Rod Turk understands that the Census Bureau is one of the biggest troves of data the government possesses. So to prevent something catastrophic, he wants the intelligence community’s help in guarding it like a national treasure.
The Department of Commerce CIO said as the agency prepares for the 2020 census, he wants to get help from intelligence agencies to identify cyberthreats to the survey, especially since it will incorporate more technology than ever before, making it a rich target.
“I’m interested in a more significant flow of information from the three-letter agencies and the intelligence community back to my organization,” he said at the AFCEA Energy and Earth Science IT Symposium Tuesday. “We have some very significant functionalities that if we are not protecting them cause great harm to the goodwill and just the basic good order of the country.”
The Commerce Department has faced a lot of scrutiny in the run-up to the decennial census, which will utilize more than 40 IT systems, provide online response functionality and is expected to deploy new mobile technology to assist census enumerators.
But it will not only collect the personal information of millions of Americans — the census will also determine the federal funding for some critical infrastructure systems like education and public safety.
Turk said that protecting the networks the census will rely on is critical, and intelligence agencies could help the Commerce Department identify where those threats might come from.
“With the mountains of data that we see in the IC community, should we not be able to do some predictive analysis through [artificial intelligence] or machine learning that says, ‘You know, your risk for an exfiltration attempt is high in this vector, from this nation-state,’ to give us a chance to be able to protect ourselves,” he said.
He added that the Commerce Department has already sought out “private sector intelligence gathering services” to help it track threat indicators on the dark web, such as bitcoin transactions that could flag a potential attack.
“It’s kind of amazing what you can find out there on the internet,” he said.
The CIO added that his team is also leveraging the Department of Homeland Security’s Continuous Diagnostic and Mitigation program both as a shared service provider across the Commerce Department’s disparate systems, but also to look for possible supply chain vulnerabilities that could affect its networks when new technology is on-boarded.
“Census has used that significantly, that supply chain effort, and we have in fact found things. I’ll just leave it at that,” he said.
Finding specific supply chain vulnerabilities can be as simple as searching the internet with the Commerce Department’s IT checklist when it does a technology procurement, Turk said.
“We’ll go look for things like what tools have you embedded in your systems if you are a service provider,” he said. “We’re looking for intents, we’re looking for threats, we’re looking for all kinds of issues related to the supply chain. You’d be amazed what you can find in the regular internet in terms of information.”
Combining that research prowess with a capability to monitor threat indicators on the dark web could bolster that security even further, he added. But while his cybersecurity teams are vigilant, Turk said he would never profess a reassurance in his defenses that is “quite high.”
“[W]hile we may have all of these tools now, the sophistication of the exploitation and the vulnerabilities has also increased,” he said. “So it’s really difficult to say are we better. There’s no such thing as a completely secure system.”