The U.S. Census Bureau’s decennial count is raising concerns that its new digital systems are vulnerable to attacks or malfunctions that could unfairly rejigger congressional seats or shuffle federal resources.
The 2020 headcount, for the first time conducted primarily online, kicked off in remote parts of Alaska last week. After years of preparation, the bureau is racing to finish securing systems and testing operations. Legal deadlines for counting the population leave no room for mishaps that have plagued large government systems, such as the rollout of healthcare.gov or the 2015 breach of data files for millions of federal personnel.
“We’re concerned and continue to view this as one of the highest risk areas of government right now,” Nick Marinos, information technology and cybersecurity director at the Government Accountability Office, said in an interview. “They have made progress in reducing risk, but we are still seeing a good number of systems at risk.”
The personally identifiable information of about 100 million American households will be collected and stored on government systems at a time of heightened fears of cyberattacks from foreign adversaries such as Iran, as well as Russia, which targeted the 2016 election. Almost 20 states are estimated to gain or lose congressional seats based on the outcome. More than $1.5 trillion in federal funding—including for first responders, grants, Medicare, tax credits, and other spending—is determined by the count.
“Lacking a clear understanding of those circumstances is a clear threat to democracy,” Dipayan Ghosh, a former technology policy adviser to the White House as well as Facebook Inc., who has raised concerns about census cybersecurity for years, said in an interview.
Census officials have welcomed oversight and worked to build and secure their technology systems, spending $3.79 billion in obligated contracts over the last five fiscal years, according to a Bloomberg Government analysis. But for years a series of budget issues, leadership turnovers, and short staffing have set off alarm bells among lawmakers, cyber specialists, and watchdogs concerned the census may be short of the resources it needs for the gargantuan task.
Congress on Alert
A federal audit and congressional oversight hearing next month are expected to shed light on several of the vulnerabilities the U.S. Census Bureau has yet to shore up before the nationwide count goes live in March.
House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.) has scheduled a hearing with the bureau’s director, Steven Dillingham, Feb. 12 to address the challenges. Maloney, in a hearing this month, said she was “gravely concerned” about the bureau’s readiness, and cited cyberthreats as a worry.
The bipartisan leaders of the Senate Homeland Security and Governmental Affairs committee last year pressed the GAO for regular reports of the census, with a focus on its new technology and cybersecurity, after an August 2018 report revealed almost 3,100 security weaknesses in the system. The next report will be released in mid-February, according to the GAO’s Marinos.
“While significant progress has been made and strong cybersecurity protections have been put into place, we must remain vigilant in the face of this ever-present and evolving threat,” Sen. Gary Peters (D-Mich.), ranking member of the committee, said in a Jan. 25 email.
Phishing attacks and disinformation campaigns on social media present new vulnerabilities that could trick Americans into avoiding the census or going to the wrong website and ultimately skew results, auditors have said.
Sen. Maggie Hassan (D-N.H.), another member of the committee, said in an email she is “continuing to monitor cyber resiliency efforts,” and is in touch with auditors and the bureau about steps needed and ensuring there’s a backup plan if an attack were to occur.
Senate and House lawmakers have requested a string of updates on census readiness since the GAO put the operation on its “high risk” list in 2017 that have revealed vulnerabilities. For example, the bureau lacked sufficient staff to oversee the implementation of its largest IT contract with T-Rex Solutions, obligated at $851 million, according to the GAO and a Bloomberg Government contracts analysis from fiscal year 2015 to 2019. Almost $380 million has been obligated to T-Rex in fiscal 2020 as staff races to finish work before launch.
T-Rex has worked closely with the bureau and other contractors to protect and ready systems, and is “prepared for a secure and successful 2020 Census,” Seth Moore, the company’s CEO, said in an email.
More concerning than cyber vulnerabilities or recommendations the bureau has yet to address is a lag in the process to address them, increasing the possibility of known risks at launch time, Marinos said.
“Time is running short and they just need to make as many corrections as they can,” he said.
Apart from the GAO, the internal watchdog at the Department of Commerce in June released a report showing the cloud-based IT systems that supported the census contained “fundamental security deficiencies that violated federal standards.” The deficiencies indicated the bureau was “behind schedule and rushed to deploy its systems,” and that sensitive personal data was at risk of “potential misuse or loss,” the report said.
The department’s Office of Inspector General announced another audit of the bureau’s IT security measures in October.
Government auditors, former officials, and cyber specialists say these security vulnerabilities are symptoms of larger issues that have plagued the department for years, including the abrupt resignation of its director in 2017 for a spot not filled until 2019. Throughout the past decade, funding from Congress and the administration has been inadequate or delayed to help it prepare for the transition to digital, Terri Ann Lowenthal, a former staff director of the House census oversight subcommittee, said in an interview.
“That forced the Census Bureau to streamline, delay, or cancel important testing opportunities,” Lowenthal said.
Marinos and cyber specialists were quick to point out the progress the census has made in addressing cyber concerns and said the staff is working around the clock to get ready for launch. Cybersecurity is “paramount,” and contingency plans were being developed for an attack or breakdown of systems, Dillingham told lawmakers in July.
Census spokesman Michael Cook said “major testing” of systems is complete while others are ongoing, and that multiple layers of security are in place to protect against “current and evolving cyber threats.”
“We have a team of cybersecurity experts who monitor and protect all agency technology around the clock,” he said in an email.
The census in 2017 partnered with the Department of Homeland Security’s cyber arm, now called the Cybersecurity and Infrastructure Security Agency, for help securing its systems. Its director, Chris Krebs, said the bureau had addressed the severe security issues his agency had previously identified, and that his agency was working with the intelligence community to identify any specific threats that would then be shared with the bureau.
“We are obviously closely paying attention,” Krebs said in a Jan. 22 interview.
Americans can help by making sure their own devices have up-to-date security when logging in to participate, Maria Filippelli, a technology census fellow with the think tank New America, said in an interview.
And cyber specialists say the census could build public confidence by promoting its contingency plans, and urged Congress to continue its oversight.
“We don’t get to do a do-over on the census,” Michael Daniel, president and CEO of the Cyber Threat Alliance and former cybersecurity coordinator at the National Security Council, said in an interview. “There’s a lot riding on this.”
With assistance from Paul Murphy
To contact the reporter on this story: Michaela Ross in Washington at firstname.lastname@example.org