The Energy Department is finding a silver lining from its cyber breach that exposed the data of more than 50,000 employees last year.
Energy developed a new tool to help ensure outdated software is updated proactively before it becomes a security risk.
Rick Lauderdale, Energy’s chief architect, said the department is one of the first public or private sector organizations to use IT asset management information to direct how it protects its networks and systems.
“We have a couple of applications we use at Energy and we tied the information together like lifecycle management for software and hardware into an easy readable dashboard. This is real information based on IT asset inventory that they have,” Lauderdale said in an exclusive interview with Federal News Radio. “They provide information to us and we provide the knowledge and dashboard back to them so they can actually make decisions going forward. The original equipment manufacturer provides the dates and lifecycle information, and then we provide that to them so they know whether in 18 months they have to start phasing this piece of software or hardware out. Like Windows XP Pro went out of date on April 8, and in the six-month window, you definitely have to get it off the network. Then when the window expires, you’ve become vulnerable because that software or hardware is no longer being supported by the manufacturer.”
Back in July 2013, hackers took advantage of an outdated software program that hadn’t been patched to expose the personal data of more than 50,000 employees.
Lauderdale said that breach was the impetus to try something new to mitigate known risks.
“There was no cookbook for going forward. We actually put the pieces together piece by piece,” he said. “It took about nine months with three people. It’s very innovative.”
Not a purist view of EA
Mike Rosen, an adjunct research advisor for IDC’s Research Network, said Energy’s effort is unique.
“We rarely see an example where someone has taken a very focused approach on enterprise architecture and hasn’t been a purist about it, and instead said ‘I have this problem, how can I solve it? Let me collect data and process that data and give it to people who need to make decisions and give it to them in a way that helps them make decisions,’” he said. “What we see is if you give people information that helps them do their job better, they will come back to you. It sounds simple, but it’s so rare.”
Rosen said IDC wrote a case study about Energy’s use of enterprise architecture to improve cybersecurity and overall IT asset management.
Lauderdale said the tool is government-owned and developed based on a commercial dashboard. He said it cost about $400,000 for the software, servers and implementation.
“We use commercial software. We have people who are trained on it and it’s an interaction between the commercial sector and the government,” he said. “We bought the software for life, meaning we don’t have to pay for the software on an annual basis. We have to pay a maintenance fee, which is very low. It’s a very low investment and a high return.”
Lauderdale said that high return has been obvious from the start.
He said Energy’s chief information officer’s office had two goals in developing the tool. The first is focused on cybersecurity. The second is much broader around improved IT asset management.
“The short-term benefits are to know what you have, when the lifecycles are, and when you put the costs associated with the lifecycles you can do financial planning. We have briefed stakeholders within DoE because they actually love it because they are looking forward instead of looking backwards. They know the IT assets they have, both software and hardware that are on their particular network they are responsible for, and they do some planning,” he said. “Now if they have denied or obsolete software because of end of life, then they know they have a possible security breach. Usually what happens is you never know what is occurring; you usually find out after the fact. So now we are trying to prepare them not to be reactive, but proactive. I don’t think it’s going to solve all the security issues because there are many facets to cybersecurity, but this is one big one that all agencies face.”
Reconciling the checkbook
Lauderdale said just knowing the software and hardware titles is one thing, but knowing the version and whether the vendor is still supporting that particular version is much more difficult than most think.
Program and business officials receive a dashboard view of the state of their hardware and software. Green means the technology is and will remain in good standing for at least the next 18 months. Yellow means the technology needs attention in the next year. If it’s red, then the hardware or software needs to be updated or removed from the network in the next six months.
Lauderdale said the tool also provides other data including cost and usage information, both of which can be filtered to meet the office’s needs.
But at the top layer of the dashboard, he said, it’s very easy to understand the state of technology.
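As an added illustration, not the department’s tool (the article does not describe its internals), the following Python classifies a constructed inventory using the green/yellow/red thresholds described above. The treatment of the 12-to-18-month band, of items already past end of support, and of items with no vendor date yet reconciled is my assumption, as is the sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    version: str
    end_of_support: Optional[date]   # OEM-published date; None = not yet reconciled


def months_until(eos: date, today: date) -> int:
    """Whole months from today until end of support (negative once expired)."""
    months = (eos.year - today.year) * 12 + (eos.month - today.month)
    return months - 1 if eos.day < today.day else months


def status(asset: Asset, today: date) -> str:
    """Dashboard colour per the article: green >= 18 months, yellow within a
    year, red within 6 months. 'expired' and 'unknown' are added here because
    an unsupported or unreconciled item is exactly what the breach exploited."""
    if asset.end_of_support is None:
        return "unknown"            # title in inventory, but no vendor lifecycle data
    remaining = months_until(asset.end_of_support, today)
    if remaining < 0:
        return "expired"            # past end of support: must come off the network
    if remaining <= 6:
        return "red"
    if remaining < 18:
        return "yellow"             # 12-18 months treated as yellow (assumption)
    return "green"


def dashboard(assets: List[Asset], today: date) -> Dict[str, str]:
    return {f"{a.name} {a.version}": status(a, today) for a in assets}


def summary(assets: List[Asset], today: date) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for s in dashboard(assets, today).values():
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample inventory; only the Windows XP date is the one the article cites.
SAMPLE = [
    Asset("Windows XP Professional", "SP3", date(2014, 4, 8)),
    Asset("ExampleServerOS", "7.1", date(2014, 9, 30)),
    Asset("ExampleDB", "5.4", date(2015, 3, 15)),
    Asset("ExampleApp", "2.0", date(2016, 6, 1)),
    Asset("LegacyTool", "1.x", None),
]
```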
“A lot of times they already have the information. They are doing an IT inventory or asset management. What we are doing is reconciling the checkbook. We are taking the information that you have and we are reconciling to what we have and we are producing clean information back to you,” Lauderdale said. “Sometimes it just gets too hard for the stakeholder to reconcile the information because sometimes there are 2,000 changes a day with different vendors, adding version, changing names and how do you figure out who’s on first? That’s what we do along with the commercial software that we have. It’s challenging, but once you have the complexity down in the background, it’s very simple in the foreground, and that’s what we are trying to do.”
Lauderdale said the feedback from the mission areas has been good, including one saying this has been a huge cyber and mission gap over the years.
Applicable across the government
IDC’s Rosen said Energy’s approach is successful because it started small, focused on solving a specific problem and showed value to the users quickly.
“They started with the cybersecurity problem and patched a hole the agency had with obsolete software, and then they took that same information and asked how they could manage their finances better, how they could manage what they are paying in license fees and management and maintenance of devices,” Rosen said. “They started small, showed what they were doing was valuable to the business, got feedback and grew.”
Rosen said Energy is solving a big data problem by collecting information, cleaning it up and focusing on solving real problems.
He said other agencies could learn from what Energy is doing.
Lauderdale said he’s shared the tool with Office of Management and Budget Chief Architect Scott Bernard, and offered briefings to other agencies.
“It’s very adaptable to other agencies,” he said. “They just have to have the primary pieces of information in place and then they can move forward. They do not have to reinvent the wheel.”