Karen S. Evans
Assistant Secretary, U.S. Department of Energy 

Cybersecurity is becoming a bigger focus for the United States as it strives to protect critical infrastructure from foreign adversaries and other intruders, and no infrastructure is more vital than that involving the delivery of electricity and other forms of energy.

In this edition of the Columbia Energy Exchange, host Bill Loveless sits down with Karen S. Evans, a recently confirmed assistant secretary at the U.S. Department of Energy (DOE). Evans heads DOE’s Office of Cybersecurity, Energy Security and Emergency Response, which was established earlier this year by Energy Secretary Rick Perry to place more accountability at the agency for these critical responsibilities.

Bill stopped by DOE headquarters in Washington this fall to discuss with Evans what the establishment of her new office means for DOE’s responsibilities in cybersecurity and what she will focus on in the days ahead. They also talked about the type of risks facing the U.S. electric grid and how the government and industry are responding to them.

They also discussed the relationship between Evans' cybersecurity responsibilities and a broader effort at DOE to promote resiliency throughout the U.S. grid, including coal, nuclear and other types of electric power generation. 

As DOE’s highest official for cybersecurity, Evans brings a long record of experience in information technology, having served as Administrator of the Office of Electronic Government and Information Technology (IT) at the Office of Management and Budget during the administration of George W. Bush. More recently, she was national director of the U.S. Cyber Challenge, a public-private program to help address the skills gap in the cybersecurity field.

Read the transcript 

[00:00:01]

Bill Loveless:  Cyber security takes on ever increasing importance to the United States as the nation strives to protect its critical infrastructure from foreign adversaries and other intruders. And no infrastructure is more vital than that involving the delivery of electricity and other forms of energy. Hello and welcome to the Columbia Energy Exchange, the weekly podcast from the Center on Global Energy Policy at Columbia University. From Washington, I’m Bill Loveless. Our guest today is Karen Evans, a newly confirmed assistant secretary at the U.S. Department of Energy. She heads DOE’s office of cyber security, energy security and emergency response, which was established earlier this year by Energy Secretary Rick Perry to place more accountability at the agency for these critical responsibilities. As DOE’s top official for cyber security, assistant secretary Evans brings a long record of experience in information technology, having been a top IT official in the administration of George W. Bush, including an earlier stint at DOE. More recently, she was national director of the U.S. Cyber Challenge, a public-private program to help address the skills gap in the cyber security field. She was confirmed by the Senate in August and hit the ground running at DOE as the White House released a national cyber strategy and hurricanes slammed into the mid-Atlantic and Florida, focusing her attention on one of the other responsibilities of her office, emergency response. I stopped by DOE’s headquarters in Washington recently to discuss with assistant secretary Evans what the establishment of her new office means for DOE’s responsibilities in cyber security and what she will focus on in the days ahead. We also talked about the type of risks facing the U.S. electric grid, how the government and industry are responding to them and the challenges they face in doing so.
We touched too on the relationship between her cyber security responsibilities and a broader effort at DOE to promote resiliency throughout the U.S. grid including coal, nuclear and other types of electric power generation. Here is our conversation. I hope you enjoy it. Assistant secretary Karen Evans, welcome to the Columbia Energy Exchange.

 

[00:02:25]

Karen Evans:  Thank you for having me today.

 

[00:02:27]

Bill Loveless:  Well, boy, if you hit the ground running here, you have a new department, new office here at the Department of Energy.  You’ve just been in office a couple of months.  You were confirmed back in August.  There have been two hurricanes recently which have drawn your attention.  You’ve been very much in the thick of it in terms of the department’s coverage of such events.  Boy, what a time to get going here.

 

[00:02:53]

Karen Evans:  I think, it’s great to come in.  I know, that the secretary was very excited about the confirmation.  I got sworn in on September 4th in the hurricane.  So, it’s good to learn right there on the job about what’s going on.  So, and then I think we also had a pipeline explosion in the New England area.  Right, so I got oil and natural gas, SCC work, the ESCC work.  I’ve learned all these new acronyms going forward.

