Connect with us

Hi, what are you looking for?



DOE CIO Talks to SecurityWeek About Cybersecurity, Digital Transformation

Ann Dunkin, CIO at the Department of Energy, is more concerned about cyberattack speed than attack type or source.

SecurityWeek talks to Ann Dunkin, CIO at the Department of Energy

Ann Dunkin is CIO at the US Department of Energy (DOE). Among her responsibilities, she heads IT and oversees cybersecurity. This week she spoke at Israel’s Cyber Week, and SecurityWeek took the opportunity to speak with Dunkin.


The DOE can trace its origins to the World War II Manhattan (atomic bomb) Project under the US Army Corps of Engineers. As the DOE emerged, it retained its nuclear responsibilities. “We are responsible for managing and maintaining the US Government’s nuclear stockpile,” explained Dunkin, “and refreshing that because components of nuclear weapons become obsolete and must be replaced. We are responsible for nuclear non-proliferation and for working across the world to reduce the proliferation of nuclear material. And we build propulsion for nuclear submarines as a joint effort within the US Navy.”

The department also has responsibility for around 70 national laboratories – such as the Lawrence Livermore National Laboratory, the Los Alamos National Laboratory, and the Princeton Plasma Physics Laboratory. They undertake everything from basic scientific research to applied research and classified research. “They are,” she suggests, “the engine for innovation in the country and arguably the world.”

Ann Dunkin, Chief Information Officer at the U.S. Department of Energy

Beyond this, the department operates the electricity grid in 35 of the US states and is responsible for the radio frequency spectrum required to keep the grid – and other parts of the DOE – running.

“I’m responsible for all these things from an IT standpoint, including that part of the energy sector that the DOE owns and operates. I’m not responsible for the energy sector where DOE does not operate the assets. Private sector energy is not my responsibility, but I am responsible for the part that DOE owns and operates.”

Cybersecurity role

Part of this responsibility is cybersecurity oversight. This raises a fundamental question that has relevance beyond the DOE: how does an IT specialist acquire cybersecurity expertise?

“Every job I’ve had in the last 13 or 14 years as a CIO has included cybersecurity,” she says. This is fundamentally because security has, and still largely does, report to IT. But it flirts with an ongoing question among CISOs – should a CISO report to the CIO?

Advertisement. Scroll to continue reading.

Many CISOs think not, and believe there is an inherent and unavoidable conflict of interest between the two roles. Dunkin dismisses this and suggests that IT performance and security go hand-in-hand.

“CIOs are ultimately accountable for the success or failure of the security programs because they’re ultimately responsible for the success or failure of IT, and OT, and IoT in their organization. From my standpoint, it is critically important to me that I have a strong partner in the chief information security officer, and that we have a strong cybersecurity program.”

She doesn’t believe there is any conflict between IT and security – rather, they are two aspects of a successful system. “In fact,” she adds, “Congress believes this approach is so important they have mandated within the federal government that CISOs should report to CIOs. This is specifically to ensure that IT and security are in sync and have the same drivers for their performance.”

She believes there is more risk if you take security and put it in its own siloed part of the organization, potentially creating a situation where they each have different drivers and incentives. 

Digital transformation in the DOE

Dunkin used the current digital transformation program within the DOE to illustrate the inseparability of IT and security. “There are two things you’re trying to accomplish in digital transformation if you’re doing it right,” she said. “Firstly, you’re trying to design solutions that are more intuitive, more user friendly, and are focused on user experience – you don’t simply want to automate the paper process and you don’t even want to redesign. You don’t want to take the current process that may or may not be automated and pick it up and move it because in many cases, it’s not always user friendly.”

This part of digital transformation could almost be considered security agnostic. “But secondly,” she adds, “you want to get rid of a bunch of old legacy technologies and legacy systems that are hard to secure.” Between the options of rebuilding or automating an old system that wasn’t automated, or buying a new ‘off-the-shelf’ application, the latter is usually the best solution.

“That solution is now usually a cloud service. And one of the reasons you buy a cloud service is because you believe the vendor can do it better, faster, and cheaper than you can do it yourself. Part of ‘better’ is ‘more secure’.”

