Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Cyber Challenge Lessons Learned from the Department of Energy

Published byLisa Marsh Modified over 6 years ago

Similar presentations

Presentation on theme: "The Cyber Challenge Lessons Learned from the Department of Energy"— Presentation transcript:

1 The Cyber Challenge Lessons Learned from the Department of Energy
Rolf Mowatt-Larssen Senior Fellow Belfer Center, Kennedy School of Government, Harvard University March 22, 2011

2 National Cyber Strategy – a Maginot line?
How question arose….my own experience Statement of the problem- two cyber summits External assessment -national cyber plan Internal assessment - DOE strengths and vulnerabilities What needs to be done? Cyber triage Protect the crown jewels Integrate the offense and the defense Revise the cyber investment model

3 DOE Stakeholder $24+ billion dollars, 100k+ people 50K clearances
National laboratories R&D DOE Core Nuclear weapons – the crown jewels Science Scientific and technological innovation, R&D High speed computing Energy Life sciences Cyber-related assets Scope of intelligence work Intelligence community role Field intelligence elements Work for others – trend line

4 Cyber Summit Opening Remarks September 26, 2007
“Never looked at the whole (cyber) problem…” “(We have)..a process orientation, not a mission orientation.” “Take out a blank sheet of paper - how can we protect DOE? Articulated risk-taking..rank order what needs to be protected, and draw a line on what cannot be protected.” “Our science mission is highly dependent on speed, transparency of communications…the national framework can jeopardize that mission, if it imposes a framework that is in conflict with that.”

5 Cyber Summit Opening Remarks
“The defense must be informed by the offense. If not, we don’t have a prayer. The offense is killing the defense.” defense $ offense time

6 External Assessment National strategy lacks strategic policy input and civilian/political framing/boundaries Muddled thinking Ad hoc --tools development Blur -- cyber war and peace Gray areas -- authorities and jurisdictions Offensive bias – assumption of cyber dominance “Let’s not kid ourselves…our adversaries are doing the same to us…jumping the air gap.” Inverted pyramid of risks – highest priority risks are getting least amount of attention

7

8 Assessing Cyber Threats – Three Conceptual Flaws
Risk = Intent X Capability X Consequences 1. $ drives the train! 2. Technical assessment of vulnerabilities/risks trumps actor-specific (intelligence) judgments 3. Threats posed by actors are not assessed holistically, in context of cyber serving as means to ends

9 Internal Assessment Priorities are misaligned to risks – threat pyramid is inverted Resources and attention paid to least defendable, lowest value assets Cyber threats viewed as technical challenge, vice actor-based Competitive business model limits cooperation between laboratories Offense and defense segregated Investment process - “wine by the glass” Multi-lab work on “grand challenges” lacking Limited investment for long term cyber R&D Badly stove piped bureaucracy due to compartmentation , competing cultures and objectives

10 Hurwitz’ Model in DOE National Security Markets Individuals
Capabilities Infrastructure Tools Threats $ Biz model Scientific culture Cooperation Competition Intellectual property Need to know Proprietary Transparency Multi-year Single year Project Multi-lab Single lab Expert Crossover between domains produces uneven results: Tactical vice strategic Stovepiped Insufficient expert results bureaucracy collaboration

11 What needs to be done? Establish role for DOE in developing and implementing national cyber strategy Develop an integrated cyber architecture within DOE Harmonize/synchronize with individual programs, missions and constituencies within DOE and external customers (including Congress) Cyber policy (CIO) Security Intelligence Science Infrastructure protection

12 Getting Priorities Right
Cyber triage Simplification, leadership and follow-through Continually assess progress in seven areas Protect the crown jewels – define the core Define the scale of value Define the cyber threat statement Define the protective systems Infrastructure protection Cyber research and development Strengthen the defense Internal and external communications strategy - garner policy support for determining acceptable level of risk

13 Longer Term Planning Develop national policy and doctrine vis-à-vis cyber war, deterrence, defense Zero base cyber priorities and realign resources to risks/threats as matter of policy Integrate offense and defense into a single strategy Adopt principle – offense must inform defense A focus on information and “best practices” sharing between offense and defense Modify the cyber business/investment model Defining cyber grand challenges Long term investments in infrastructure, not tools R&D - what are the game changers?

