and to prioritize security based on value. He encouraged attendees to use encryption, to analyze process flows to improve security and to adapt their security programs when necessary.

David De Vries

Principal Deputy Chief Information Officer, United States Department of Defense

David De Vries began by discussing the complexity and scope of the information technology within the U.S. Department of Defense (DoD).
[visibility type=”hidden-phone”]

David De Vries

David De Vries, U.S. Department of Defense

[/visibility] “It’s the information that counts, and if you go through today’s presentations, whether it be in the breakout rooms or up here, it’s all about the information. We like to coin a word, like sector A, sector B, sector C—whether it be for housing or automotive or for this or for that. DoD represents all of those sectors rolled into one… That’s why we like to say we’re a fortune zero company. There’s no company that comes close to this thing,” De Vries said.

Cybersecurity is something that the DoD and federal government have been concerned with for many years, and other industries are now facing similar challenges.

“Welcome to my world. Why? Ten years ago nobody cared about cybersecurity, except DoD… Along came the last two years, and we’re in the same camp now… Now the challenge is ours. The challenge is ours together. How do I support this (infrastructure) and the nation as a whole? It’s about information security, and we need help now.”

He said that the DoD still has legacy systems that it must maintain and operate, but they are working to modernize their systems. De Vries said that the DoD is partnering with industry, looking for ways to modernize its infrastructure and processes.

“Gone are the days that the DoD and the federal government were the innovators of the world. A lot of the technology that we use today, whether it be from medical science to automotive, probably came with dollars and backing from the federal government. I think the dollars will still be there, but the innovation is going happen inside the private industry. We need to keep working that, especially the world of IT, the cyber and so forth.”

De Vries talked about sharing cybersecurity information and threat vectors between the private sector, the DoD and federal government.

“We’ve heard people talking about threat vectors out there. They didn’t say that they came from NSA, Cyber Command, and so forth. They came industry, industry out there today. The information is out there on the web. It’s on the highway. They’re seeing those threat vectors. You’re forming up groups to share that information, and I think that information needs to be shared more broadly and more freely. The best information may be that which is free or that which is coming out of a consortium, rather than that which is classified, highly classified within inside DoD, and you have to pay for it and be on a special access list.”

“If I can share the threat information that’s out there—if you can share the threat information that’s out there, then we all don’t have to pay as much to do the mediations, to do the safe-guarding and all of the other stuff. It’s a novel concept. Some of you I know are working on that. My encouragement is to keep on doing that and to keep on working with the federal civilian agencies and DoD.”

The next MCRCon cybersecurity conference will be held in May 2017.

About Michigan Cyber Range

The Michigan Cyber Range prepares cybersecurity professionals to detect, prevent and mitigate cyber-attacks in a real-world setting. Like a test track or a firing range, the Michigan Cyber Range enables individuals and organizations to conduct “live fire” exercises: simulations that test the detection and reaction skills of participants in a variety of situations. The Michigan Cyber Range also offers certification courses for a number of cybersecurity disciplines, with instruction available on-site and live online. A full training schedule may be found at the Merit Michigan Cyber Range web site.

The Michigan Cyber Range is hosted and facilitated by Merit Network in partnership with the State of Michigan and with the sponsorship of DTE Energy.

About Merit Network

Merit Network, Inc. is a nonprofit corporation owned and governed by Michigan’s public universities. Merit owns and operates America’s longest-running regional research and education network. In 1966, Michigan’s public universities created Merit as a shared resource to help meet their common need for networking assistance. Since its formation, Merit Network has remained on the forefront of research and education networking expertise and services. Merit provides high-performance networking and IT solutions to Michigan’s public universities, colleges, K-12 organizations, libraries, state government, healthcare, and other non-profit organizations.

For more information visit