Tom Pyke | A more secure IT environment
Interview with Energy Department CIO Tom Pyke (full version)
The Energy Department has endured several high-profile lapses in computer security in recent years, ranging from intrusions and thefts of sensitive information to losing laptops and carelessly disposing of PCs that contained information from one of its laboratories.
CIO Tom Pyke was tapped last year to be the cowboy in the white hat, when he came to DOE after more than four years as CIO at the Commerce Department. A career government employee, Pyke started at the National Bureau of Standards—now the National Institute of Standards and Technology—where he was director of the Center for Computer Systems Engineering, and then director of the Center for Programming Science and Technology. He also served as CIO and director for High Performance Computing and Communications at the National Oceanic and Atmospheric Administration, so he understands very high-end computer technology, and how it is applied at DOE’s labs around the country.
GCN: There’s been a lot of change at Energy in the IT management team, including your arrival. Do you have your team in place now? And what are their priorities?
Tom Pyke: We are almost there with our new management team. When I came to Energy almost a year ago, we had a lot of very good people, but a number of them had already been promised that they could leave as part of an early-out process that was in place at that time. So I’ve been busy reinvigorating our leadership and bringing in new folks.
I’m very proud that we have Carl Staton as our new deputy CIO—from NOAA, where he was the CIO. We have Kevin Cook as one of our associate CIOs, for business management, and Deanne Gordon as our associate CIO for IT reform, and Bill Hunteman as our associate CIO for cybersecurity. … We also have Harry Hixson, who continues as our associate CIO for operations.
Then we have two new associate CIO positions that we’re recruiting for. One is our associate CIO to manage our most efficient organization (MEO), to manage our A-76 organization. … The implementation of this MEO is expected to result in cost avoidance on the order of $450 million over the next seven years. So this associate CIO has a big job, to guide that part of our organization.
Finally, there’s a new associate CIO position for advanced technology and systems integration … We’ll be recruiting for that position soon. It represents my strong interest in trying to make sure that we leave no stone unturned in tracking the latest and best technologies that we can use to improve the way the Department of Energy carries out its mission.
GCN: When you talk about advanced technology, are you referring to computing, to networks, to storage, or all of the above?
Pyke: All of the above. Everything associated with information technology, as we now know it and looking toward the future. I wouldn’t rule out even some far-out things like quantum computing.
GCN: Let’s come back to the A-76. That $450 million in cost avoidance—is there any process in place for the department to allow the recapture of that money and use it for other priorities, or is it a way Energy can reduce its overall budget?
Pyke: Yes, over the seven-year period, as fewer people are needed [overall], fewer people are needed for IT, those resources will automatically be redeployed for the highest priority unfunded activities in each of the programs across the department.
GCN: Who determines the highest-priority unfunded activities?
Pyke: The program managers. The senior program managers, the under secretaries largely, who oversee the major programs of the department.
GCN: So, talk about the A-76 operation.
Pyke: This is an effort that was underway well before I got here and is, in my opinion, turning out to be a great success. We’re basically centralizing in the department the support of IT for all of our federal employees. This includes workstations—PCs, if you like—networks, and our application hosting that we do in our data centers.
So we are consolidating the support structures; we have standard configurations, we support what end users need, and we have an array of federal employees and contractors in place to provide this service across the country in a uniform way and to assure that we provide the highest quality of customer service at the lowest possible cost.
GCN: DOE is a decentralized department. How does that match up with the desire to centralize the IT functions?
Pyke: I like to refer to DOE as a federated organization. We have a lot of moving parts in this department—and, by the way, I love this department. It has a great mission, it has a lot of very bright people, and most of our bright people are in the field.
Many of our bright people are in contractor organizations, most of those in our national laboratories. The Department of Energy only has about 14,000 federal employees, and they are largely here in Washington, but we have a number of offices around the country with federal employees.
And it’s the support for our federal employees that we are centralizing, or that we are providing on a centralized basis, but in a way that meets the requirements of the individuals and the organizations wherever across the country. We are not centralizing our support for the laboratories or the contractor operations that are associated with DOE.
GCN: One of the advantages to centralizing the IT is in computer security. How does that fit into the labs continuing to do their own thing?
Pyke: What we’ve done in cybersecurity since I’ve been here is to establish a cybersecurity revitalization plan. I led an executive steering committee, consisting of the under secretaries and other senior officials, and we were supported by a cybersecurity working group. We came up with a plan that was approved by our senior management, and we are implementing that plan.
The plan makes the under secretaries and other senior managers personally responsible for cybersecurity in their areas, their program areas. They share the responsibility with me, and they are responsible programmatically for ensuring there is adequate protection of systems and data throughout their entire organization, including the field. And that includes the laboratories under each of the under secretaries.
GCN: When you talk about the under secretaries being personally responsible, is it that they have to attest to the validity of their security measures and sign off on them, as in the provisions in the Federal Information Security Management Act?
Pyke: The under secretaries manage cybersecurity within their organizations, within their programs. We develop top-level policy, we develop guidance—“we” being the office of the CIO—working with the representatives of the under secretaries.
