Alarm sounds over census cybersecurity concerns

Lawmakers are raising concerns that the upcoming 2020 census, which people are expected to fill out primarily online for the first time, is opening the door to potential cyber vulnerabilities. 

These vulnerabilities were in the spotlight on Capitol Hill on Tuesday as the Senate Homeland Security and Governmental Affairs Committee held a hearing to examine the security of the census, which residents will be able to complete online, over the phone or on paper. 

The hearing featured testimony from top officials from the Government Accountability Office (GAO), which has added the Census Bureau to its list of “high risk programs” due to cybersecurity and information technology shortfalls. 

{mosads}“Although the Bureau has taken initial steps to address risk, additional actions are needed as these risks could adversely impact the cost, quality, schedule, and security of the enumeration,” Nick Marinos, the director of Information Technology and Cybersecurity at GAO, and Robert Goldenkoff, the director of Strategic Issues at GAO, said in their written testimony.

Concerns center around the security of personal data involved in the census, and around securing systems against threats from foreign nations. The anxiety echoes some of the worry surrounding security against cyberattacks from foreign actors during the upcoming presidential election.

Specifically, GAO identified more than 330 “corrective actions” in regard to securing the census against cyber incidents as of May, with the Census Bureau telling the GAO that 104 of these actions are “delayed” for reasons unrelated to technical issues or resources. 

When questioned by committee Chairman Ron Johnson (R-Wis.) as to the overall readiness of the Census Bureau for the 2020 census, Goldenkoff said that “if the Census Bureau gets the response rate, and that there is no cybersecurity incident or IT shortfall, I think the Census Bureau will be positioned for a cost-effective headcount. I don’t think we’re looking at disaster, but I think there is a lot of work needed going forward.”

But Census Bureau Director Steven Dillingham, another witness, insisted that the agency is prepared to secure the personal data involved in the census. 

“Our cybersecurity program is designed to adapt and respond to a changing threat landscape,” Dillingham said. “We incorporate protections in our technology, have processes to continuously monitor systems, and have a team ready to respond immediately to any potential threat.”

Dillingham acknowledged that while the Bureau has a “continuity of operations” plan in the event of a cyberattack impacting computer systems, it is still working on a plan for what to do in the event of a “catastrophic” cyberattack that takes down broad swaths of the system.

Johnson expressed confidence following the hearing that the Census Bureau is well prepared to face cyber threats in 2020.

“There will always be risks, but I think based on the testimony, based on my opening questions, I think both the director and GAO seem pretty confident that they’ve got things at a manageable level, so I’m feeling pretty good about the census personally,” Johnson told The Hill, adding that he believes the Bureau has “adequate security” to combat potential threats from nation states against the census. 

Committee ranking member Gary Peters (D-Mich.) was more cautious, telling The Hill last week that “one of the main concerns we have with the census is to make sure it’s secure, and people who are filling out the census want to know that their data is protected and secure, so it’s something that we’ve got to make sure that we’re focused on.”

The Senate Homeland Security and Governmental Affairs Committee will likely not be alone in examining this issue.

Sen. Dan Sullivan (R-Alaska), the chairman of the Senate Commerce security subcommittee, expressed interest in examining the subject, telling The Hill that he plans to speak with Johnson and potentially take a look at the issue after Tuesday’s hearing. 

Rep. Cedric Richmond (D-La.), the chairman of the House Homeland Security cybersecurity subcommittee, told The Hill on Tuesday that his subcommittee will likely look into the cybersecurity of the census in the next few months. 

“We just have to make sure it’s accurate, we have an administration that won’t admit to Russian hacking in our elections, so I’m not sure how serious they are taking the cyber threat of the census, so it is an area of concern,” Richmond said. “I’m glad the Senate is doing it, it’s about time they were.”

The security concerns surrounding the census mirror the controversy over election security from foreign actors, evoking the debate about using paper ballots or receipts to track votes.

Tim Maurer, the co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, cited the need for Census Bureau and other government officials to learn from interference efforts in the 2016 elections in protecting the 2020 census in an op-ed written for The Hill earlier this year. 

“Imagine that when the census takes place, devices used to collect the data stop functioning, data gets leaked, or the data itself gets manipulated,” Maurer wrote. “With American society on edge ahead of the 2020 election, such scenarios could have devastating consequences for the census as an institution.”