Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
The Census Bureau is getting a new chief information security officer just as preparation for the 2020 count hits its full stride.
Beau Houser will join Census after spending the last two years as SBA’s chief information security officer. Houser will begin his new position in mid-September and Jeff Harris, SBA’s director of security operations, will be the acting CISO until the agency hires a new permanent executive.
Houser replaces Tim Ruland, who retired last September.
Houser said he’s looking forward to the challenge of protecting the technology and systems behind the population count.
“The mission over there is very appealing and the challenges are pretty significant. I always like a challenge,” Houser said on Ask the CIO. “When I came to SBA and anyone who has heard [SBA CIO] Maria [Roat] talk about the issues she inherited, it’s the same sort of model. There was a lot of work to do and we were allowed to lean in on some pretty interesting areas and do some cool stuff. I’m hoping Census is the same kind of challenge for me because that’s where I find joy as a CISO, solving these large complex challenges.”
There may be no bigger IT challenge than the 2020 population count, which will get going in earnest next April.
The bureau is testing more technology than ever before for the Decennial Census, including geospatial software, online data capture tools and the cloud. In fact, Census recently awarded two contracts for cloud services—a $102 million deal with Unisys in March and a $24 million task order under the Enterprise Infrastructure Solutions (EIS) with CenturyLink.
At the same time, Houser’s challenges will be great as the Commerce Department inspector general found in June that Census’s move to the cloud “contained fundamental security deficiencies that violated federal standards and U.S. Department of Commerce policies”
Auditors state, “These findings demonstrate that the bureau did not securely use commercial cloud services to host its cloud environments during 2020 Census preparations, which placed the sensitive Title 13 data collected by the bureau during the 2018 E2E Test at increased risk of potential misuse or loss. Our recommendations, if fully implemented, will help the bureau manage its cloud environments in a more secure manner.”
Houser’s experience at SBA where he took innovative approaches to securing cloud applications will serve Census well.
“I always make a point as a CISO to embrace creativity and flexibility. That’s where we have to start because a rigid view of security and an authoritative view of security is not always helpful and in a lot of cases it just forces our customers to go around us,” he said. “Skepticism of cloud security is still prevalent. That’s probably one of the biggest challenges and you really have to get folks to see it firsthand. We’ve done over 30 demonstrations as an agency to other federal agencies. We are trying to be transparent about what we are doing and how we are doing it.”
SBA had too many cyber tools
Over the last two years, Houser led the effort to consolidate and improve SBA’s cybersecurity in part by trusting his cloud providers, taking advantage of the tools and capabilities they offer, and managing risk throughout the process.
He said when he first got to the agency, after spending almost three years as the deputy CISO at the Centers for Medicare and Medicaid Services, SBA had 38 different security tools, many of which the agency implemented differently, were maintained by different teams and ended up giving the gaps in some areas and overlapping capabilities in others.
“Leveraging the cloud tools and organizing around those solved a lot of those problems,” he said. “We were able to cut down our portfolio of tools.”
Just as important as reducing the number of tools, Houser helped initiate an entirely new approach to security in the cloud.
SBA took an entirely different approach to implementing the continuous diagnostics and mitigation (CDM) program. Instead of installing new tools on-premise, the agency worked with the Homeland Security Department to develop, what now many call, an innovative approach that relies on the cloud.
“Our goal was to leverage native cloud tools and stretch them as far as we could stretch them in achieving those CDM goals and show what the capabilities are,” Houser said. “We did that and DHS was really impressed. A lot of folks had that moment that this was different. It wasn’t just spinning up virtual machines, installing software on virtual machines and doing what we were used to. It was a different model.”
TIC pilot a success
Now, SBA ingests more than 400 gigabytes of log data a day into the tools and using the business intelligence tools in the cloud. Houser said SBA now understands better than ever what’s going on in their network, who and which devices are logging on and have fewer challenges to secure the data.
“If you look at cybersecurity or CDM, there’s always a challenge around data. How do you aggregate all of those logs from all of those sources into a consolidated view? We leverage cloud and the initial thought is the cloud is the key, but really it’s beyond that. It’s really about using big data concepts and unstructured data to solve these problems,’ he said. “We all know what we deal with from an IT management standpoint and all of the various things we have to manage. By using big data, it’s very simple and straightforward to aggregate all those data sources into a data lake and then pick and choose which data elements you need from any of those sources to paint the picture you need to paint. It becomes a challenge of creativity once you get the data aggregated.”
Houser said it took SBA 30 days to aggregate its data and spent most of the time in the CDM pilot getting the data dashboard and visualization to a level of maturity to help make security decisions.
Along with CDM, SBA piloted a new approach to the Trusted Internet Connections (TIC) program.
Houser said through this effort, SBA saw just how mature the cloud security tools had become.
“What we wanted to do was take a different approach and look at the outcomes that the TIC architecture and requirements were trying to achieve, and then determine if it’s best to do that on the wire or at the end point or where is the appropriate place to get that level of attention, and then aggregating that into the picture you need to prove you’ve got that,” he said. “We took the chains off of it, be creative and see where we would go. It was a good pilot from that standpoint.”
Houser said all of these tools and capabilities gave SBA a level of visibility it didn’t have before. That let the agency manage risk and inform their decisions, a philosophy he plans to bring to the Census.