#ISC2Congress: US Government is Embracing 'Collective Defense'

The US government is developing a “collective defense” approach to cybersecurity in response to the evolving threat landscape. This strategy was discussed by Anne Dunkin, chief information officer for the US Department of Energy (DoE) during the keynote session on Day 1 of the (ISC)2 Security Congress 2022.

Dunkin noted that previously, organizations simply aimed to be a tougher target for cyber-attackers than others, “with the idea that if we’re a harder target, the bad guys will go after someone else.”

However, the increasingly interconnected nature of the economy, including critical infrastructure, means that this approach is no longer viable. Recent high-profile supply chain incidents, such as SolarWinds and Log4j, highlight that organizations are now at risk regardless of their own security posture.

This is especially important for the DoE, a government agency responsible for securing crucial areas like the country’s nuclear weapons stockpile, energy grid and green energy solutions.

Therefore, the US government is seeking to work closely across public sector agencies, the private sector and other countries to keep critical services secure, ensuring there are shared goals and responsibilities. “Collaboration between government, private sector and across the world is necessary to allow us to be more safe and secure,” outlined Dunkin.

She then set out practical steps being taken by the DoE to contribute to the collective defense concept. These are based around two key areas: technology to perform critical functions and resilience, and employing people with the necessary skills to use these tools and “collaborate effectively across the private sector and other partners.”

Regarding technologies, Dunkin revealed the DoE has invested in threat intelligence and big data platforms, designed to enable fast sharing of potential cyber threats across the 97 DoE plants and sites across the US.

On the people side, Dunkin acknowledged that the DoE faces significant hiring and retention challenges in cybersecurity. One way of mitigating this issue is a cyber-retention program, which will launch in November. This will seek to rectify the “mismatch” between cybersecurity salaries in the public and private sectors.

She said the department is also working on updating hiring practices, which includes an emphasis on providing more opportunities for underrepresented groups like women, people of color and young people. “A more diverse, equitable and inclusive workforce provides the needed perspective that contributes to bolstering modernization and cybersecurity,” commented Dunkin.

This requires creating new career pathways, and the DoE is launching a paid internship scheme for cybersecurity positions across its sites this summer.

She added that the White House is planning to embark on a separate cybersecurity workforce strategy “to ensure we have an appropriate level of focus on the need to invest in our future through developing a broad and deep talent pipeline.”

Finally, the DoE is assisting the efforts of the Office of the National Cyber Director to publish a new national cyber strategy. This encompasses a proactive resilience-by-design approach, “pushing the private sector to protect critical networks, software products and data repositories,” in addition to working with international partners.

These approaches will “build the foundation for collective defense for our country and allies,” concluded Dunkin.