As the White House rolled out its new National Cyber Strategy Thursday in Washington, D.C., to guide the joint vision for how the U.S. approaches cybersecurity, Department of Energy CIO Ann Dunkin was 4,000 miles away in Zagreb, Croatia, for a meeting of the Partnership for Transatlantic Energy and Climate Cooperation.
Dunkin has been tasked by Energy Secretary Jennifer Granholm to “play a leading role in creating opportunities for cybersecurity exchanges and training for P-TECC partners,” the CIO told FedScoop in a phone interview from Croatia.
As the fifth pillar of the new cyber strategy, the White House calls for the nation’s leaders to forge international partnerships to pursue shared goals. And that’s precisely what Dunkin and her office are working to do through support of the P-TECC and other international partnerships. One of the partnership’s principles is to drive “technical collaboration in cyber and physical security of energy infrastructure to respond to emerging threats from adversaries and a rapidly changing climate.”
“We intend to move forward with a collective defense approach to cybersecurity, extending collaboration across the government and private sector, and with like-minded partners around the world,” Dunkin said on the call.
“We’re deeply committed to collective defense — we think it’s the only way forward,” she said, explaining that partners must work together to support the lowest common denominator in an increasingly connected world. “We really need to be operating in an environment where we’re all working together. Because it’s just too easy for one part of the organization, part of the country, part of the world to put everybody at risk.”
Energy’s work to support international partners may be reaffirmed by the long-awaited national strategy — but it isn’t new. Dunkin’s office has provided training opportunities to allied nations for years, she explained.
“My office has developed over the years a robust relationship with a number of international partners,” Dunkin said. “And we work with them to share best practices, and leverage lessons learned in cybersecurity, supply chain, security, technology, innovation and workforce development.”
The most recent example of that came in December when Energy conducted its Cyber Fire training and education program with a dozen international partners. Cyber Fire events are led by National Laboratory experts and hosted alongside what DOE calls “foundry” sessions, which are “week-long simulation and incident investigation events” to put training into simulated practice.
“We have a Cyber FIRE program that supports both the U.S. government and U.S. private sector, but also international partners,” Dunkin said. “We last did it in December, we had folks from 12 countries present. There were I think 14 people from Poland, and they won our competition, because we do an [operational technology, or OT] training exercise, and then we do an OT competition. So it’s a great opportunity to build relationships.”
DOE has also offered its support during the ongoing Ukraine-Russia war, Dunkin explained. “We’ve been very engaged for very obvious reasons in Central and Eastern Europe in recent months.”
Other DOE takeaways from the National Cyber Strategy
Dunkin’s office and DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) played a hands-on role in helping develop elements of the National Cyber Strategy.
A key aspect of Dunkin’s work was advocating for the role of civilian federal systems within the larger national cybersecurity apparatus.
“We worked really hard to ensure that [civilian] federal systems were part of the equation, because, you know, federal systems are part of critical infrastructure. So we didn’t want to forget that,” she said, adding that the emphasis is often placed on securing private sector critical infrastructure.
Now that the new strategy is out, Dunkin’s team is working with other department stakeholders to update DOE’s cyber strategy to align with the nation’s. “We’re pretty close on that,” she said.
“My intersection with critical infrastructure is the responsibility for those power marketing administrations that operate electric systems and sell the output of federally owned assets in 35 states and run the grid in those states,” she said. “So we provide power to millions of Americans and that’s on my to-do list every day to make sure that we can keep continuing to provide power to those folks.”
In many ways, the national strategy reinforces and builds on the work federal agencies have already been doing as mandated by the 2021 cybersecurity executive order, namely in its first pillar.
“In terms of our office, we’re going to continue to advance our department cybersecurity posture. And we’re going to do that using zero-trust principles. And we recognize that there are threats to be countered both inside and outside traditional network boundaries, which is why zero trust is important. You know, we’re not gonna give up on the perimeter, but we can’t pretend that the perimeter is not porous. And we’re putting a lot of energy into software supply chain risk mitigation through software bill of material efforts,” Dunkin said.