The Kremlin had begun to withdraw Soviet troops from Afghanistan, the International Olympic Committee was officiating table tennis as a sport at the Seoul Games, and Rick Astley's "Never Gonna Give You Up" still topped the charts weekly. The year was 1988, and the first major computer virus was ravaging systems across a network of only 60,000 to 80,000 connected machines.
Robert Morris, a graduate student at Cornell University, had just unleashed the Morris Worm upon the internet, routing it through an MIT IP address to hide his identity. As the rudimentary bug spread across the country, it crashed between 10% and 20% of the computers hooked up to the internet and caused thousands of dollars in damages, exposing the safety flaws embedded in the bull-rush digitization of the '80s.
Across the country in Pittsburgh, Richard Pethia got a phone call from the Department of Defense two weeks later.
Pethia sat at the helm of Carnegie Mellon University's recently fledged Software Engineering Institute, which the Department of Defense had established just four years prior, to investigate the quality of the software the agency was buying.
The problems the Morris Worm highlighted required new solutions, so Pethia founded the world's first computer emergency response team to respond to similar crises in the future. This episode started the field of cybersecurity: what students and professionals call a cat-and-mouse game of attack and defense.
Trading steel for silicon
"We were the nation's frontline of incident triage and response," says Matthew Butkovic, the technical director of the Cyber Risk and Resilience Directorate in the Computer Emergency Response Teams (CERT) Division. "We have a legitimate claim that, at least in the network [or] internet security way of looking at it, we are the legitimate birthplace of cybersecurity."
Professionals and researchers in the cybersecurity space say Pittsburgh's entrenchment within the field helped pull the city out of economic doom and marked the start of the local tech sector's decades-long climb. But with large companies in other cities vacuuming up graduates from top area programs, some in the industry say they can’t find the talent they need to meet the demand.
Since Pethia established the CERT Division, it expanded its focus to include software development and research into cybersecurity defense and has served as a model for hundreds of similar departments globally.
Butkovic noted that the birth of cybersecurity trailed the birth of the internet by mere years — as long as it took for its security flaws to be made apparent. Before the Morris Worm, a 15-year-old high school student in South Hills created one of the first known computer viruses, Elk Cloner, which would infect Apple computer systems by attaching to 5.25-inch floppy disks.
The impact of the CERT Division wasn't strictly global. Butkovic muses that the program's establishment in Pittsburgh gave a lifeline to a city drained of blood.
The post-WWII decline of Pittsburgh-based U.S. Steel, once the largest company in the United States, steepened in the 1970s when mills began closing. Pittsburgh's unemployment rate peaked in the early 1980s at around 17%, marking a city in peril.
Butkovic employs Pittsburgh's common recovery catchphrase "meds and eds" to describe the conscious decision of city leaders in the '80s and '90s to bolster the University of Pittsburgh and CMU and invest in healthcare giant UPMC as a means to move away from the steel industry.
The rising prominence of CMU as a top school for computer science in the country dovetails with the founding of the CERT Division. Coupled with the spate of local tech startups founded in the following years that continues through today, Butkovic says a more appropriate description of the city's recovery is "meds, eds, and tech."
"These things were viewed as the future, and it turns out they were right that meds, eds, and tech really are the lifeblood of much of our economy now right here in Western Pennsylvania," Butkovic says.
Growing industry, growing need
John Kostuch's interest in computer systems blossomed as a teenager when he was walking through the now-shuttered Century III Mall in West Mifflin and watching people game on newly-minted Atari 400s. Still in the midst of the over two-decade career as a cybersecurity engineer that followed, Kostuch agrees with Butkovic that tech helped pull Pittsburgh out of ruin.
Kostuch says that initial investment into CMU gave Pittsburgh the technological foundation for further local development of the computer-science talent pool and ultimately attracted branches of tech giants Apple, Microsoft, and Google.
"Are there smart, intelligent people here in the tech space? Absolutely," Kostuch says. "Some of those people are some really, really smart people. And I know of a couple of companies that have come out of this area because [those] people were here."
