The Department of Energy (DOE) plans to roll out an enterprise risk management framework that would provide cybersecurity data about the agency in one place and enable better information sharing between departments.
“The enemy isn’t a hacker in the basement,” Micah Czigan, director of the Integrated Joint Cybersecurity Coordination Center for DOE, said at FCW’s Big Issues Conference on Nov. 1. “The enemy is a world power nation-state.”
Czigan said that the increase in cybersecurity threats has caused the need for a single dashboard for cybersecurity data for DOE. When the dashboard detects a problem, the goal is for the IT specialists to communicate back and forth with the specific system’s administrator to get the problem resolved.
As DOE has worked to comply with the Continuous Diagnostics and Mitigation Program (CDM), Czigan has learned the importance of having one-on-one conversations with the leadership of different departments in order to explain how CDM will benefit their individual missions. Czigan said that the CDM team also has to be receptive to feedback when tools aren’t working.
“You’re going to do this because I said so doesn’t work very well,” Czigan said. “You can’t just say here is this tool that’s going to work for everybody because it doesn’t.”
Willie Crenshaw Jr., program executive for CDM and Risk Management at the Office of the Chief Information Officer for NASA, said that IT teams need to ensure that the agency isn’t just following CDM because it’s mandated, but because the agency recognizes the importance of strengthening its cybersecurity.
“No one likes change,” Crenshaw said. “It’s like pulling teeth. If you don’t pull it out then it’s going to get harder to get out. Then they’ll have to put you asleep to pull it out.”
Crenshaw said that he’s experienced success by showing agency employees that the IT team is there to help them accomplish their mission. For example, the IT team wants to help NASA scientists share their research papers.
“You have to be wired to say ‘yes,’ ” Crenshaw said. “Security is not about saying ‘no.’ ”
Crenshaw said that the fact that hackers are getting smarter requires vendors to build systems more securely.
“We have to keep the momentum,” Crenshaw said. “It’s like a football game.”
Crenshaw said that NASA has been working on training system administrators on the new tools, rewriting IT policies, changing the reporting process to ensure that the leadership knows about cybersecurity problems right away, and focusing on risk management so that the agency can prevent attacks before they happen.
“Cyber is a lot more hostile than it used to be,” Crenshaw said.