A checkup on cybersecurity with Energy Department CIO Ann Dunkin

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Cybersecurity poses a never ending challenge to federal information technology people. Now supply chain security has jumped into the pile of concerns. One chief information officer has put cyber defense at the center of her efforts at the ACT-IAC Executive Leadership Conference earlier this week in Hershey, Pennsylvania.  The Federal Drive with Tom Temin caught up with...

READ MORE

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Cybersecurity poses a never ending challenge to federal information technology people. Now supply chain security has jumped into the pile of concerns. One chief information officer has put cyber defense at the center of her efforts at the ACT-IAC Executive Leadership Conference earlier this week in Hershey, Pennsylvania.  The Federal Drive with Tom Temin caught up with Energy Department CIO Ann Dunkin. I asked her about whether all those energy labs make up a special supply chain concern.

Interview transcript: 

Ann Dunkin: So I think that, yes, it is a special concern, although I’m not sure it’s bigger than some of the departments and agencies, we have a lot of supply chain risk management programs in DoE. We do everything from what NNSA does, destructive testing of products and some of the labs do, some destructive testing, to more traditional programs where we look at data about suppliers, and we look out to the  nth supplier in that supply chain to understand who we’re buying, where it’s coming from, what components exist in that software, or hardware. And, actually, our challenge is that we do a lot of it. And we are often doing the same things across different parts of DoE. So I’ve been having conversations with the labs and with NNSA and other folks about, hey, let’s bring these programs together. And not to have anybody take over anybody else’s program, but to coordinate and say, “Oh, we already evaluated this, here’s our information”, let’s not have three other parts of the department evaluate it. So we have a tremendous amount of resources to bear on that we just need to get better coordinated to do to do more with it.

Tom Temin: Yeah, short of shared services, at least you can have shared information and shared practices, you might say,

Ann Dunkin: Exactly. And there’s value in having everybody do their own thing, because they’re looking at slightly different things. But sharing that information back and having a clearinghouse and I’m a big believer that the best place to do something in DoE is the place where the most knowledge is. So I’ve been trying to convince one of my peers that I don’t need to own that, that that’s something that clearinghouse, they can own. So I’m working on someone on that one.

Tom Temin: But cyber defense, that’s really your major focus, almost as CIO?

Ann Dunkin: It is huge. And I you know, it’s frustrating to me as someone who is deeply excited about innovation, that I spend far more time talking about cybersecurity, because it’s so important. And DOE has a really unique role in cyber defense. Because not only do we have lots of stuff to defend everything from, the nuclear stockpile, all the way to the electrical grid to our plants, labs and sites. But also we do research in cybersecurity and cyber defense. And so my team, my team’s role in that space right now is not only defending DOE’s footprint and DOE’s assets, but also understanding the research going on in DOE, and really being a clearinghouse to share that research across DOE. And we have an event that we’re putting together in the spring, which is going to be both classified and unclassified, where we’re gonna bring folks from DOE together from our researchers and to share their research. But also, it’s an opportunity for those researchers who don’t see each other to get together and have conversations. So we’re going to probably have a very formal event in the SCIF. And then we’ll have a formal event outside the SCIF with some academics and other folks. But then we’re going to get people and say, Hey, now’s your time to do kind of birds of a feather session, I saw something really interesting, I’m gonna grab these three people, we’re gonna go in the room, we’re gonna have a conversation. So we can not only share, but we can create more value  by getting those folks together to learn from each other.

Tom Temin: You know, it sounds prosaic, but it really seems central to the whole cyber defense issue, and that is the password-less society, password-less access for the public accessing systems and for federal employees themselves. Some have CAC cards, that’s kind of getting there. Is that an area that you’re looking at? Or that some of the researchers are looking at somewhere in DOE?

Unknown Speaker: I’m sure someone in DOE is looking at that, because any kind of research that you look for, I mean, things I don’t even expect – someone is doing. Certainly, it’s an area of interest for us. And, you know, one of our struggles is you not only have identity, but you have systems. And we’re getting pretty good with identity. But we have systems that can’t support the same infrastructure. So we have to look at what you know, if we can’t do password lists, what are our mitigations? And what are our compensating controls to make sure that it’s more safe and secure, but I have no doubt that there is someone somewhere at DOE who’s got the killer app that they’re developing right now.

Tom Temin: All right, you just have to find it. So right, which gets us to the question of the aggregator role that you’re developing for DOE, different places, become the locus of learnings. Tell us more about that one.

