Federal systems are some of the biggest targets of opportunity for cyber adversaries, containing massive amounts of personally identifiable information about citizens, classified or sensitive national security data, or the ability to disrupt critical services. That’s leaving IT and cybersecurity personnel at federal agencies like the Energy Department with the need to devise strategies for protecting their systems that suit the unique requirements of each agency’s mission.
“We are under attack right now. We’re being scanned, probed every second. So what we have to do is leverage a fair amount of automation to get that volume out of the way,” said Ty Brown, director of cybersecurity operations for the Energy Department. “Have we seen this before? And that goes back to the documentation and sharing of intelligence. If we’ve seen it, let’s make sure we understand it as well as possible so that if it does happen again, we have a fairly good confidence interval that this is a false positive. But if it looks the slightest bit different, we need to go in and either document this is enemy action or this is one more step in that false positive chain.”
Automation is a commonly adopted technique for separating the signal from the noise amidst vast amounts of cybersecurity data. But intelligence sharing is something DoE puts a particular focus on. That’s largely due to the uniquely federated environment of the agency: In addition to headquarters and its individual offices, DoE also administers the national laboratories and a number of citizen-facing programs, and oversees a significant contractor workforce.
DoE’s Integrated Joint Cybersecurity Coordination Center (IJC3) feeds information to the Office of the Chief Information Officer so that it can do updates and intrusion detection and prevention. Greg Doan, associate deputy CIO for Enterprise I.T. Operations and Shared Services, said that though most of that is automated, incidents and anomalies can prompt manual reviews. Likewise, the CIO office notifies IJC3 whenever it experiences an event.
“We try to handle these things at the lowest level possible, but we’re always making sure that the proper parties are informed and that we’re sharing what we’ve learned from these incidents. It’s not a matter of just flipping a switch to turn off the bad thing,” Brown said. “We then need to turn to our colleagues and say, we just saw this, this is what we learned. And sometimes we get some fusion there and we get a much broader sense of what’s going on. And now we’re proactive and we’re preventing these attacks before they happen.”
Implementing AI
Doan and Brown said that DoE is approaching implementing AI for cybersecurity purposes cautiously, though they’re already seeing results and are optimistic about its capability and potential. Doan said tools of that nature have already been implemented on the operations side for years by vendors and software-as-a-service providers.
But he emphasized the need to stay vigilant as well.
“Certainly, as we’re working to implement AI for our end users’ use and using it for ourselves, there’s a real key focus on ensuring that that’s done safely and securely,” he said. “And securely not just from a cyber aspect, in the safety aspect of ensuring that there’s no bias or there’s no other factors that are going to influence what the particular model may do — something unintended.”
Brown agreed with the need to monitor it closely.
“AI is the new guy, and like anybody that’s new to the office, you’re going to eventually give it some work and you’re going to keep a very weather eye on it and make sure that it’s performing as expected,” he said. “I don’t see it being cut loose anytime soon, but it’s very glad to have that second opinion.”
© 2024 Federal News Network. All rights reserved.