‘We Have to Assume All of Our Networks Are Compromised,’ EPA CIO Warns

As Federal agencies move forward with big data and infrastructure initiatives, “we really have to assume that all of our networks are compromised,” said Ann Dunkin, CIO at the Environmental Protection Agency (EPA).

Speaking at the Institute for Critical Infrastructure Technology (ICIT) Forum on Monday, Dunkin and Maria Roat, chief technology officer at the Department of Transportation, said cybersecurity and usability are the key concerns when dealing with national infrastructure.

Ann Dunkin, CIO at EPA, addressed the balance between security and usability. (Photo: LinkedIn)

Roat said her agency would like to have an address database that would contain the coordinates of homes and businesses and act as a means of warning people in the danger zone of natural disasters.

These projects, however, increase the chance of data being exposed to the wrong people as well as the potential for bad data to affect government decision-making.

“Pipelines are a perfect example,” Roat said. “While we’re all about open data, sharing data, making it available, there’s things on pipelines [in the data], and we need to protect those systems and those types of information. There needs to be a balance between what’s open, what’s shared, and what we actually have to keep in house.”

Roat is also concerned that making certain data available to the public may expose a pathway to sensitive data if the lateral systems are not protected.

“If they get into the system at railroads, can they move laterally into the system on pipelines?” Roat said.

“If you’re just coming in to look at data, I don’t care who you are,” Dunkin added. She noted that security issues arise when users begin asking for more sensitive data that requires authentication to access. Determining which of that data is sensitive or dangerous is not always straightforward.

“We’ve got a lot of data. We have to actually be able to bring it together to analyze that data and make it useful, but we also have to maintain the distinctions as to how public or private that data is at the same time we’re bringing it together inside our environment,” Roat said.

“The genie is out of the bottle with a lot of public data,” Dunkin said. She and Roat described a hypothetical situation in which a person may be able to compile information about a certain bridge from public transportation data. They could know what the daily traffic patterns are, any scheduled maintenance, and even the regularity with which hazmat or similar vehicles pass over the bridge. To someone with malicious intent, this data can become dangerous.

“You could’ve done that by watching the bridge,” Dunkin said.

The potential benefits of this hypothetical bridge data are also large. Roat noted that drivers could use the data to know under which conditions the bridge might freeze and calculate whether they are in danger of ice.

“We have to strike a balance between security and usability,” Dunkin said.

Dunkin and Roat also discussed the potential for big data projects such as the Smart Cities Challenge, which encourages cities to install sensors, collect data, and digitize some aspects of their city. Initially, 78 cities expressed interest, and there are currently seven participating, with a winner to be announced in June.

Jessie Bur
About Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.