Ann Dunkin: So it was a serendipitous thing we were asked by the White House to deliver a 5g catalog. And we did that we realized there was huge value in understanding what DOE knows, because no one in DOE knows, what DOE knows. And so we pulled that together. We did that for 5g, then the next outcome was a strategy. And then the next outcome after that was, oh, here are the gaps. Here are the things that we need to fill and then we go and get people to fill those gaps. And so that’s what we’re repeating  in the cyber defense space. We’re repeating that, as we said, in the supply chain security space, and how do we not take over anybody’s mission but pull it together, understand it and then convey it out to the organization, in some cases, to other folks in the interagency or international partners, so that people can leverage that capability as well as we can fill the gaps in.

Tom Temin: It strikes me, that’s almost a shortcut to the learning agenda goals that the White House put out recently, we may not need to do so much learning, somebody already knows this stuff somewhere.

Ann Dunkin: Exactly. And you know, it’s funny, because this is this is similar to knowledge,  all these knowledge management systems we’ve been trying to put in place for decades, and they don’t work. No one fills in the data. So how do you create that knowledge aggregation? And, you know, we’ve learnt what we’re learning here is, it is very much a one piece of information at a time it takes a person to go out and get that information from people. But yes, it’s short circuits that we’ve got to learn new things by figuring out what we know and pulling that together.

Tom Temin: And workforce is another focus. I’ve heard you speak several times publicly on that the development of the cyber workforce, the IT workforce, tell us your latest thinking.

Ann Dunkin: There’s tremendous attention to cyber workforce. But all of our technical workforces are challenging to recruit, retain. And so we’ve got a couple things going on. Number one is that we have we’re implementing the cyber retention incentives that have been implemented across a number of parts of the government, we just launched our program across DOE. And being DOE,  it’s each department element decides whether they’re gonna participate or not, we have some levers at the labs because they’re not federal employees at 16, of the 17 labs. So we have a little bit more leverage, but we’re not going to be paying them what Google pays for example. So one of the exciting projects we have out there is our Omni Internship Program, which is sponsored by a number of parts of DOE. And that Omni Internship Program is designed to give college students a paid internship, because we recognize that if we want to have diverse students, we need a paid internship. We also have sites that are very remote, we have places like Albuquerque and Idaho Falls and, and Tri Cities, Washington. So what we really need to do is be able to get those students there, make sure they have transportation and housing, you have to get from the Albuquerque airport, you’ve got to get to Los Alamos, right, that’s not trivial if you can’t rent a car, because you’re too young. So we smooth out all the challenges of actually physically getting to those sites so that those students can have a meaningful 10 week internship. And then the goal is to have them for three years, across three different parts of DOE, and then  their clearance is ready, we’re at the end of their three years, and by the time they’re ready to come on board, they have a clearance. And so we hope to basically convince them that they want to be public servants, that our mission is exciting, and that they should come work for the government, whether it’s in the DOE, public sector side or in the private sector side of DOE. And, you know, we have a tremendous number of leaders in DOE, now, senior leaders who have started as interns. So we know it really is a place where people will spend their entire careers. It’s a huge enterprise, you can do a lot of things. And so we just need to get them in the door younger. So  that’s a big initiative on our part.

Tom Temin: Well, the State Department has several channels of internship like that, check with them, they might have the knowledge you need on smoothing it like you say they also bring in paid collegiate interns. You know, CIOs, often at these conferences and elsewhere, talk about artificial intelligence, cloud computing, modernizing the infrastructure, all those kinds of nuts and bolts things. Do you spend a lot of time on those issues? Are those pretty well under control? And the thing worth noting going on in those not prosaic but ongoing?

Ann Dunkin: Yeah, I mean, they’re the table stakes, right, that things that we need to be doing  to get our jobs done, to have credibility around the rest of the organization, at DOE we were doing really basic things in that space we have, we don’t have lots of big customer facing or public facing systems. So we don’t get a lot of visibility  from that standpoint, across the government. We have a few grant programs, things like that. But  we sell bulk power. We don’t sell to individuals, we do research grants, we don’t do research for individuals. So we’re certainly improving the ability of my office to deliver capabilities, we’re trying to ensure that across DOE, it gets easier to get an ATO, that it gets easier to use our paths where we have low code platforms and ATOs in place and if you use those paths, we’re going to try and make it streamlined for people. We’re  increasing the level of engagement across DOE with modernization programs to try and ensure that those programs are successful. And, you know, obviously continuing to manage our critical infrastructure across DOE but nothing earth shattering and new in that space. We’re just turning the crank to do all the things we should be doing to be successful.

Tom Temin: And midterms are coming. Will you stick around for the second half of the first term, at least?

Ann Dunkin: I don’t have any plans to go anywhere right now.

Tom Temin: Ann Duncan, CIO of the Energy Department, we spoke at the ELC conference earlier this week in Hershey, Pennsylvania.

Related Stories