GAO finds Census Bureau vulnerable to cyberattack


A litany of IT shortcomings will put the Census Bureau at the mercy of hackers and other nefarious activity until the agency implements a comprehensive information security program, according to the Government Accountability Office.

A report released Feb. 20 concluded that although the Census Bureau has taken steps to protect the information and systems that support its mission, it has not effectively adopted appropriate information security controls to protect those systems.

Security controls are used to regulate who or what can access the bureau’s systems. Census officials, for example, did not adequately control connectivity to key network devices and servers or identify and authenticate users. They also failed to limit user access rights and permissions, encrypt data, monitor systems and networks, or ensure appropriate physical security controls were adopted.

The main reason for these flaws is the agency’s lack of a sweeping information security program to ensure controls are effectively established and maintained. The Federal Information Security Management Act requires all agencies to create and adopt an information security program.

The agency also failed to keep certain security management program policies current and had not revised its IT security program and policies since April 2010. Intra-agency guidelines require Census to update its policies at least once a year.

"Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption or loss," GAO warned.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.


Reader comments

Sun, Feb 24, 2013

What a lame excuse!!! "One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework". (http://www.csoonline.com/article/729281/gao-raps-census-bureau-s-data-protection-practices) Come on Brian McGrath. You really don't expect the public to buy into your excuse, do you? I don't think you're taking your job seriously. If I were the Director I would fire you. Under Title 13 of the U.S. Code, Census Bureau employees are subject to a $250,000 fine and/or 5 years in jail if confidentiality is breached. So does this mean the information can be stolen and everything is OK as long as nobody reports it??? The Title 13 and Title 26 data could have been stolen right now, but no one is aware of it and that makes it alright because ignorance, stupidity, laziness, and incompetence pays off. Is that the message you want the public to see? Kind of like being a weatherman, isn't it. You can be 50% wrong and still keep your job. Better yet, someone will get promoted.

Fri, Feb 22, 2013

I have learned from many years of first-hand experience that many weaknesses in IT and IT security are found in non-compliance of a few players in the organization. Many of these non-players have been the heroes of the past when we had to throw it together for the mission and come back later if there's time to address security. But with proper planning and authority placed in the right areas the old days don't have to exist anymore, and an organization can mature to a proper level of capabilities, control and compliance. But until the heroes of old are put in their place, an organization will be held hostage by the heroes and their egos of the past.

Fri, Feb 22, 2013

It's quite a leap to assume that Census is a month behind in patching because an explanation was offered to refute the false claim that workstations are "not patched regularly". Patches are released in sync with Microsoft. Microsoft typically releases patches on the same Tuesday every month. It's known as Patch Tuesday. Once the patches are tested they are deployed, usually within a few days of the release. Patches released at other times are known as "out of band" patches and are tested and released in a similar way, but not according to a regular schedule because they aren't released according to a regular schedule. The accusations in the first post were wild exaggerations not based in fact. The person who made them sounded bitter and so do you.
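The patching dispute in the comments above turns on a measurable question: how long after Microsoft's monthly release (the second Tuesday of the month) each workstation was actually patched. The following is an added example, not code from FCW, the Census Bureau or any commenter; it assumes a constructed inventory of hostnames and last-patch dates and a configurable grace window for testing and rollout.

```python
from datetime import date, timedelta

# Assumed grace window: days after Patch Tuesday during which an
# unpatched host is still "pending" (testing/rollout) rather than "overdue".
GRACE_DAYS = 7


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's regular release day)."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(as_of: date) -> date:
    """Most recent Patch Tuesday on or before `as_of` (may fall in the previous month)."""
    this_month = patch_tuesday(as_of.year, as_of.month)
    if this_month <= as_of:
        return this_month
    prev_year, prev_month = (as_of.year - 1, 12) if as_of.month == 1 else (as_of.year, as_of.month - 1)
    return patch_tuesday(prev_year, prev_month)


def classify_hosts(inventory: dict, as_of: date, grace_days: int = GRACE_DAYS) -> dict:
    """Map each host to 'current', 'pending' or 'overdue' relative to the last release."""
    release = latest_patch_tuesday(as_of)
    deadline = release + timedelta(days=grace_days)
    status = {}
    for host, last_patched in inventory.items():
        if last_patched >= release:
            status[host] = "current"          # picked up the latest release
        elif as_of <= deadline:
            status[host] = "pending"          # still inside the rollout window
        else:
            status[host] = "overdue"          # missed the release plus grace period
    return status


# Constructed sample inventory: hostname -> date the host last installed patches.
SAMPLE_INVENTORY = {
    "ws01": date(2013, 2, 15),   # patched three days after the Feb 12, 2013 release
    "ws02": date(2013, 1, 10),   # last saw January's patches only
    "ws03": date(2013, 2, 12),   # patched on release day
}

if __name__ == "__main__":
    for host, state in classify_hosts(SAMPLE_INVENTORY, date(2013, 2, 21)).items():
        print(f"{host}: {state}")
```

Out-of-band releases, as the comment notes, have no fixed schedule, so they would need their own release date fed in rather than the computed second Tuesday.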

Fri, Feb 22, 2013

To the person that stated patches are applied monthly. You basically admitted that your patches are a month behind. Pathetic.

Thu, Feb 21, 2013

Previous comment regarding patching is incorrect. Patches are deployed to Census workstations monthly in sync with Microsoft releases, and audits are performed. Sounds like an unhappy camper.
