Chu: IT security a drag on Energy's mission

Energy secretary wants to balance information security, mission

Energy Secretary Steven Chu has said the Energy Department needs to consider whether its information security systems are worth the drag on its mission.

“We’re going to be looking at information technologies,” Chu said at a May 7 press briefing about the department's fiscal 2010 budget proposal. “Do we have the right balance between keeping our IT secure from viruses to how it compromises productivity?”

In an April 29 speech at the National Renewable Energy Laboratory in Golden, Colo., Chu said “well-meaning people” in the chief information officer’s office and in the procurement and finance offices “whose job it is to protect the Department of Energy” actually hinder what the department can do.

“They forgot the Department of Energy has a job, and it’s not to protect the Department of Energy. It’s to get something done,” he said. Terrible accidents and financial waste are bad things, he said, but added, “It has to be balanced against the mission of the department and so this is something that I feel very strongly about.”

Beyond IT, the department will undergo more core reforms, Chu said on May 7, adding that officials will take a thorough look at how Energy buys things and manages its property and then direct any savings to the department’s goals.

“We really want to look very hard at the business operations of the Department of Energy,” he said.


About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


Reader comments

Tue, May 19, 2009 Anonymous please

It's only special nuclear material... and human safety... bah humbug! Agency mission is more important! Chu: "If we have a terrible accident, that would be terrible". I wonder if his personal information was stolen when UC Berkeley lost all those personal information records...oh those darn security rules get in the way of getting things done. Right?

Thu, May 14, 2009 DOEWatcher

Everyone who thinks this guy is crazy needs to take a deep breath. If we are at the point where anyone who questions the balance between security and work is considered a heretic, we have a really, really serious problem on our hands as a community. No one is going to take security seriously if the entire conversation about risk is reduced to: err on the side of caution. That's just a ticket for not-so-smart IT people to lock down everything and prevent all work from happening. Security people need to be an input to risk management, not in charge of it.

Wed, May 13, 2009

Our IT Sec team was amused based on the following e-mail exchange with various contributors who shall remain nameless:
----------------------------------------
A posting on the cisspforum contained this link. Stupid, stupid, stupid things for the most senior official to say....
----------------------------------------
"Do we have the right balance between keeping our IT secure from viruses to how it compromises productivity?"
Suppose he sees no link between the two?
----------------------------------------
At least he's not Canadian!
----------------------------------------
Stupidity knows no pay grade....
----------------------------------------
It's not like they have had any lost data or espionage issues involving the nuclear sector....
----------------------------------------
ALMOST feeling sympathy for the poor guy but.....must take one parting shot.
This gem from his 35-page speech: "If you can't get an idea out in less than 20 pages there's something wrong with the idea."

Wed, May 13, 2009 just a citizen MD

Excuse me. Wasn't it just a couple of weeks ago that the headlines and lead stories were about the dire consequences of our national power grid being hacked and viruses being placed in it? Well, by all means let's make it easier to hack into secure systems. Yes, we need a balance, but isn't it better to "err" on the side of caution?

Wed, May 13, 2009 Maryland

It's not security itself that's the problem. It's the corporate Windows botnet security model. You just can't get any work done when your disk is at 100% utilization running virus scans all the time, crashing due to the probing that the apps weren't designed for, blocking outbound ports you know about and need, and getting critical system files quarantined. When it comes down to that kind of pain, it's a lot easier to strike that balance by installing a Linux desktop, locking down everything inbound but ssh, and staying up to date. It's probably better to go to a hypervisor-based model so OS installations are disposable (incidentally, it's how a lot of people run their Linux installations). That way, most security checks can be made safer by moving them out of the OS if they aren't already done by a network IDS.
