CESG Connections Magazine 2020 Issue | Page 46

SECURITY, TECHNOLOGY AND CRITICAL INFRASTRUCTURE: ENERGY

AN INTERVIEW WITH HONORABLE KAREN EVANS, ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, U.S. DEPARTMENT OF ENERGY

KAREN EVANS is a name familiar to anyone who has spent any appreciable time working in or around government technology. Today, Karen serves as Assistant Secretary and the Energy Department’s cybersecurity point person for guidance and policy affecting the nation’s energy sector. She has also served as U.S. Chief Information Officer under President George W. Bush, CIO for the Department of Energy, IRM Director for the Justice Department’s Office of Justice Programs, and a few other positions as well. Whatever her position, cybersecurity has been a focus.

HOW DID IT START, YOUR PASSION FOR AND INTEREST IN CYBERSECURITY?

I think cybersecurity actually chose me. Most people don’t know this, but the Department of Justice website was the first government website ever hacked. I was there, working in the Department, and the date August 17, 1996 is ingrained in me. It was a career-enhancing moment. Two weeks later, the CIA website was hacked, and we surrendered the stage to the Washington Post front page coverage of that hack. But that August website hack led us to think about evidence preservation, data protection, and records management. That’s where it started for me, that incident.

YOU HAVE BEEN PART OF OUR COUNTRY’S CYBER EVOLUTION IN TERMS OF LAW AND POLICY. CAN YOU TALK ABOUT FISMA—THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT?

Before FISMA, talk to IT managers about a security framework governed by reasonable processes to protect against what were the early era of cyber threats and you would get “I am an innovator and I can’t be bothered with frameworks and process for security.” Well, that works fine right up to the point there is a problem. FISMA put discipline into cybersecurity across the Federal government. People paid attention.

The question[s] now moved to “What are you trying to accomplish? Who signed off? What is the risk? and What is your risk mitigation strategy?” The question I started asking, and have asked throughout my career, was and remains “How do I provide the greatest services of the Federal government through technology while preserving privacy, records management, and security?”

CAN YOU TALK ABOUT YOUR OFFICE, CYBERSECURITY, AND THE ENERGY SECTOR?

Sure. We learned some important lessons from 9/11. Communications services went down because we all were using the same tunnel, the same pipe. Different providers, but the same delivery channel. That was an important lesson