A top Department of Energy (DoE) official presented a sobering portrait of the nation’s cyber readiness this week, saying that a lack of funding is preventing Federal agencies from fully adhering to the Biden administration’s cybersecurity executive order (EO).
Paul Selby, chief information security officer (CISO) at DoE, said cyber defenses are “moving in the right direction” but that the 2021 order has resulted in agencies being expected to “comply with unfunded mandates.”
“I don’t have the resources to do it. I don’t have the expertise to do it,” Selby said on May 21 at the Qualys public sector cyber risk conference in Washington, D.C. “I think it’s a real crisis.”
Selby, who previously served as deputy CISO at the Internal Revenue Service (IRS), said government officials have “been talking about cybersecurity ad nauseam for 20 years. And yet … data breaches have increased 72 percent in the last year. So we need to do something different.”
He added an ominous warning. “If somebody were asking, ‘what keeps you up at night, Paul?’” he said, the answer would be “Everything. If you’re not scared, you’re not paying attention.”
The remarks were especially stark because of their source. DoE has enormous responsibilities in the cybersecurity realm, safeguarding the nation’s nuclear weapons stockpile, the 17 national laboratories, and America’s energy systems, which include the power grid, electric utilities, pipelines, and renewable energy generation sources like wind and solar.
Selby’s comments reflected the department’s new cybersecurity strategy, released in January, which said that cyber threats have grown so serious that DoE enterprises should assume that their networks and systems have already been compromised “by both known and unknown malicious actors seeking to exfiltrate our data.”
“State-sponsored attacks from various nation states are aggressively using advanced cyber capabilities to carry out malicious activities and cause physical effects and are attempting to undermine our democracy,” the strategy reads.
It also outlines a plan for achieving cyber resiliency through pillars such as identifying threats, combatting them through zero trust principles, and developing the cyber workforce.
DoE has also been investing heavily in cyber defenses, including a $45 million allocation in February for16 projects aimed at developing new technologies to prevent cyberattacks and reduce energy disruptions from cyber incidents.
The renewed push comes after the U.S. Government Accountability Office (GAO) questioned DoE’s cyber readiness in a report last year, saying the agency needs to do more to safeguard the power grid’s distribution systems, which are “increasingly at risk from cyberattacks.”
“DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains,” the report said. “By not having plans that address the improvement to grid distribution systems’ cybersecurity, DOE’s plans will likely be of limited use in prioritizing federal support to states and industry.”
In his remarks this week, Selby declined to be specific about the cyber threats facing DoE but said the agency has “huge problems that we need to solve … We have a tremendous amount of operational technology. So we need to figure out how we can apply the basic cyber hygiene to the operational technology or come up with other mitigating factors.”
Overall, he said, the government faces “a severe shortage of cyber talent,” and added that he has “a great amount of respect” for the offensive cyber capabilities of U.S. adversaries such as China and Russia.
Yet he ended his remarks on an optimistic note, saying Congress is supportive of cybersecurity efforts and that artificial intelligence (AI) “is going to be incredibly helpful” in relieving the burden on Federal cybersecurity workers who are sifting through huge quantities of data.
“I don’t mean to be all doom and gloom,” said Selby, who called himself “an eternal optimist.”