GAO finds Census Bureau vulnerable to cyberattack

A litany of IT shortcomings will put the Census Bureau at the mercy of hackers and other nefarious activity until the agency implements a comprehensive information security program, according to the Government Accountability Office.

A report released Feb. 20 concluded that although the Census Bureau has taken steps to protect the information and systems that support its mission, it has not effectively adopted appropriate information security controls to protect those systems.

Security controls are used to regulate who or what can access the bureau’s systems. Census officials, for example, did not adequately control connectivity to key network devices and servers or identify and authenticate users. They also failed to limit user access rights and permissions, encrypt data, monitor systems and networks, or ensure appropriate physical security controls were adopted.

The main reason for these flaws is the agency’s lack of a sweeping information security program to ensure controls are effectively established and maintained. The Federal Information Security Management Act requires all agencies to create and adopt an information security program.

The agency also failed to keep certain security management program policies current and had not revised its IT security program and policies since April 2010. Intra-agency guidelines require Census to update its policies at least once a year.

"Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption or loss," GAO warned.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Sun, Feb 24, 2013

What a lame excuse!!! "One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework". (http://www.csoonline.com/article/729281/gao-raps-census-bureau-s-data-protection-practices) Come on Brian McGrath. You really don't expect the public to buy into your excuse, do you? I don't think you're taking your job seriously. If I were the Director I would fire you. Under Title 13 of the U.S. Code, Census Bureau employees are subject to a $250,000 fine and/or 5 years in jail if confidentiality is breached. So does this mean the information can be stolen and everything is OK as long as nobody reports it??? The Title 13 and Title 26 data could have been stolen right now, but no one is aware of it and that makes it alright because ignorance, stupidity, laziness, and incompetence pays off. Is that the message you want the public to see? Kind of like being a weather-man, isn't it? You can be 50% wrong and still keep your job. Better yet someone will get promoted.

Fri, Feb 22, 2013

I have learned from many years of firsthand experience that many weaknesses in IT and IT Security are found in non-compliance of a few players in the organization. Many of these non-players have been the heroes of the past when we had to throw it together for the mission and come back later if there's time to address security. But with proper Planning and Authority placed in the right areas the old days don't have to exist anymore and an organization can mature to a proper level of capabilities, control and compliance. But until the heroes of old are put in their place an organization will be held hostage by the heroes and their egos of the past.

Fri, Feb 22, 2013

It's quite a leap to assume that Census is a month behind in patching because an explanation was offered to refute the false claim that workstations are "not patched regularly". Patches are released in sync with Microsoft. Microsoft typically releases patches on the same Tuesday every month. It's known as Patch Tuesday. Once the patches are tested they are deployed, usually within a few days of the release. Patches released at other times are known as "out of band" patches and are tested and released in a similar way, but not according to a regular schedule because they aren't released according to a regular schedule. The accusations in the first post were wild exaggerations not based in fact. The person who made them sounded bitter and so do you.

Fri, Feb 22, 2013

To the person that stated patches are applied monthly. You basically admitted that your patches are a month behind. Pathetic.

Thu, Feb 21, 2013

Previous comment regarding patching is incorrect. Patches are deployed to Census workstations monthly in sync with Microsoft releases and audits are performed. Sounds like an unhappy camper.