The number of informational technology companies, which includes cybersecurity service providers, in Southwestern Pennsylvania increased from 1,571 in 2013 to 1,874 in 2022, according to annual reports published by the Pittsburgh Technology Council, a membership-funded professional organization for tech companies in the region.
That 19% increase in IT companies is among many positive trendlines in other local tech sectors such as energy, health sciences, and environmental technology.
However, with a 521,827-person-sized hole in the United States cybersecurity industry workforce alone in 2023, according to the latest Cyber Workforce Study from ISC2, a nonprofit industry organization, many companies have difficulty finding the employees needed to expand.
As companies across fields migrated their operations online during the pandemic, the need for high-quality cybersecurity in Pittsburgh and elsewhere in the country increased, explains Rick Topping, the vice president of operations for Ceeva, a Pittsburgh-based IT company founded in 1992 that offers a suite of cybersecurity services.
Topping says Ceeva saw its largest uptick in demand in its history in just the last three years. He says what would have been a major growth opportunity for the company was bottlenecked by an inability to attract talent.
"It's never been harder for me to hire good people," Topping says. "The cybersecurity world is just begging, begging for more people to get educated and be able to fight against the bad guys."
Kostuch calls it the "age-old Pittsburgh problem": attracting and retaining talent. He says the talented graduates at the local universities often accept jobs at more prestigious, higher-paying companies in cities like San Francisco or Seattle.
Forging the future
Jay Bosamiya is a hacker and Ph.D. student in CMU's Computer Science Department focusing on cybersecurity. As a member and former president of the Plaid Parliament of Pwning, the school's hacking team, he is one of the best competitive hackers in the world. The team competes and often wins every year at DEF CON, a major annual hacking competition hosted in Las Vegas.
Bosamiya is researching the "mathematical guarantees of security." That is to say, he wants to make software, or at least certain corners of software, unhackable.
"If you want to defend a system, you have to understand how people break in, and in order to break into a system, you have to understand how people defend it," Bosamiya says. "The two things are so much more intertwined than most people realize."
But Bosamiya doesn't plan on staying in Pittsburgh after he graduates. Instead, he's eyeing jobs in the cities better recognized as tech capitals.
Audrey Russo, the president and CEO of the Pittsburgh Technology Council, quickly points out that Pittsburgh is not a desert in the eyes of large tech companies and notes that Duolingo was founded in the city.
Yet Russo says she understands why young professionals feel drawn toward cities better lauded for their tech scenes and admits that, for Pittsburgh, it's not a problem with a simple solution. She says for the city to retain the talent it attracts through programs at CMU, it needs to bring in more, larger companies.
Rohan Viswanathan, a graduate student in the Information Networking Institute at CMU, came to CMU from Texas A&M and plans to pursue cybersecurity after college. Unlike others, he says he can see himself staying in Pittsburgh.
"Just talking with the other people in the [Information Networking Institute], I have just heard of so many different companies and opportunities that people are taking up," Viswanathan, a member of the competitive U.S. Cyber Team, says.
The large number of tech startups and branches of larger tech companies, combined with the "hustle and bustle" of the city, are keeping Viswanathan in Pittsburgh, but CMU and its computer science programming brought him here in the first place. He says CMU is widely considered the best school for cybersecurity in the country and notes how it's constantly at the forefront of the field.
Thirty-five years after Pethia founded cybersecurity as a field with the establishment of the CERT Division, and seven years after he retired to a life of fishing along the coast of South Carolina, CMU staked another flag in the ground: the school's Software Engineering Institute announced the formation of one of the world's first Artificial Intelligence Security Incident Response Team in November of last year to analyze and respond to threats and security incidents emerging from advances in AI and machine learning.
By staying on the cutting edge of the tech world, CMU is aiding Pittsburgh in its decades-long mission to recover from the steel industry's collapse, Butkovic says.
"I do think that as a tech center, our story here at CERT is absolutely bound to the larger story of how Pittsburgh reinvented itself," Butkovic says.