 

[00:03:27]

Bill Loveless:  You got to explain them to me again just to remind us.

 

[00:03:29]

Karen Evans:  Yes, yes. Because there is a lot of groups that are supporting this sector going forward. So, it truly is a partnership and so, I got to experience partnerships live while the events were occurring.

 

[00:03:43]

Bill Loveless:  You know, I want to start with you and your career path.  You’ve been very much involved in this world of cyber security for many years.  Now, tell us about your career path and what brought you back to the Department of Energy?

 

[00:03:53]

Karen Evans:  Well, my career path is pretty interesting.  I started out as a GS 2 career employee with the National Park Service as a matter of fact.  So, I have a soft spot for department of interior and I’ve worked my way through the system and then ended up in information technology.  So my first go around here at Department of Energy, I was selected for the chief information officer and in that time was when they had brought it out to a dash 1 type of organization, which is a direct report to the secretary.  So…

 

[00:04:30]

Bill Loveless:  And this was back during under president George W.  Bush.

 

[00:04:33]

Karen Evans:  Right. And I was gonna say during secretary Abraham. So I was selected by secretary Abraham and at that point, the Def Sec was Frank Blake. That later became Carl _____ [00:04:44]. He was the chief of staff. So they were all involved in my selection. And they were really pretty clear about what they wanted to do and they were elevating technology at that point because they saw the strategic value that technology would play in this sector. So that was the reason why, it was being elevated at that point. So, it was really a fun job because being a chemistry major and then getting my business, my master’s degree. So it was like being in the candy shop with all the national, you know, things that you had studied while you were coming through school. You had the opportunity to actually go out and see what is happening live and work with the national labs which is always an opportunity. Then, from there, I was chosen to run, I was like co-chair, the vice chair of the federal CIO council. I was asked to do that by the Office of Management and Budget. And that’s where I believe the deputy director for management, _____ [00:05:46] about how we were trying to organize and make sure that we are actually delivering results under everything that we were trying to achieve at that time as it related to information technology and then I was pulled over to the White House and so it is now what is called the chief information officer for the United States Government. But at that time, they just passed a new piece of legislation called the E-Gov Act. So that was in 2002.

 

[00:06:11]

Bill Loveless:  Effectively, you were the chief information officer for the government at that time.

 

[00:06:13]

Karen Evans:  Yes. But what happened, so this is all relevant to this is there were two new pieces of legislation that went through. One dealt with cyber security which was the Federal Information Security Management Act and then the E-Gov Act. So when you put those two together, it was, how do you maximize services for the American citizen using technology while preserving information under records management, protecting privacy and also ensuring cyber security. So, I had all those. It was 42 statutory responsibilities that have passed and I said, yeah, why don’t you come over here and institutionalize this and get this up and running across the federal government. And so it was really exciting. It was really exciting to do that and when you have an agency perspective and you grew up through the federal government, you kind of, you know how the bureaucracy works, so that you can look at what are the policies. How do you want to do things and what can you do to get to an effective outcome? So then I left and one of the big things that I learnt from that was it’s all about workforce like even though you have information technology and you have the tools and you have everything that you need, if you don’t have the right workforce with the right set of skills, it’s not gonna make a difference. And so, at that point, cyber security was still blossoming and a lot of the incidents and things like that had not happened. So, you know, like everybody talks about the Office of Personnel Management and the data loss that was associated with that. I was working on workforce issues and what skillsets would you really need to have in order to be able to protect the information holdings that the federal government collects. So, I worked on that and then you asked, why would I come back and I heard this today and I thought, oh, no but it’s really relevant that, the reason why I came back was this was a wonderful opportunity.
It’s the next evolution in critical infrastructure. So I was here in government when the Department of Homeland Security stood up. I was here at DOE when 9/11 happened and how we had to, you know, work to stand up the department and then go to the White House and implement the recommendations that came from the 9/11 Commission. So, you’re working with intelligence, terrorist information and then also ensuring that you can do services to the citizen. And now fast forward to here, this is the next evolution of how…

 

[00:06:13]

Bill Loveless:  You’re ready for this job.

