I saw it in play, on the conference stage and in sidebar conversations: your U.S. government coming together, bringing the power of the interagency to discuss some big issues around energy infrastructure and, in particular, the security of its networks. It was DOE’s annual CyberCon and, big picture, the goal was to exchange ideas on a range of policy, management, and people aspects – from the Modernizing Government Technology (MGT) and Federal Information Technology Acquisition Reform Act (FITARA), to new advances in Continuous Diagnostics and Monitoring (CDM), to cyber workforce development. Smaller picture, but just as important: it was to seed those connections that would help programs launch new or better services, products, or ideas, and help craft roadmaps for their future.
Being back in the DOE community after having been closer to DHS for the past decade, I realized how connected the interagency cyber environment is and how – across policies, management, and technology – much is strikingly similar. Across the agenda, the plenaries, the panel sessions, it was not just DOE’s agenda, but an interagency agenda that was playing out.
Shared Cyber Environment
The interagency is not just sharing a cyber environment; it is thinking in lockstep. At the basic level, we are all doing similar things. We are all looking to understand and implement many of the same legislative requirements, orders, and presidential management agenda, and to get those initiatives done we must come together to share challenges and solutions. We are all trying to tease out what it means to share – everything from information to responsibility – and how to do that through the lens of the public-private partnership model. We are all thinking through diversity and are focused on launching our communities and networks much more prismatically to capture the expanse and spirit of innovation (but also to ensure that we out-innovate our adversaries). We are all thinking forward and developing use cases for emergent new(er) tech, like artificial intelligence, robotic process automation, blockchain, 5G (but sometimes perhaps with a little irrational exuberance). We all admit weaknesses and vulnerabilities (and not just on our networks). We are all emerging into and coping with this new era of privacy because… GDPR. Oh, and data – it’s still a big issue.
A Framework for Discussion
The interagency is playing some master strokes in orchestrating how we will all come together on these issues. CyberCon laid out the chessboard and teed up the key themes and structure that we need to carry forward.
Bottom line, we need to look big picture across how we are establishing policy, developing technology, and managing people. We need to understand the intersects in what are seemingly very different initiatives. For example, executing the intent of the Modernizing Government Technology Act, conducting continuous diagnostics and monitoring, and designing and shaping our cyber workforce might seem like very different initiatives, but pull the thread and there are definitely overlaps and interdependencies.
Similarly, we need to explore these issues as a holistic ecosystem. We need to not only bring the nation’s energy cyber brain trust together – CIOs/CISOs/CTOs as well as cyber-focused operational staff from HQ, labs, and PMAs – but also interagency partners who will have different use cases and perspectives. (BTW, best quote at CyberCon18: “What we need to do here comes back to what you learned in kindergarten: that ‘sharing is caring.’”)
We need to explore advances in technology and capabilities to constantly challenge our current thinking. We’ve been thinking for a while now that it’s better, faster, cheaper to focus on “detect and respond,” but given advances in machine learning and artificial intelligence, are we now at the place where it’s better to invest earlier in the threat spectrum in “protect and prevent”?
It’s always a good exercise to consider how to “rework the fundamentals.” As an example, recent executive orders and guidance have reset our perspective and focus back to assets (e.g., Section 9 infrastructure), a shift in thinking from the longer-term systems focus. Never think that we won’t revisit the journey across time and space.
It’s important to understand that while we’ll always wrestle with some recurrent challenges, we shouldn’t give up on them. The list is long: How do we synchronize our systems and cyber tools across the varied subcomponents? How do we manage the explosive growth of digitization and network interconnection that has blurred the lines between IT and OT, which brings both efficiencies and new risks? How do we take into consideration the growing volume of indicators, a significant number of which could be false positives? How do we deal with the increasing frequency, scale, and sophistication of attack methods? Can we really trust the information sharing process?
And finally, think about the present, but keep a laser focus on the future. Want to know what’s harder than developing KPIs and metrics for your current programs but, I’d argue, is just as or even more important? Thinking about where future cyber threats might take shape not today, not tomorrow, but decades from now. NotPetya V8.0?
Bottom line – there’s a framework for a conversation that should manifest going forward. DOE CyberCon laid that framework, as it centered around the idea that while there are some principles to organize our thinking, there is no linear path to solutioning. Innovation emerges from exploring multiple paths, and is how we learn, grow, and adapt, and not just by one agency, but by the power of the interagency.