The under secretaries take the FISMA requirements, NIST guidance, DOE policy and guidance from the office of the CIO, and they develop policies and practices for their organizations, that tune all of the input into the cybersecurity program that is just right for their programs. I believe that one size doesn’t fit all, but that there are certain minimum standards or minimum requirements that we all have to meet.
GCN: Is there any sort of peer review of the policies and practices that they put into place?
Pyke: The policies that are in place, then the procedures, and then the implementation of those policies are all subject to monitoring by our inspector general in annual inspections and audits and evaluations they perform.
We are also fortunate to have another organization that provides independent oversight over cybersecurity as well as some other areas in the department. This office does independent evaluations of cybersecurity implementation; they even do independent penetration testing as part of their testing of systems out in the field, to make sure that all of the controls are in place as all the policies and procedures have established. It’s currently called the Office of Health, Safety and Security.
Then our office plays a role in compliance monitoring, including making sure the policies that are established in each part of the department are consistent with our policy guidance and with the guidance put out by NIST.
My job is not only to try to organize our management of cybersecurity, but to be a cheerleader, to be out in the field leading, to help people fully understand how important it is that we protect our systems and data.
Cybersecurity is all about risk management. In conducting C&As, our certifications and accreditations of individual systems, we look at the threat as part of a risk assessment, apply appropriate technical and management controls, then determine the residual risk. And there’s a designated accrediting authority who makes the decision to go operational with each system.
We apply this risk-based approach to the management of cybersecurity, and what each under secretary is given in their charge, in their appointment as the leader for cybersecurity for their part of the department, is to take a risk-based approach to managing cybersecurity in their organization.
We also, in cybersecurity since I’ve been here, substantially improved not only the managerial processes with … site visits to our labs, but we’ve also improved the segmentation of our networks, we’ve improved the management of passwords, we’ve improved our intrusion detection at all levels. We have defense in depth from firewalls on the outside all the way down to the desktop.
GCN: Is the department making any plans for a widespread implementation of Microsoft Vista, or will you let other people down the road shake out the bugs and then commit?
Pyke: In cybersecurity here at DOE, we are attacked literally millions of times every day. Many other folks are, as well, but we monitor very closely the scans against our systems, the various attacks from all comers. Many of the more sophisticated attacks attempt to exploit vulnerabilities in software, especially new software, and large, complex software has inherent vulnerabilities. We’ve come to understand that these vulnerabilities exist over the lifetime of the software.
My experience has shown that new software, especially new complex software, has a good many more vulnerabilities than software that’s more mature. From a cybersecurity standpoint as well as a functional standpoint, we have beta versions of Vista, we are examining them, we will begin rolling them out very carefully.
And we will begin rolling out additional cybersecurity protection that may be necessary to make sure that we don’t inadvertently introduce new vulnerabilities that would cause us a cybersecurity problem with new software such as Vista.
GCN: When Congress recessed before the election, the department’s budget hadn’t been approved yet, so you’re working off continuing resolutions. What does that do to the programs and plans that you’d hoped you would have under way by now, and what are the snags that will come along because the actual final budget hasn’t been approved yet?
Pyke: We’re basically working at a continuation of last year’s funding level, so we’re able to continue all of our high-priority activities. In the fiscal 2007 president’s budget, we’re in for a substantial increase, largely for cybersecurity. That will help us improve our cybersecurity protection across the board when those funds eventually become available to us. But our core programs, our highest priority programs are continuing basically at the same level as last year.
GCN: Is that [cybersecurity funding] being treated as a line item, or is that included in the general administrative account?
Pyke: It’s included in an appropriation account called Departmental Administration.
GCN: How much additional had you asked for?
Pyke: About $20 million. There are a lot of priorities in the budget process. We’re providing a substantial amount of resources for IT management in the department. The department, at base level, spends about $2 billion a year on IT. Of that, we spend at least $300 million a year on cybersecurity.
GCN: Twenty million doesn’t sound like a big increase, then.
Pyke: It’s a substantial increase … in the funds that our office has available to help provide centralized support for cybersecurity. Most of those expenditures in cybersecurity are where they should be, out in the field, they’re in the programs where solid cybersecurity is being put in place. So this represents a substantial increase, an increase of just the right amount that we need to provide centrally provided cybersecurity support.
GCN: You had alluded to the high-performance computing. Can you talk a bit about the role of high-performance computing in DOE’s mission? How is the department making use of that?
Pyke: There are two primary ways that we use high-performance computing at DOE. One is in support of our nuclear weapons enterprise, where we now are able to model, using high-performance computers in lieu of being able to conduct tests of nuclear weapons. In this way, the use of high-performance computers enables the department to ensure the nation’s nuclear weapons are reliable, that they will perform if they are ever needed, and it allows us to make sure we are good stewards of the stockpile of nuclear weapons. That’s on the nuclear side of the house.
And on the other side, in our Office of Science, we are proud to be an active participant in the president’s American Competitiveness Initiative. As a part of this initiative, the Office of Science is in for a doubling of its budget over 10 years. Part of that increase is in the president’s 07 budget request, and part of that is for high-performance computing.
It’s leadership-class computing, where we provide high-end computing that will help DOE and our partners in the public and private sectors perform research using these high-performance facilities, that will help improve all the research activities that we have in the Department of Energy and the research in the many organizations that collaborate with DOE.