Census Bureau CISO, Tim Ruland, Discusses Cybersecurity Landscape for Federal Agencies
With government agencies more dependent than ever on information technology and networked operations to deliver on their mission, they are also more vulnerable than ever to cyber threats. Over the next few weeks, The Access Granted will be taking a look at how government IT leaders are combatting these cyber threats and what best practices they recommend.
This week, we had the chance to sit down with Tim Ruland, Chief Information Security Officer (CISO) at the US Census Bureau, to discuss their best practices, and what they’re doing to keep their network secure against malicious actors. Here is what Tim had to say:
Tim Ruland (TR): Cybersecurity is a high priority at the Census Bureau. Our mission is to collect information from people and businesses in order to provide an accurate picture of the nation. We are charged under Title 13, United States Code to protect the confidentiality of all the data we collect to accomplish our mission.
We look at cybersecurity as inherent in everything we do at the Census Bureau, so it is hard to rate it separately. We have worked hard to embed cybersecurity processes into our systems development lifecycle; this makes it part of all of our IT projects and initiatives.
However, we also work very hard to comply with other published federal mandates issued by the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) related to cybersecurity. The Census Bureau faces the same pressure and scrutiny as all federal agencies to keep its networks secure. We do understand, however, that we have an added level of trust to maintain, assuring our respondents, both individuals and businesses, that we keep their information secure.
TAG: What are some of the best strategies and practices you’re using to block cyber attacks?
TR: The Census Bureau has implemented a layered cybersecurity defense to protect our networks. This includes implementing a risk management framework that allows us to be very granular in our assessment of risk. The risk management framework is based on the National Institute of Standards and Technology (NIST) and relies on the successful implementation and maintenance of security controls identified by NIST in their publications.
This activity is a priority, and we monitor the effectiveness of these controls on a monthly basis through automated scanning of our servers, databases and telecommunication equipment for vulnerabilities. Patches to identified vulnerabilities or configuration changes are required to be corrected within a prescribed period of time and are formally tracked until closed.
TAG: Why do you think attacks against government agencies are unrelenting?
TR: I can only speak for the Census Bureau, and agree that cyber attacks are getting more attention than before. We monitor activity that could be targeting the Census Bureau all the time and the number of attack signatures has risen somewhat, but not at a rate that would indicate a shift in focus. Attempts to gain unauthorized access to our networks and systems occur all the time, but our defenses to date have been able to keep them from being successful.
We will need to remain vigilant, however, and we are working to make sure our cybersecurity infrastructure and architecture matches what the rest of the Federal government is doing in these areas.
TAG: Is there a certain type of malicious actor that you’re seeing across many of these breaches?
TR: I don’t think you can identify a standard profile of these actors. At the Census Bureau we are seeing a wide spectrum of malicious actors, from state-sponsored cyber attackers to individuals simply looking to make a claim that they successfully compromised a federal agency’s IT systems or obtained sensitive information.
TAG: What are some of the areas where agency cyber teams could be working smarter? Why are the networks at these government agencies so vulnerable? What are these vulnerabilities resulting from?
TR: Speaking from my perspective at the Census Bureau, I think that vulnerabilities are introduced through a lapse in patching or in poorly written applications. We work very hard to meet all federal regulations using our risk management framework to make sure that we can balance those requirements with what is needed for us to successfully complete our mission. We regularly review our security posture and report to senior management the status. Areas needing improvement are addressed promptly.
I do not think any network can be considered completely secure. There are always risks. The key is to identify those risks and manage them in a timely and effective manner so they do not present an easy target for an attacker.
TAG: What are the most common types of attack you and your team face?
TR: Phishing remains the highest form of successful attack, followed by weaknesses in application coding. At the Census Bureau we are engaged in an initiative to implement a training program against phishing that will test our employees on their awareness, and provide feedback when they make a poor decision as part of the training. We are also looking at improving our capability to scan our application code to make sure it is not vulnerable to malicious attacks.
With the increased use of multi-factor authentication, credential theft, while always a concern, has a lower risk profile than simply username and password, regardless of the length and complexity of the password.