Shift5 warns America’s transport and weapons systems are vulnerable, claiming it has the best people in the world – former members of an elite NSA hacking unit – to protect them.
“No one on the planet knows more about how to attack and defend these systems than we do,” says Josh Lospinoso, CEO and cofounder of cybersecurity startup Shift5. He’s talking about protecting the kinds of technologies people rely on every day, from planes to trains, as well as the American military’s weapons systems, and it’s hard to argue with his claim. Lospinoso and Shift5 cofounder Mike Weigand are former agents in the National Security Agency’s Tailored Access Operations unit, which has the mission of hacking into foreign adversaries’ networks. A clandestine division of the NSA, it’s perhaps best known to the general public because of Edward Snowden, a former NSA contractor who leaked the intelligence agency’s internal documents in 2013, warning about the threats its hacking operations posed to global privacy.
Lospinoso and Weigand, alongside third cofounder James Correnti, another military veteran technician, are now applying the knowledge they acquired at the NSA and the U.S. Cyber Command to Shift5, which is promising to secure the technologies powering American transportation and military systems. Those systems, Lospinoso says, are worryingly vulnerable to cyberattack. The company is announcing a $20 million funding round on Tuesday, as it plans to expand its 50-strong team of specialists and build out its product. The round was led by 645 Ventures, with additional funding from Squadra Ventures, General Advance and First In.
That cybersecurity is now a major part of modern espionage and warfare – and that parts of global critical infrastructure are vulnerable – is no secret. In Iran, for instance, drones have reportedly been hacked out of the sky, a uranium enrichment plant breached, and trains disrupted after displays at stations across the country were digitally defaced. In the U.S., Colonial Pipeline took its gasoline pipes offline after a ransomware attack, and another hack threatened to cut off meat supplies via a breach of JBS.
Based in Arlington, Virginia, Shift5 builds tech that monitors so-called operational technologies, such as systems that keep vehicles running or weapons systems online. It flags any anomalies so the military, train companies and other customers can ensure their systems are safe, reliable and available. Explaining the threat, Lospinoso claimed that when his team had tested the security of various infrastructure systems, in every case they were vulnerable to significant attacks. Even when the systems were not connected to the web, it was possible to launch potential attacks that could be carried out from 100 miles away with a software-controlled radio and a directional antenna. “Given the gravity of those sorts of things, hackers are going to figure this out,” he added. “It’s just a matter of time before critical civilian infrastructure becomes a victim to these sorts of things.”
Shift5 has already scored multi-million contracts with the U.S. military, most notably a project to develop a prototype vehicle security system for tanks. Today, it’s also announcing a new contract with the U.S. Army’s Rapid Capabilities and Critical Technologies Office to put Shift5’s commercial technology on Army combat vehicles. It’s also working with the U.S. Air Force on developing secure data transmission on fighter jets, and is putting together a data analytics prototype for the Air Force Cyber Resiliency of Weapon Systems office, according to public contract records.
In the private realm, it’s had the most success in the train industry. Though it declined to name customers, Lospinoso, who also worked for the Pentagon’s U.S. Cyber Command with Weigand, told Forbes that Shift5 is helping protect trains from coast to coast with several of the largest U.S. passenger rail systems. “There’s a reasonable chance that if you’re riding on a locomotive, there’s Shift5 gear involved on that system, or there’s about to be.” As for planes, the company is yet to take flight, Lospinoso says, adding that the Federal Aviation Administration was highly risk-averse when it came to allowing new technologies onto aircraft.
Jen Tisdale, senior principal for cyber physical systems at cybersecurity company GRIMM, tells Forbes that the military can’t sit back and wait to see if adversaries try to attack weapons systems or critical infrastructure, hence the need for companies like Shift5. She hadn’t, however, been able to test the startup’s tech to see just how well it protects the systems it claims it can secure.
“The general public should know threats exist,” Tisdale, a former cybersecurity strategy advisor for car maker Mazda, added. “The threats will change over time as technology and methodologies advance, so too must the cybersecurity solutions and practices.”