Risk
1/4/2013
03:23 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

DOE Taps PNNL CIO To Improve Security

Federal agency brings in a national lab CIO to help implement a cybersecurity strategy that spans its diverse and autonomous operations.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
The U.S. Department of Energy is looking to bolster its cybersecurity readiness with the appointment of Jerry Johnson, CIO of Pacific Northwest National Laboratory for the past eight years, as a senior policy and technical adviser.

Johnson had first-hand experience with one of the federal government's most serious cyber attacks. In 2011, he oversaw PNNL's response to a dual-pronged cyber attack that was likely part of a broader attack against government agencies and private-sector companies. The lab disconnected its network, conducted a forensics investigation and re-imaged its systems before going back online.

Some security experts surmised that the broader espionage campaign, dubbed Operation Shady Rat, originated in China. Johnson publicly shared the lab's experience and lessons learned to help others prevent, and if necessary respond to, such attacks.

[ What does NASA plan for the coming year? Read NASA Details 2013 Plans. ]

At the Department of Energy, Johnson will work with CIO Bob Brese and his deputy CIOs to develop a cybersecurity strategy that spans the agency's disparate operations, which include 21 national labs and technology centers and four electric power authorities. Those largely independent organizations have their own cyber defenses and action plans. "This will be an umbrella strategy," Johnson said.

DOE's Joint Cybersecurity Coordination Center, or JC3, supports agency-wide reporting and tracking of cyber incidents. Johnson will work with the agency's associate CIO of cybersecurity, Gil Vega, to advance those capabilities and implement a more comprehensive incident-response plan.

Johnson will also spearhead the DOE's response to a March 2012 report from the Government Accountability Office on national security risks associated with federal agencies' IT supply chains. The GAO recommended that the departments of Energy, Homeland Security and Justice develop policies and procedures to guard against supply chain threats such as malware and counterfeit hardware that might exist in computer and networking equipment. The DOE's nuclear weapons operations are among the areas that will be assessed.

Johnson's experience makes him uniquely qualified to not only help improve the DOE's cybersecurity posture, but also to bridge cultural differences between the department and its labs, which are operated by private-sector companies or universities, are staffed by non-government employees, and in many cases are located far from Washington, D.C. In addition to having a hand in improving processes, Johnson will serve as a liaison between the DOE's Office of the CIO and the lab CIOs in the field, splitting his time between PNNL's campus in Richland, Wash., and DOE headquarters in Washington, D.C. "This is going to be very beneficial," he said.

Brese took over as the DOE CIO six months ago, after serving as acting CIO. He was formerly deputy CIO of the National Nuclear Security Administration, another DOE organization that operates with arms-length autonomy. Energy's Office of the CIO includes more than two dozen deputy CIOs and other technology directors.

Brian Abrahamson steps in as CIO at PNNL. Abrahamson had served as the lab's chief enterprise architect since 2011. Before that, he was CIO and chief architect at Pacific Gas and Electric. PNNL director Mike Kluse, in a statement on the changes, said Abrahamson's industry experience makes him well suited for the lab CIO position.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.