The Census Bureau houses massive amounts of personal information used by the public and private sectors, but with the 2020 census nearing and cyber threats growing, the bureau is beefing up its cyber defenses.
Tim Ruland, chief information technology security officer at the Census Bureau, said the agency recently completed two phishing exercises — one for employees who work in buildings across the country, while the other was for field representatives — and is also working with Carnegie Mellon University to improve its insider threat network.
“We’re having them come in to look at what we’re doing, help us identify some gaps and build and strengthen the insider threat program,” Ruland said. “It’s part of the risk management framework, part of the holistic view we’re taking of everything. Insider threat is not something we look at saying oh we need to look at it for this program or that program, but really as an agency we need to look at it.”
Ruland told Federal News Radio during last month’s Symantec Government Symposium in Washington that the bureau didn’t know yet what the specific gaps were, but would be implementing actions to close them as they’re discovered.
Ruland said his office embeds a security engineer into every major bureau project.
“They work from the very beginning of the project to make sure security controls, security practices are embedded or baked into the project, rather than bolted on at the end,” Ruland said. “We have a very robust reporting on the risk for each system.”
Ruland said the bureau also scans its databases every month, and is building in a monthly scan of its application codes, as well as tying its security operation center workers “more tightly into the risk management framework, so there’s a constant cross-talk among all of them as far as the threats.”
The bureau’s risk management framework is an ongoing project for Ruland’s office as the agency modernizes itself for the upcoming census.
Earlier this year, Census Bureau Director John Thompson told Congress that a modernized way of collecting and processing information — through the Census Enterprise Data Collection and Processing (CEDCaP) effort — would cut the cost of the the next count and streamline the process.
Thompson said the redesign can save $5.2 billion. But government auditors also testified on Capitol Hill that the complexity and timing of the bureau’s plan for the 2020 count could put the survey in jeopardy.
Ruland said for the enumerators, who will be out in the field actually conducting the survey in 2020, the bureau is applying the same in-house security engineering to ensure mobile devices are secure for the count.
Ruland said as the bureau’s preparation is guided by input from a variety of advisory committees from the educational and scientific communities, who can benefit from the collected information.
“Certainly we’re not going to tell all of the things that we’re going to do as we build the systems, but we do want people to understand that we recognize the responsibility we have with data,” Ruland said. “The balance is trying to make that data response easy and accessible to the public and at the same time be able to assure them that the data they give us is going to be protected and they don’t have to worry about their data getting exposed. It’s a challenge, it’s something that we talk about every day at the Census Bureau at various levels.”