Cybersecurity experts worry about census data

With approaches to election security still up in the air, a group of former cybersecurity officials are concerned about the cybersecurity of another democratic foundation: the decennial census.

In a July 16 letter to acting Director of the Census Bureau Ron Jarmin and Commerce Department Secretary Wilbur Ross, the former officials stressed the importance of the security of data collected by the bureau's first-ever electronically based survey and pushed the bureau to publicly share plans for how it plans to protect that information.

The signatories include former White House Cyber Coordinator Michael Daniel, former Office of Director of National Intelligence General Counsel Robert Litt, former State Department cyber lead Christopher Painter and Mary McCord, who formerly served as acting assistant attorney general for national security.

"Ultimately, the accuracy of the 2020 Census will be improved by enhancing the public's confidence in the secure collection and safe storage of that information," they wrote.

Census has listed public perception of the bureau's ability to safeguard response data and the prospect of a cybersecurity incident among its "major" risk areas for 2020.

However, the group noted, despite congressional and public request, the bureau has not publicized how it "is implementing even the most basic cybersecurity practices," such as whether two-factor authentication will be required to access collected data and whether data will be encrypted.

Among the information collected by the decennial is the age, race, relationship and -- for the first time since 1950 -- the citizenship status of people living in the U.S.

The signatories said they believe that publicly sharing how the bureau plans to protect that data will help boost confidence in the results and help make the count as accurate as possible.

"Such transparency and leadership would boost public confidence and also allow cybersecurity experts outside the government to offer assistance in addressing any concerns that they might identify," they wrote.

Alternatively, the former officials recommended the bureau could "at a minimum … retain a reputable outside cybersecurity firm to conduct an end-to-end audit of current plans for data protection associated with the 2020 Census."

Earlier this year, Census CIO Kevin Smith said the bureau has been working with the intelligence community and private industry, including social media companies, to help prepare for these risks and boost public trust.

Census did not respond to a request for comment, and it has previously declined requests to speak with officials about the census's cybersecurity.