GAO finds Census Bureau vulnerable to cyberattack

A litany of IT shortcomings will put the Census Bureau at the mercy of hackers and other nefarious activity until the agency implements a comprehensive information security program, according to the Government Accountability Office.

A report released Feb. 20 concluded that although the Census Bureau has taken steps to protect the information and systems that support its mission, it has not effectively adopted appropriate information security controls to protect those systems.

Security controls are used to regulate who or what can access the bureau's systems. Census officials, for example, did not adequately control connectivity to key network devices and servers or identify and authenticate users. They also failed to limit user access rights and permissions, encrypt data, monitor systems and networks, or ensure that appropriate physical security controls were adopted.

The main reason for these flaws is the agency’s lack of a sweeping information security program to ensure controls are effectively established and maintained. The Federal Information Security Management Act requires all agencies to create and adopt an information security program.

The agency also failed to keep certain security management program policies current and had not revised its IT security program and policies since April 2010. Intra-agency guidelines require Census to update its policies at least once a year.

"Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption or loss," GAO warned.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Sun, Feb 24, 2013

What a lame excuse!!! "One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework." (http://www.csoonline.com/article/729281/gao-raps-census-bureau-s-data-protection-practices) Come on, Brian McGrath. You really don't expect the public to buy into your excuse, do you? I don't think you're taking your job seriously. If I were the Director I would fire you. Under Title 13 of the U.S. Code, Census Bureau employees are subject to a $250,000 fine and/or 5 years in jail if confidentiality is breached. So does this mean the information can be stolen and everything is OK as long as nobody reports it??? The Title 13 and Title 26 data could have been stolen right now, but no one is aware of it, and that makes it alright because ignorance, stupidity, laziness, and incompetence pay off. Is that the message you want the public to see? Kind of like being a weatherman, isn't it. You can be 50% wrong and still keep your job. Better yet, someone will get promoted.

Fri, Feb 22, 2013

I have learned from many years of first-hand experience that many weaknesses in IT and IT security are found in the non-compliance of a few players in the organization. Many of these non-players have been the heroes of the past, when we had to throw it together for the mission and come back later, if there's time, to address security. But with proper planning and authority placed in the right areas, the old days don't have to exist anymore, and an organization can mature to a proper level of capabilities, control and compliance. But until the heroes of old are put in their place, an organization will be held hostage by the heroes and their egos of the past.

Fri, Feb 22, 2013

It's quite a leap to assume that Census is a month behind in patching because an explanation was offered to refute the false claim that workstations are "not patched regularly". Patches are released in sync with Microsoft. Microsoft typically releases patches on the same Tuesday every month. It's known as Patch Tuesday. Once the patches are tested they are deployed, usually within a few days of the release. Patches released at other times are known as "out of band" patches and are tested and released in a similar way, but not according to a regular schedule, because they aren't released according to a regular schedule. The accusations in the first post were wild exaggerations not based in fact. The person who made them sounded bitter, and so do you.
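The comment above describes a monthly cadence: Microsoft releases on the second Tuesday, and workstations are patched within a few days afterwards. The script below is an added illustration, not code from the article, the Census Bureau, or any commenter, of how an auditor can turn that cadence into a concrete compliance check: compute the most recent Patch Tuesday for a given date, allow a grace period, and flag hosts whose last recorded patch date predates that release. The host names, dates and the seven-day grace window are constructed assumptions for the example.

```python
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's regular release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(as_of: date) -> date:
    """Return the most recent Patch Tuesday on or before `as_of`."""
    candidate = patch_tuesday(as_of.year, as_of.month)
    if candidate > as_of:
        # This month's release has not happened yet; fall back to last month's.
        if as_of.month == 1:
            candidate = patch_tuesday(as_of.year - 1, 12)
        else:
            candidate = patch_tuesday(as_of.year, as_of.month - 1)
    return candidate


def lagging_hosts(inventory: dict, as_of: date, grace_days: int = 7) -> list:
    """Return hosts that still lack the latest monthly release once the grace period has passed.

    inventory maps host name -> date the host last received patches.
    A host is compliant if it was patched on or after the latest Patch Tuesday.
    Before the grace deadline nothing is flagged, since deployment is still in progress.
    """
    baseline = latest_patch_tuesday(as_of)
    deadline = baseline + timedelta(days=grace_days)
    if as_of <= deadline:
        return []
    return sorted(host for host, last in inventory.items() if last < baseline)


# Constructed sample inventory (hypothetical host names and dates).
SAMPLE_INVENTORY = {
    "ws01": date(2013, 2, 14),  # patched two days after the Feb 2013 release
    "ws02": date(2013, 1, 10),  # still on the January release
    "ws03": date(2013, 2, 12),  # patched on release day
}

if __name__ == "__main__":
    as_of = date(2013, 2, 22)
    print("latest Patch Tuesday:", latest_patch_tuesday(as_of))
    print("lagging hosts:", lagging_hosts(SAMPLE_INVENTORY, as_of))
```

Run as-is, the script reports Feb 12, 2013 as the baseline release and flags only `ws02`. Checked on Feb 14, inside the grace window, it flags nothing, which is the distinction the commenter is drawing between "patched monthly" and "a month behind".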

Fri, Feb 22, 2013

To the person that stated patches are applied monthly. You basically admitted that your patches are a month behind. Pathetic.

Thu, Feb 21, 2013

The previous comment regarding patching is incorrect. Patches are deployed to Census workstations monthly, in sync with Microsoft releases, and audits are performed. Sounds like an unhappy camper.
