The Cyber Challenge Lessons Learned from the Department of Energy


The Cyber Challenge Lessons Learned from the Department of Energy Rolf Mowatt-Larssen Senior Fellow Belfer Center, Kennedy School of Government, Harvard University March 22, 2011

National Cyber Strategy – a Maginot line?
- How the question arose: my own experience
- Statement of the problem: two cyber summits
- External assessment: the national cyber plan
- Internal assessment: DOE strengths and vulnerabilities
- What needs to be done?
  - Cyber triage
  - Protect the crown jewels
  - Integrate the offense and the defense
  - Revise the cyber investment model

DOE Stakeholder
- $24+ billion, 100k+ people, 50K clearances
- National laboratories: R&D
- DOE core: nuclear weapons – the crown jewels
- Science: scientific and technological innovation, R&D; high-speed computing; energy; life sciences
- Cyber-related assets
- Scope of intelligence work: intelligence community role; field intelligence elements; work for others – trend line

Cyber Summit Opening Remarks, September 26, 2007
- "Never looked at the whole (cyber) problem…"
- "(We have) a process orientation, not a mission orientation."
- "Take out a blank sheet of paper – how can we protect DOE? Articulated risk-taking… rank order what needs to be protected, and draw a line on what cannot be protected."
- "Our science mission is highly dependent on speed, transparency of communications… the national framework can jeopardize that mission, if it imposes a framework that is in conflict with that."

Cyber Summit Opening Remarks
- "The defense must be informed by the offense. If not, we don't have a prayer. The offense is killing the defense."
[Chart: defense and offense spending ($) plotted against time]

External Assessment
- National strategy lacks strategic policy input and civilian/political framing and boundaries
- Muddled thinking
  - Ad hoc tools development
  - Blur between cyber war and peace
  - Gray areas in authorities and jurisdictions
- Offensive bias – assumption of cyber dominance
  - "Let's not kid ourselves… our adversaries are doing the same to us… jumping the air gap."
- Inverted pyramid of risks – the highest-priority risks are getting the least amount of attention

Assessing Cyber Threats – Three Conceptual Flaws
Risk = Intent × Capability × Consequences
1. $ drives the train!
2. Technical assessment of vulnerabilities/risks trumps actor-specific (intelligence) judgments
3. Threats posed by actors are not assessed holistically, in the context of cyber serving as a means to ends

Internal Assessment
- Priorities are misaligned to risks – the threat pyramid is inverted
- Resources and attention paid to the least defendable, lowest-value assets
- Cyber threats viewed as a technical challenge, vice actor-based
- Competitive business model limits cooperation between laboratories
- Offense and defense segregated
- Investment process – "wine by the glass"
- Multi-lab work on "grand challenges" lacking
- Limited investment for long-term cyber R&D
- Badly stove-piped bureaucracy due to compartmentation, competing cultures and objectives

Hurwitz' Model in DOE
[Diagram: three domains – National Security, Markets, Scientific culture – mapped against individuals, capabilities, infrastructure, tools, threats, $ and business model; contrasting attributes shown include cooperation vs. competition, need to know vs. proprietary vs. transparency, multi-year vs. single-year, and multi-lab vs. single-lab project and expert work]
Crossover between domains produces uneven results: tactical vice strategic results, stovepiped bureaucracy, insufficient expert collaboration

What needs to be done?
- Establish a role for DOE in developing and implementing national cyber strategy
- Develop an integrated cyber architecture within DOE
- Harmonize/synchronize with individual programs, missions and constituencies within DOE and with external customers (including Congress): cyber policy (CIO), security, intelligence, science, infrastructure protection

Getting Priorities Right
- Cyber triage: simplification, leadership and follow-through
- Continually assess progress in seven areas:
  - Protect the crown jewels – define the core
  - Define the scale of value
  - Define the cyber threat statement
  - Define the protective systems
  - Infrastructure protection
  - Cyber research and development
  - Strengthen the defense
- Internal and external communications strategy – garner policy support for determining the acceptable level of risk

Longer Term Planning
- Develop national policy and doctrine vis-à-vis cyber war, deterrence and defense
- Zero-base cyber priorities and realign resources to risks/threats as a matter of policy
- Integrate offense and defense into a single strategy
  - Adopt the principle: offense must inform defense
  - Focus on information and "best practices" sharing between offense and defense
- Modify the cyber business/investment model
  - Define cyber grand challenges
  - Long-term investments in infrastructure, not tools
  - R&D – what are the game changers?