HHS CISO Chris Wlaschin on the importance of cyber-hygiene
Chris Wlaschin says a lot could be accomplished with just a little bit of basic cyber-hygiene.
As the CISO of the Department of Health and Human Services, Wlaschin knows how complex keeping an agency’s workings and data safe can be. So he isn’t trying to be pithy. But he does tend to think that people under-appreciate the little things.
Wlaschin began his tenure as HHS CISO in January — previously he held a senior information security role at NRC Health. He’s also worked at the University of Nebraska and the Department of Veterans Affairs, and served in the Navy.
To get to know Wlaschin and his priorities, FedScoop invited him to participate in a FedScoop Q&A — a new series of interviews with top federal IT executives.
Editor’s note: The transcript has been edited for clarity and length.
FedScoop: Briefly, what do you find is the most critical part of your job right now?
Chris Wlaschin: So as the CISO for HHS, with 11 operating divisions including FDA, NIH, CDC, CMS, Indian Health Service and others, my job is building collaborative relationships with the security forces around HHS, synchronizing our efforts to improve cybersecurity preparedness and readiness. Probably the most critical aspect of that is educating our workforce that they are the frontline of our cybersecurity defense.
Most of them don’t realize the important role they have in defending HHS against all manner of cyberattacks. I’ve been quoted as saying HHS is subjected to about 500 million cyberattacks a month. Now that’s scans, probes, phishing emails, all that. We are a very high-visibility target. And we’re only as good as our weakest link. So I find that the most critical part of my job is helping the security teams around HHS improve the awareness and preparedness of our workforce. Because they truly are the key.
FS: Is there any topic in federal technology right now bigger than cybersecurity?
CW: I would say that the recent efforts by the administration to invest in modernization and reduce the amount legacy technology that consumes so much of our budget — that’s just as important as cybersecurity.
FS: What challenges keep you up at night regarding cybersecurity?
CW: Patching. We treat our patching reports like profit-loss statements in commercial industry. Patching is critical. In the WannaCry attack earlier this year, the U.S. was by and large able to prevent the success of that WannaCry malware because we focus so intently on patching and making sure that the vulnerabilities that WannaCry was trying to exploit were removed from our systems.
FS: How can the U.S. government do a better job protecting its systems and Americans’ information? What is needed?
CW: We need to be smart about our IT investments and specifically IT security investments. It is my humble opinion that we should spend a little bit more on cybersecurity in terms of technology, processes and people. We have a tough time hiring and retaining qualified cybersecurity individuals in the workforce because the government doesn’t pay what the private sector does.
We need to focus on risk-based decisions for cybersecurity investments. Our high-value assets, the places where sensitive information resides, should be the most formidable of all our systems.
And finally awareness. Most federal employees focus on the mission. Their day to day job. They don’t realize the important role they play in cybersecurity. And we need to educate them that they are the frontline defense.
FS: What isn’t talked about enough regarding cybersecurity?
CW: People don’t realize the importance of basic cyber-hygiene. Changing your password often enough, keeping it strong — people overuse passwords. By that I mean they use passwords on their home account, their social media, their banking, their work account and they’re all the same. This can be because passwords are hard to remember and you don’t want to write them down. People underestimate the power of keeping a strong password.
FS: What advice do you have for others?
CW: I have six steps that I relay to people when they ask me, “Chris, what can I do.”
Number one — keep a clean machine. Make sure that the laptop or desktop that you use is patched, that its got anti-malware and virus programs on there and that they’re working.
Second — protect your personal information. Limit where you share your personal information. I have a very limited social media footprint because people in high-visibility roles are often targets of hackers. So I keep the personal information about me on the internet to a very minimum.
Third — connect with care. Connect to websites that you trust. Be careful about where you browse and the links that you follow when people send you them in emails. Unsecure websites are the gardens from which hackers gather fruitful information.
Fourth — Just be web wise. Make sure that you’re using secure internet connections, secure Wi-Fi — Wi-Fi that is patched and has a password on it. Just be wise about how you interact on the internet.
That leads to number five — be a good online citizen. It is a social community, the internet. It was built to be unsecure. So I try to propagate healthy cyber-hygiene in my interactions with people and at the places that I speak.
And then finally — own your online presence. If you find instances where people are building fake accounts about you or propagating fake information about you or trying to steal your identity, be proactive. Take action with the hosts of those websites.
