Q&A: How the Postal Service Thinks It Can Predict the Next Cyber Breach
The agency's manager for data science and exploration told Nextgov his team plans to use predictive analytics to foresee future cyberintrusions.
Following the cyber intrusion at the U.S. Postal Service last year, which compromised the personal information of more than 800,0000 current and former employees, the agency says it now wants to use predictive systems to stop the next cyberattack.
That’s just one of many projects emerging from the agency's Data Science and Exploration office. It's also trying to use sensors to make its physical operations more efficient, pinpointing the number of employees needed for a predicted number of packages about 10 days in advance.
Dan Houston, manager of the data office, spoke with Nextgov about these and other upcoming technology efforts at USPS. This conversation has been edited for length and clarity.
NG: Give us a picture of what USPS will look like in the near future.
DH: For the future, we’re looking at more predictive and prescriptive analytics. We want to be able to start telling on our business side -- in particular with plant operations -- what volume of mail and packages they can expect, what machines they’re going to need to run at which time to actually process that volume, and at some point how many people you need for each one of those machines to actually meet our service standards.
[For cyber], we’re very interested in moving from the traditional threshold of “somebody’s working after this time, they’re logged into more than one machine, they’ve moved this amount of data.” We’re starting to establish true baselines for [employees], so we come up with "risk scores" and leveraging changes in risk scores as places where we need to start doing further investigation. It’s not necessarily, "As risk score moves, we think something bad has happened," but we think, "As a risk score moves, we need to do a little further investigation" to see if maybe a credential has been compromised, or even worse, if it’s some sort of inside threat where someone’s trying to steal data from inside the environment and sell it elsewhere.
We definitely want to get to where we can establish risk scores for people . . . Do we have people that have access to that data that maybe don’t need it?
NG: How long until this system actually exists?
DH: We’re really just getting started with that type of capability. We have a lot of the data together, and we're starting to really establish those baselines and risk scores. We’re really early in that journey. We’re hoping to be there in this fiscal year, but I think that's a pretty tall order. We’ll definitely be well into that journey this fiscal year.
NG: How much will the cyberintrusion system take into account outside threats?
DH: We already ingest threat feeds and we’ll continue to do that. We’re exploring some ideas around social media to see if there are opportunities for us to leverage social media to look for, "This looks like a group of people that are trying to do bad things, and they have a relationship to an employee here. Do we need to be worried about that or not?"
NG: USPS has been trying to update its GPS routing system for package delivery drivers for a couple years so it adjusts in real-time to factors such as traffic. Do drivers feel undermined when a computer system tells them to change the route they've been perfecting for decades?
DH: There's definitely that kind of pushback. We do that kind of "dynamic routing" even with our carriers on the street -- we no longer just follow static routes and go to every door. Definitely people think, "I know this, I’ve been driving it for 20-30 years, my computer doesn't know that better than I do." And I think initially, that's where we have to be very, very careful.
Because people are resistant to it, they think they do know it better. We want to make sure the [computer-generated route] really is the way to do it.
NG: How much data do you collect on individual customers?
DH: That’s always a touchy one for people: How much do they really want people to know about what they're doing. We know an awful lot about people because we know what goes in your mailbox everyday. Do we know where you are at all times? No.
But as more and more services get offered up about notifications -- [such as], "I want to know that my package was delivered to me via text message," or now, we're even experimenting with, "I don’t want you to deliver that package to my house, I want to you deliver it to me here, where I’m going to be at that time". . . that kind of information certainly becomes available where we start to know more and more patterns.
We know what kind of stuff you're buying based on packages you receive. I don’t think that’s all that important at the individual user level, but it does become important to some of our business customers.
We’re not going to tell them about your specific buying habits, but we're going to say, "Hey, you want to sell sporting goods, why don't you give us 1,000 of whatever you have, [maybe] a catalog . . . We'll make sure it gets in those right mailboxes." We won't risk people's information.
NG: But you could probably make the case, for some customers, that knowing more about their habits could help USPS be more efficient in package delivery.
DH: I think we want to go the other way, where we’ll let you tell us, if you want, where you're going to be. With a lot of the newer cars, there are digital keys. I don't think [USPS is] actually exploring this one, [but] your phone can either unlock your trunk or open a particular door. [So, maybe in the future it could be], "I don't need you to deliver to my house anymore, here's where my car is going to be, put it in my trunk."
There are some interesting cases like that. They’re not currently on our roadmap, but as that technology evolves and becomes more ubiquitous, [it] certainly becomes an opportunity for people to use that kind of service.