 

[00:08:52]

Karen Evans:  I think, I really have decided that, if the secretary and the president of the new administration did choose me which they did, thank goodness that I learnt a lot in the ten years, nine years that I was out as well.  So, if I knew then, what I know now, I thought oh, I can really get this jump started and really take this to the next level of how a sector specific agency should be managing these efforts while working in conjunction with DHS and their overall role of how they have to protect the homeland.

 

[00:09:32]

Bill Loveless:  Yeah, yeah.  You know, the government and energy industries have been gearing up for years to bolster cyber security in the energy sector.  You mentioned some of the statutes that were passed in years back when you were back in the government that address some of these issues.  The new office you had, the office of cyber security, energy security and emergency response would take this preparation to a new level.  I mean, what’s been missing and how would your office fill the gap?

 

[00:10:00]

Karen Evans:  So, what is missing, I think and the opportunity that secretary Perry has really taken to heart and a lot of analysis was done in the previous administration. So, every administration, cyber security fortunately is a very bipartisan issue like everybody agrees that we have to have good cyber security. Now…

 

[00:10:22]

Bill Loveless:  But you don’t see a lot of politics.

 

[00:10:25]

Karen Evans:  You don’t, you see it as it relates to the program that it supports.  So for example, you’re seeing it in the area of elections, right because that’s a program.  You know, if you look at it from a straight IT, it’s a program that it supports.  So what is the right risk that we’re willing to live with as a country.  So, when you look at this, this administration, when they came in and the executive order that was issued by the Trump administration was very clear about accountability because one of the things that if you go back and analyze anything that’s happened through the federal government in this area, it’s like how do you have the accountability and the secretary when they are selected, they need to realize just like a CEO of a company, because you’re talking about how you talk to the utilities and everything.  They know that it’s their responsibility and that they are gonna be held accountable should an incident occur during their watch and they have to show that they did due diligence.  And so, that’s the same thing that has to happen within a department and an agency when the executive order went out.  Secretary Perry has really embraced this responsibility what it means to be accountable in the energy sector.  And I think what you’re seeing with this office is that again the next evolution of that and the ability for him to be able to demonstrate that he is accountable and that he has tasked me to do certain things.  So that he can then answer that responsibility to the president and say this is how we’re working with the energy sector because as you know, 90% of the infrastructure here is run by private industry.  So it takes a different type of approach in order for us to be able to leverage what’s happening in the national labs and then take it to action.  So, the other piece is the national cyber strategy that was really about the administration specifically.

 

[00:12:25]

Bill Loveless:  September 20th.

 

[00:12:26]

Karen Evans:  Yes, because that was one of the things that I had to roll out as well in my short tenure here. But when you read that in Pillar One it talks about critical infrastructure and the other piece that’s really critical in the national strategy is we’re moving, the government likes to do a lot of policy and planning. But we really need to move to action and accountability. So, we spent a lot of time and when I say we, I mean the nation of admiring this, yes, there is a problem. We all acknowledge there is a problem. There is different groups. We have different pieces that have been implemented. Energy sector has been really good about going forward and really partnering and working together as an industry to be able to address this but it’s now taken it to the next level.

 

[00:13:16]

Bill Loveless:  And a lot of that next level you’re seeing has to do simply with accountability.  Let’s be clear who is responsible.

 

[00:13:22]

Karen Evans:  And let’s be clear who is responsible and who is gonna take what actions under what circumstances.

 

[00:13:27]

Bill Loveless:  Had that been unclear up until now?

 

[00:13:31]

Karen Evans:  Yes, I would say that depending on, so that was one of the things that was released with the national strategy where they rescinded Presidential Directive 20. So when they rescinded that, there was a process that was in place in the intergovernmental process that would go through so that they could, you know, figure out who was gonna do what where. But in the cyber world, if you are executing out this process, the actual action that you’re trying to address is happening real life in the infrastructure, you know, or whatever in the financial sector and health sector whatever. And so the government can keep running an internal process every time something happens. It needs to be more clearly defined.

