Census braces for cyberattacks

Less than a year before the 2020 population count officially begins, the Census Bureau knows it'll be a prime target for cyberattacks.

Public perceptions around data confidentiality and the security of a trove of sensitive information have consistently topped the bureau's major risk areas in the decade leading up to  an online census.

And with that change in medium -- the bureau expects about 60 percent of responses to be submitted online -- comes novel risks, Census CIO Kevin Smith told FCW at an event hosted by the Poynter Institute and Georgetown University March 5.

Because the information, for the first time, will be coming in digitally rather than on paper, Census is now making sure data is encrypted both in transit from respondents and once it's been received by the bureau, he said. And the bureau isn't taking on the cybersecurity lift alone.

"We're going through the steps right now with [the Department of Homeland Security] to involve the intelligence community to determine what to put in place," he said. "They offered to provide us with support similar to the 2018 midterm elections."

But Smith noted protecting the census has key differences from protecting an election. For one, the duration of the census is "not like a week," he said. "It's eight months. So it's a different model."

As far as specific actions that the bureau will take to make sure its security is where it needs to be, Smith said federal agencies would conduct penetration testing on Census systems later "this quarter," followed by another round of penetration testing from industry.

"Those are all set up to be done in the next six months … and there will probably be some done in the fall as well," he said.

Similar testing has been conducted over the last couple years, "and nothing critical or high [risk] has been discovered," he said.

But whether all the systems the bureau needs will be delivered on time is still a question. Systems readiness, and the bureau's ability to deliver on a tight budget and timeframe, has been a persistent concern from lawmakers and watchdogs.

And even if all the tech is ready to go and adequately shored up, "the weakest link of every chain is the people," said Smith.

To make sure the human side of the equation is prepared, a DHS red team will test "the people and the processes we use to support the technology," Smith said.

"Instead of a week-long adventure of the penetration testing, it's a couple months," he said. "We're getting ready to schedule those things in the next quarter to the next three months."

The bureau has also put other protections in place to mitigate human error. It's using two-factor authentication and can remotely erase data on an enumeration device that's been lost or misused by an enumerator, Smith said.

While some aspects of the census operation at large have undergone less testing than originally planned -- both because of budget constraints as well as the addition of the citizenship question after the start of the 2018 end-to-end test -- the cybersecurity components of the census have not been similarly challenged, Smith said.

The other novel difficulty the online census presents "is people impersonating us," said Smith.

Impersonation of the census is nothing new. But the outsized presence of social media today raises new concerns for the potential dissemination of false and fraudulent information.

The amount of routine disinformation that currently exists on social media platforms, much less surrounding high-profile endeavors with political implications, already causes problems. To combat that, the bureau plans to work with the sites and organizations helping it promote the national headcount. Sharing information is a key part of the 2020 rollout, Census Assistant Director of Communications Stephen Buckner said.

While misinformation presents a heightened challenge for a census that's received more attention at this point in the decennial than counts of years past, Smith seemed less worried about the threat of a major brute force attack taking down the entire site on actual Census Day -- which happened to the Australian census in 2016.

"My hope is that we know about [an attack] ahead of time because we're working with the intelligence community," he said. "But secondarily, we're using industry leaders to basically be the front end of our website.… People try to do a denial of service all the time, and they're not successful."

And even in the event an attacker did get through, Smith said the data collection site is designed in such a way where individual parts could be shut down without flatlining the whole website.

"I don't see it getting to us, but if it does, the systems we've designed on the back end [will] respond to that," he said. "We've put things in place where it's not all-or-nothing on the website."

Still, the possibility of a risk in the digital space is never zero.

"There's always a risk," he said. "At the end of the day, if there's an issue, we'll figure out how to get the site back up and running and figure out what the bad actor was trying to do," he said. "We'll still have other ways to respond -- by phone and by paper."