Ann Dunkin is CIO at the US Department of Energy (DOE). Among her responsibilities, she heads IT and oversees cybersecurity. This week she spoke at Israel’s Cyber Week, and SecurityWeek took the opportunity to speak with Dunkin.
The DOE can trace its origins to the World War II Manhattan (atomic bomb) Project under the US Army Corps of Engineers. As the DOE emerged, it retained its nuclear responsibilities. “We are responsible for managing and maintaining the US Government’s nuclear stockpile,” explained Dunkin, “and refreshing that because components of nuclear weapons become obsolete and must be replaced. We are responsible for nuclear non-proliferation and for working across the world to reduce the proliferation of nuclear material. And we build propulsion for nuclear submarines as a joint effort within the US Navy.”
The department also has responsibility for around 70 national laboratories – such as the Lawrence Livermore National Laboratory, the Los Alamos National Laboratory, and the Princeton Plasma Physics Laboratory. They undertake everything from basic scientific research to applied research and classified research. “They are,” she suggests, “the engine for innovation in the country and arguably the world.”
Beyond this, the department operates the electricity grid in 35 of the US states and is responsible for the radio frequency spectrum required to keep the grid – and other parts of the DOE – running.
“I’m responsible for all these things from an IT standpoint, including that part of the energy sector that the DOE owns and operates. I’m not responsible for the energy sector where DOE does not operate the assets. Private sector energy is not my responsibility, but I am responsible for the part that DOE owns and operates.”
Part of this responsibility is cybersecurity oversight. This raises a fundamental question that has relevance beyond the DOE: how does an IT specialist acquire cybersecurity expertise?
“Every job I’ve had in the last 13 or 14 years as a CIO has included cybersecurity,” she says. This is fundamentally because security has historically reported, and still largely does report, to IT. But it flirts with an ongoing question among CISOs – should a CISO report to the CIO?
Many CISOs think not, and believe there is an inherent and unavoidable conflict of interest between the two roles. Dunkin dismisses this and suggests that IT performance and security go hand-in-hand.
“CIOs are ultimately accountable for the success or failure of the security programs because they’re ultimately responsible for the success or failure of IT, and OT, and IoT in their organization. From my standpoint, it is critically important to me that I have a strong partner in the chief information security officer, and that we have a strong cybersecurity program.”
She doesn’t believe there is any conflict between IT and security – rather, they are two aspects of a successful system. “In fact,” she adds, “Congress believes this approach is so important they have mandated within the federal government that CISOs should report to CIOs. This is specifically to ensure that IT and security are in sync and have the same drivers for their performance.”
She believes there is more risk if you take security and put it in its own siloed part of the organization, potentially creating a situation where IT and security each have different drivers and incentives.
Digital transformation in the DOE
Dunkin used the current digital transformation program within the DOE to illustrate the inseparability of IT and security. “There are two things you’re trying to accomplish in digital transformation if you’re doing it right,” she said. “Firstly, you’re trying to design solutions that are more intuitive, more user friendly, and are focused on user experience – you don’t simply want to automate the paper process and you don’t even want to redesign. You don’t want to take the current process that may or may not be automated and pick it up and move it because in many cases, it’s not always user friendly.”
This part of digital transformation could almost be considered security agnostic. “But secondly,” she adds, “you want to get rid of a bunch of old legacy technologies and legacy systems that are hard to secure.” Between rebuilding (or automating, if it was never automated) an old system and buying a new ‘off-the-shelf’ application, the latter is usually the best solution.
“That solution is now usually a cloud service. And one of the reasons you buy a cloud service is because you believe the vendor can do it better, faster, and cheaper than you can do it yourself. Part of ‘better’ is ‘more secure’.”
She uses Microsoft and Google as examples. “They can both probably secure an email system better than I can because it’s their core competency. They can certainly run it better than I can. So, I’m going to let them do it for me. And that transformation of going from an on-premises email that I built and managed myself to a service from them is going to reduce my security risk, not increase it. While any new technology, or any new project, can introduce new risks, one of the primary goals of digital transformation is to reduce your risk and reduce your exposure.”
Digital transformation is not an exercise in trust and pray, however; it is more a case of hope for the best and prepare for the worst. For example, digital transformation inevitably leads to at least some migration to the cloud. Cloud use leads to increased machine-to-machine or user-to-machine communication, and this drives an increased reliance on APIs.
“APIs are a risk,” she conceded. “But there are risks everywhere, and we simply don’t know what we don’t know. The cloud is just somebody else’s data center. If I take an application and put it in the cloud it is no riskier than if I keep it in my own data center. APIs may introduce new risks, but they and microservices offer great advantages – they help you get rid of old monolithic applications that have their own risks including the difficulty in modernizing and securing them.”
The cybersecurity solution, she says, is defense in depth, starting with evaluating the application. “We have the Federal Risk and Authorization Management Program (FedRAMP). Vendors must demonstrate their products are secure by going through this process.” FedRAMP provides a standard approach for security assessment and authorization of cloud products and services.
Further layers of defense are added. “We’ll use MFA wherever possible. Not everything supports MFA, but the challenges for MFA are much more on the side of our operational technologies than they are on enterprise applications and certainly on the things we’re buying now. And we’re never going to assume that anyone or anything is trusted.”
MFA is part of the concept of zero trust, which is mandatory for government departments. “I’m not going to let you through my network perimeter or into my cloud and just say, okay, run wild there. I’m going to make you reauthenticate yourself everywhere you go. And I’ll already have encrypted all my data. I will never be able to completely guarantee security from the unknown unknowns, from the zero day vulnerabilities we continue to see. But if we do everything possible to secure the applications through defense in depth, if we put them in the most modern and safe environment we can, and then we do everything we can to authenticate our users, secure all the entry points and patch vulnerabilities as quickly as possible, then we will be as secure as we can be.”
We asked her where she thought these unknown-unknown threats might come from, and what she does to mitigate them. The supply chain is high on the list, and it is a threat that affects everyone.
“We have a supply chain risk management program in my office,” she said, “and there are multiple programs throughout the DOE. We share information across these programs, and we’re developing a center of excellence model to help coordinate them. It’s the way we already handle threat intelligence and threat information.”
Part of software supply chain risk mitigation comes from the use of SBOMs, although there have been many concerns over the current effectiveness of these. Dunkin points to the National Cybersecurity Strategy, which sets the tone for cybersecurity within government agencies. “One of the goals is to shift responsibility for vulnerabilities to those most able to handle them, and to those who are responsible for them. We’re working to encourage our vendors to follow best practices, to secure their systems and to give us good information about what’s in there.”
Elsewhere, she feels the biggest threat is not necessarily any specific type of attack or attacker, but the speed of the attacks. “I think the biggest challenge I see is that the time between the discovery of a zero day and the time that it’s exploited continues to decline, while the scale continues to increase.”
Many commentators believe the spurt in artificial intelligence over recent months, and especially large language models and generative AI such as that used by ChatGPT, will increase the speed and scale of adversarial attacks. Dunkin wouldn’t be drawn on the specifics, but commented, “Artificial intelligence helps everybody, regardless of which side of the game they’re playing. Artificial intelligence helps us get better and helps our adversaries get better.”
The implication is clear. We don’t yet know how AI will affect cybersecurity, but we do know that improvements in adversarial AI will need to be countered by improvements in defensive AI. Defensive AI may need to become another layer of defense in depth.