 

[00:14:18]

Bill Loveless:  You need it to clarify some of this process and what’s happening now.  You know, I noted at the ceremony marking, you know, confirmation as assistant secretary, energy secretary Perry said that DOE is at the frontlines in the battle over cyber security.  And said the threat is growing.  He said, in short, it requires us to think differently.  How so, how do you think differently?

 

[00:14:46]

Karen Evans:  So, there is a lot of different models that are out there. And I really believe that the way that we need to be looking at this problem. If you look at it from a Washington DC perspective, a lot of people look at it from inside going out. If you look at the energy sector, so that’s kind of a command control, I’m gonna centralize everything. But if you look at it from an energy sector, it’s really from the outside coming in. So, think of the internet of things. Think of how they have all these relay stations out there. Think about how they are in the middle of nowhere and then there is, you know, a transformer. So, it’s from the outside in and how do you get that information to come in, so that we can have situational awareness about what’s happening. That is a different way of looking at it. Now, I would say the energy industry and the, so I was gonna say the ESCC which is the electric subsector coordinating council. Okay, that, yeah, I have to make sure I get all these acronyms right. That they have been pretty proactive in the work groups and the things that they have underway and so, a lot of these problems, they’ve been thinking about and they’ve actually been working to try to get some solutions in place and then we as a partner with them. The things that the government needs to do because we have an energy government coordinating council that is reciprocal of this. So it’s co-chaired by Department of Homeland Security and energy myself. Then we need to work with them in partnership because if they identify certain things, only the government can take that action we need to know that. But we are doing a lot of in the national labs that we need to leverage back out through that group. And so, it is a different model and if you try to build a command and control, so a lot of people think of that from like a DOD perspective. It’s a lot of centralized command and control. You cannot have that in the energy sector.

 

[00:16:44]

Bill Loveless:  You know, people worry about threats to the grid, you though, justifiably. During a congressional hearing this September, you were asked by a member, a lawmaker, whether you were confident U.S. utilities are prepared for a cyber attack by a state actor like Russia or China. And you said no. Why?

 

[00:17:08]

Karen Evans:  So, I’m glad you asked that, so that I have the opportunity to clarify a little bit more because of the way he asked me about my confidence level. And I think the value that the government brings on that is, there is a certain amount of where we can put context around it and we have the ability through the intelligence agencies to put more context around it. So, when a small utility is experiencing an event, they may not necessarily recognize that that’s actually what is happening. And so, he specifically said a nation state and that gets into a lot of things doing with attribution and really having situational awareness of what’s happening in across the sector and so, they may be able to do some things locally, but they may not have all the tools and the intelligence that they need to have, to really see how it fits into the bigger picture. And so, and there are different examples of how this has happened in other parts of the sector where a company continuously fix a problem and the adversary then realized what the threshold is. So they just fine tune and make some adjustment. So, if we are getting information back, so if you think of them, you know the grid operators more like first responders, where they know, they can do the triage and then there is a system that you feed it back to. So like the E-ISAC that is set up here for sharing or the oil and natural gas ISAC which is the information sharing piece. That’s where we are looking to put more tools. That would then be able to give them actionable types of things that they can take. They may not necessarily have to have the full picture but we know how that they have protections in place. So that they are collecting certain information that can inform a process. While they are still keeping the utility up and running. Because a lot of this is gonna affect the local communities, right. And they want to have the power.

 

[00:19:08]

Bill Loveless:  But, I mean, there have been concerns, even alarms raised by the government; the Department of Homeland Security and the FBI pin the responsibility on a Russian group, often called Dragonfly or Energetic Bear, for intrusion into utilities that gave attackers remote access to critical industrial control systems, the so-called SCADA systems. This is according to the Wall Street Journal. These systems govern the way that power flows and keep the electric supplies balanced with the demand and thus prevent blackouts. Now, there have been no blackouts by these sorts of intrusions but nevertheless, I mean, does that sort of illustrate one of the big concerns, someone like you would have when you look out at the grid and the risks it faces?