Download ppt "The Cyber Challenge Lessons Learned from the Department of Energy"

Similar presentations

Elements for Integrating Early Warning into Disaster Preparedness and Management Policies A Contribution of the EWC-II Advisory Group to the High level.

Elements for Integrating Early Warning into Disaster Preparedness and Management Policies A Contribution of the EWC-II Advisory Group to the High level.
Cities and Green Growth OECD Green Cities Programme

Cities and Green Growth OECD Green Cities Programme
Building a Strategy for Combating Terrorism. “We have to fight terrorists as if there were no rules, and preserve our open society as if there were no.

Building a Strategy for Combating Terrorism. “We have to fight terrorists as if there were no rules, and preserve our open society as if there were no.
© 2009 The MITRE Corporation. All rights Reserved. Evolutionary Strategies for the Development of a SOA-Enabled USMC Enterprise Mohamed Hussein, Ph.D.

© 2009 The MITRE Corporation. All rights Reserved. Evolutionary Strategies for the Development of a SOA-Enabled USMC Enterprise Mohamed Hussein, Ph.D.
Distribution Statement A: Approved for Public Release; Distribution is unlimited. 1 Electronic Warfare Information Operations 29 MAR 2011 Val O’Brien.

Distribution Statement A: Approved for Public Release; Distribution is unlimited. 1 Electronic Warfare Information Operations 29 MAR 2011 Val O’Brien.
BELMONT FORUM E-INFRASTRUCTURES AND DATA MANAGEMENT PROJECT Updates and Next Steps to Deliver the final Community Strategy and Implementation Plan Maria.

BELMONT FORUM E-INFRASTRUCTURES AND DATA MANAGEMENT PROJECT Updates and Next Steps to Deliver the final Community Strategy and Implementation Plan Maria.
Adopt & Adapt Tips on Enterprise Data Management Annette Pence September 10, 2009 MITRE.

Adopt & Adapt Tips on Enterprise Data Management Annette Pence September 10, 2009 MITRE.
Jim Seligman Chief Information Officer Welcome & Opening Remarks.

Jim Seligman Chief Information Officer Welcome & Opening Remarks.
Fluff Matters! Information Governance in an Online Era Lisa Welchman.

Fluff Matters! Information Governance in an Online Era Lisa Welchman.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Ari Kokko Industrial policy Why? How? Examples: EU Industrial Policy and Swedish Industrial Policy Sources www.europa.eu.int/pol/index-en.htm www.naring.regeringen.se/inenglish.

Ari Kokko Industrial policy Why? How? Examples: EU Industrial Policy and Swedish Industrial Policy Sources
© 2006 by Nelson, a division of Thomson Canada Limited.1-1 Strategic Management & Strategic Competitiveness Chapter One.

© 2006 by Nelson, a division of Thomson Canada Limited.1-1 Strategic Management & Strategic Competitiveness Chapter One.
A Framework for Marketing Management

A Framework for Marketing Management
Information Assurance and Higher Education Clifton Poole National Defense University Carl Landwehr National Science Foundation Tiffany Olson Jones Symantec.

Information Assurance and Higher Education Clifton Poole National Defense University Carl Landwehr National Science Foundation Tiffany Olson Jones Symantec.
How are we going to get there?

How are we going to get there?
Emergency Management & Homeland Security Interface Samuel Musa National Defense University.

Emergency Management & Homeland Security Interface Samuel Musa National Defense University.
The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.

The U. S. National Strategy for Global Supply Chain Security Neema Khatri Office of International Affairs U.S. Department of Homeland Security.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.

THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

Similar presentations

Ads by Google