She uses Microsoft and Google as an example. “They can both probably secure an email system better than I can because it’s their core competency. They can certainly run it better than I can. So, I’m going to let them do it for me. And that transformation of going from an on premise email that I built and managed myself to a service from them is going to reduce my security risk, not increase it. While any new technology, or any new project, can introduce new risks, one of the primary goals of digital transformation is to reduce your risk and reduce your exposure.”

But digital transformation is not an example of trust and pray, but more a case of hope for the best and prepare for the worst. For example, digital transformation inevitably leads to at least some migration to the cloud. Cloud use leads to increased machine or user to machine communication, and this drives an increased reliance on APIs.

APIs are a risk,” she conceded. “But there are risks everywhere, and we simply don’t know what we don’t know. The cloud is just somebody else’s data center. If I take an application and put it in the cloud it is no riskier than if I keep it in my own data center. APIs may introduce new risks, but they and micro services offer great advantages – they help you get rid of old monolithic applications that have their own risks including the difficulty in modernizing and securing them.”

The cybersecurity solution, she says, is defense in depth, starting with evaluating the application. “We have the Federal Risk and Authorization Management Program (FedRAMP). Vendors must demonstrate their products are secure by going through this process.” FedRAMP provides a standard approach for security assessment and authorization of cloud products and services.

Further layers of defense are added. “We’ll use MFA wherever possible. Not everything supports MFA, but the challenges for MFA are much more on the side of our operational technologies than they are on enterprise applications and certainly on the things we’re buying now. And we’re never going to assume that anyone or anything is trusted.”

MFA is part of the concept of zero trust, which is mandatory for government departments. “I’m not going to let you through my network perimeter or into my cloud and just say, okay, run wild there. I’m going to make you reauthenticate yourself everywhere you go. And I’ll already have encrypted all my data. I will never be able to completely guarantee security from the unknown unknowns, from the zero day vulnerabilities we continue to see. But if we do everything possible to secure the applications through defense in depth, if we put them in the most modern and safe environment we can, and then we do everything we can to authenticate our users, secure all the entry points and patch vulnerabilities as quickly as possible, then we will be as secure as we can be.”

Emerging threats

We asked her where she thought these unknown, unknown threats might come from, and what she does to mitigate them. The supply chain is high on the list, and a threat that affects everyone.

“We have a supply chain risk management program in my office,” she said, “and there are multiple programs throughout the DOE. We share information across these programs, and we’re developing a center of excellence model to help coordinate them. It’s the way we already handle threat intelligence and threat information.”

Part of software supply chain risk mitigation comes from the use of SBOMs, although there have been many concerns over the current effectiveness of these. Dunkin points to the National Cybersecurity Strategy, which sets the tone for cybersecurity within government agencies. “One of the goals is to shift responsibility for vulnerabilities to those most able to handle them, and to those who are responsible for them. We’re working to encourage our vendors to follow best practices, to secure their systems and to give us good information about what’s in there.”

Elsewhere, she feels the biggest threat is not necessarily any specific type of attack or attacker, but the speed of the attacks. “I think the biggest challenge I see is that the time between the discovery of a zero day and the time that it’s exploited continues to decline, while the scale continues to increase.”

Many commentators believe the spurt in artificial intelligence over recent months, and especially large language models and generative AI such as that used by ChatGPT, will increase the speed and scale of adversarial attacks. Dunkin wouldn’t be drawn on the specifics, but commented, “Artificial intelligence helps everybody, regardless of which side of the game they’re playing. Artificial intelligence helps us get better and helps our adversaries get better.”

The implication is clear. We don’t yet know how AI will affect cybersecurity, but we do know that improvements in adversarial AI will need to be countered by improvements in defensive AI. Defensive AI may need to become another layer of defense in depth.

Related: A Russian Ransomware Gang Breaches the Energy Department and Other Federal Agencies

Related: Microsoft, Energy Department and Others Named as Victims of SolarWinds Attack

Related: U.S. Energy Department Invests Another $28 Million in Cybersecurity

Related: U.S. Energy Department Unveils Multiyear Cybersecurity Plan

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.