 

[00:19:51]

Karen Evans:  Absolutely and we’re looking at is when you look at industrial control systems and SCADA systems that is even a more refined set of knowledge that you need to have to know what is the normal type of operation that would occur and what we’re trying and what DOE is working on and what we’re working on in partnership with our industry partners and the national labs is you know what the ecosystem should look like, right and there is a certain set of events that happens and should happen. What we are working on in conjunction with our partners is okay, what is that tipping point and how do you detect it. Because there is like, there is commercial products already available but what’s the delta between what operational technology is capable of doing and what information technology is capable of doing. And what is our delta? Can we come up with, you know, for a lack of a better term, a management control type of thing and then be able to share that information out with the commercial sector as well so that they can then embed it into the commercial products that then go back out to all the industry.

 

[00:19:51]

Bill Loveless:  Right.  How often do breaches occur or how often are there cyber attacks on an electric utility in the United States?

 

[00:21:13]

Karen Evans:  So, I don’t have that information readily available and even if I did, I probably wouldn’t share it with you on a podcast.  So, but you know…

 

[00:21:25]

Bill Loveless:  How can you best assess?

 

[00:21:26]

Karen Evans:  Well, I was gonna say, it depends on how we categorize a cyber incident as well and so that’s part of the discussion. The way that I’m now starting to frame this discussion is that, we do as a sector specific agency, we do emergency response and we’re really good. So when people think about energy and we started out this discussion talking about our hurricane response capability. We should have that same type of mature responsibility as it relates to cyber security as well. So I’m calling it emergency response of a cyber nature. Because if I say incident response and say something about cyber security an incident response in cyber security will connote actions that happen in the IT world. But energy is more than just IT. You brought up SCADA systems, you brought up the industrial control systems. How do they interact? Should they even interact? What is the best architecture associated with this and how should, the municipalities go about doing this? They don’t all have the same capabilities and when we start making recommendations, there is gonna be effects of how this could play out on investments, right. It could, it could affect rates. It could affect a lot of different things which means now, I have to gather the information and I have to have situational awareness that then comes up from the sector and goes into the national risk management center that is managed by Department of Homeland Security.

 

[00:22:59]

Bill Loveless:  Right, right.  I think, you raised an interesting question, some reporters recently and I was reading about and you asked raise the question, how much risk utilities are willing to accept when it comes to cyber security? What do you mean by that?

 

[00:23:14]

Karen Evans:  Right. So, this really becomes an investment, right. Because we were just talking about what could happen in a local jurisdiction because of the regulators, I mean, there is a lot of different powers that be that are playing in the energy sector. And so, we as a nation may say, our risk tolerance in certain geographical areas are zero because of the services that are offered by their. So when you look at what Department of Homeland Security is attempting with the national risk management center, they have to look at risk across the whole nation of which we are just one sector. So when you start looking at the risk that we are seeing, hey, this is coming from the energy sector because under our _____ [00:23:58] program, which is a pilot program that we’re starting to look at supply chain risk management associated with components and how the SCADA systems and how industrial control systems are put together. We may say, hey, there is this one particular product that is based on all the analysis that the national labs have done and then based on the risk that we’re willing to live with the nation, we have to replace this product. Okay, because our risk tolerance could be really low.

 

[00:24:28]

Bill Loveless:  And it could be a very costly substitution.

 

[00:24:30]

Karen Evans:  It could be very costly, right.  So at that point, if it’s really costly and everybody, and I mean everybody from a national perspective says, no, it’s too high of a risk, now we have to come up with that could affect the federal budget process.  We might have to come up, they might say, hey, in order for us to be able to minimize this risk, we have to change out all these equipment which means, now we are gonna manufacture only here in the United States because a lot of these component parts are manufactured overseas.  So we are not willing to accept that risk anymore.  It’s good news because we could generate jobs in this area.  It’s bad news because we have to have the cost in order to exchange out the equipment and how much your private industry really absorb on that and how much of the federal government did.  That is the policy discussion.

 

[00:25:20]

Bill Loveless:  That’s like a big issue too.

 

[00:25:22]

Karen Evans:  It is a huge issue and so my office is responsible to make sure that secretary Perry or when we go into future administrations any secretary would have the data to be able to inform that policymaking process.

 

[00:25:39]

Bill Loveless:  Now, recently you met with officials of DOE.  I assume you’re among the, met with your counterparts at the department of homeland security to discuss a new initiative addressing cyber threats to pipelines.  Has there been insufficient attention paid to pipelines when it comes to cyber security and energy infrastructure?

 

[00:26:00]

Karen Evans:  Well, I was at that meeting to announce the initiative of the pipelines going forward. The TSA administrator was specifically there to ask oil and natural gas industry to join us in that initiative. So we are pretty excited that they suggest. I would refer everybody to read the general accountability, they change the name, General Accountability Office’s report as it relates to pipelines because there is a lot of recommendations and suggestions in there as it relates to security and that really is, I think at a minimum. What we are trying to address from a government perspective but the other part is that the industry as a whole again, the oil and natural gas industry recognizes that, through that sector sub sector coordinating council. We work with them and they realize the risk associated with that. They have working groups again that are looking at that. There are specific things at that, they have concerns over because again, you know, this is what’s the new way of thinking about it and I’m saying from the outside coming in. When you start looking at technology that’s available, do they put sensors on that? How do they collect that data? What’s the threshold with that? There is a lot of technology capabilities that you could do.

 

[00:27:20]

Bill Loveless:  But has there been less attention paid to pipelines than to the grid? The sense I get, maybe just as an observer in somewhat covering these things that I typically think of cyber security as it relates to the grid. I don’t think so much about pipelines. That may just be me but…

 

[00:27:37]

Karen Evans:  But, okay, so I’m gonna focus on the second part of my title which is energy security.  So, it’s cyber security, energy security and emergency response.  So energy security is all sources, all hazards, all… So my office is focused on all of that.  So, I’m not making a distinction between the two.  I’m looking at, you know, what is the delivery, what is our role as a sector specific agency and how can I help my other government partners? Especially DHS as it relates to this so that we can then make sure that we are addressing the responsibilities that we have as a sector specific agency.

 

[00:28:14]

Bill Loveless:  Okay.  I mean, you’re talking about, which security issues.  There are more than simply cyber issues when it comes to security of things like pipelines.

 

[00:28:21]

Karen Evans:  Yes, yes.  Because there is physical security issues, there is all kinds of things and so what we are really trying to do is make sure that we collect data and have situational awareness and so that’s what I mean by all hazards but we started out this discussion about hurricane.  So you know, you have to be able to say, okay, here is what’s happening, here is where our energy, the grid, here is what the utilities look like, here is how it’s laid out.  You know, here is the IT infrastructure on it, here is the OT infrastructure on it and by the way here is the weather map.  And so here is all the possibilities and then when you infuse that with potential intelligence information that could be looking at what regional areas, what types of equipment, you know, I’m gonna take advantage of a hurricane, I mean, secretary always talks about that to me is this like, he wants to know what the root cause of the issue is.

 

[00:29:13]

Bill Loveless:  Right.

 

[00:29:15]

Karen Evans:  So if, there is a hurricane going on and then, you know, there is another issue going on like that just happened with the pipelines.  What’s the root cause? Make sure that, you know, the right team is investigating that and in the case of the pipelines that’s _____ [00:29:30] department of transportation.

 

[00:29:33]

Bill Loveless:  Pipeline has a _____ [00:29:34] safety administration.

 

[00:29:35]

Karen Evans:  There you go.  Thank you.

 

[00:29:37]

Bill Loveless:  Thank you very much. You know, I had Bruce Walker around the program some months ago. We talked a lot about security resiliency and that discussion had more to do with his involvement in looking at coal power plants, nuclear power plants and whether from a national security perspective, something needed to be done to try to keep them online. I mean, does that whole initiative have any bearing on what you’re doing here in the cyber security and these related issues that you’re responsible for?

 

[00:30:04]

Karen Evans:  So there is a natural line between what Bruce Walker and his team are looking at.

 

[00:30:12]

Bill Loveless:  By the way, the assistant secretary for electric, previously.

 

[00:30:15]

Karen Evans:  Previously, my office was actually part of his office and so, there is an effort that he’s working on and I’d like to describe that a little bit more.  Under the old methodologies that we used to have, that’s called _____ [00:30:34] right, so it’s continuity of government and continuity of operations.  And so when you start looking at that, it’s like what do you do immediately as soon as an incident happens so that like your COOP plan, right.  And then COG is always continuity of government and so what do you need to do to keep government services running and what are the minimum government services that you need to have in a geographical area.  And then how do you make sure that those government services are operational and part of what he is working on and what I’m also working on is now, I’m gonna bring it back to risk is what then, what’s the risk associated with that.  If the government says, this is what they need from a national security perspective across multiple geographical areas, then we have to see what kind of energy, you need to have in order to make sure that those services are running and how are we doing that? Are we doing it ourselves through the Power Market Administration or are we doing that with our industry partners and if we are doing that and I’m the one who ask to go out, if we are doing it with the industry partners to be able to explain what we are doing from a national security perspective, so that they can support us going forward.

 

[00:31:43]

Bill Loveless:  So you might look at types of power being generated.

 

[00:31:44]

Karen Evans:  We could, we could.

 

[00:31:44]

Bill Loveless:  Coal, nuclear, gas, renewables which…

 

[00:31:48]

Karen Evans:  But that’s a policy decision that needs to be made at a higher level and then once that decision is made, then it would go back into this visualization and this data collection that we want to have that then goes out to DHS, so that they can monitor and have situational awareness across all sectors.

 

[00:32:09]

Bill Loveless:  Yeah, I want to finish the conversation with a topic that I think is pretty near and dear to you and that’s building a workforce in the cyber security.  You did that previously with an institute that you are involved in and you’ve worked on while you were out of government.  I think, you spent a lot of time on this.  What needs to be done?

 

[00:32:28]

Karen Evans:  So, there is a lot that has been done in this area and the work that I used to do is under the U.S. Cyber Challenge and the National Institute for Standards and Technology has a national initiative called the National Initiative for Cyber Security Education.  The challenge in that area is that the federal government has funded a lot of curriculum but what you really have to do is kind of go.  There is like an immediate need for workforce today.  So a lot of these could be done at the community college level and you’re retraining people.  And then there is a longer term issue that everybody really likes to get in to which is taking cyber security down to elementary school levels and getting them all excited, yes.  There is…

 

[00:33:14]

Bill Loveless:  Elementary school level.

 

[00:33:15]

Karen Evans:  Elementary school levels to get them really excited.  There is a lot of studies that have been done where girls will switch and they won’t go into sciences around the 8th and 9th grade and so, how do you keep them actively engaged.  So that’s why you see these other initiatives that are out there about like there is one called digi girls and _____ [00:33:36] girls.  Because it’s really a fun thing.  So if you like solving puzzles then this is the area that you want to be in.

 

[00:33:44]

Bill Loveless:  But there is a need for a lot more network force.

 

[00:33:46]

Karen Evans:  Absolutely.  There is always gonna be a need and the analogy that I like to use is that we want a major league baseball team, several of them but we’re also creating the T-ball team at the same time back at the local area and so you want to build that whole infrastructure out to be able to do, so that we can compete in the World Series.

 

[00:34:06]

Bill Loveless:  There is a lot to be done.

 

[00:34:07]

Karen Evans:  Yes, sir, there is.

 

[00:34:08]

Bill Loveless:  Assistant secretary Karen Evans.  Thank you very much for joining us on the Columbia Energy Exchange.

 

[00:34:12]

Karen Evans:  Thank you for having me today.

 

[00:34:12]

Bill Loveless:  Thanks as well to you our listeners.  For more information on the podcast or on the Center on Global Energy Policy go to energypolicy.columbia.edu on the web.  On social media, you’ll find us at Columbiauenergy.  For the Columbia Energy Exchange, I’m Bill Loveless.  We’ll be back again next week with another conversation.