The U.S. Census Bureau failed to mitigate a known vulnerability that enabled hackers to attack its network in January 2020, the Office of Inspector General (OIG) said in a newly-released report.
The report reinforces a lingering problem in the IT industry: Many breaches involve known vulnerabilities that end-customers and/or their outsourced security service providers fail to patch.
In this case, hackers hit the Bureau beginning on January 11, 2020 using a publicly available exploit. The attack, which targeted the agency’s remote access servers, did not enable the hijackers to penetrate the agency’s network through a back door. However, threat actors were still able to modify user account data to prepare a malware launch, the OIG’s report said. Staffers use the remote servers to access production, development and lab access networks, but the systems do not permit access to 2020 census data.
U.S. Census Bureau: Five Cybersecurity and Risk Mitigation Mistakes
The OIG auditors were tasked with assessing the Bureau’s processes to respond to cybersecurity incidents in line with federal and departmental requirements. The review found that the Bureau tripped in these areas:
- Missed opportunities to mitigate a publicly known, critical vulnerability, resulting in the exploitation of vital servers.
- Did not discover and report the incident in a timely manner.
- Did not maintain sufficient system logs, which hindered incident investigation.
- In the attack's wake, the Bureau did not conduct a lessons-learned session.
- Continued operating servers that were no longer supported by the vendor.
In a written response, Acting Census Bureau director Ron Jarmin said that none of the systems used for the 2020 census were compromised nor was any data affected. “Furthermore, no systems or data maintained and managed by the Census Bureau on behalf of the public were compromised, manipulated or lost,” he said.
Nine Cybersecurity Recommendations to Mitigate Risk
The OIG issued nine recommendations to be implemented by the Bureau’s chief information officer (CIO) and other officials:
- Notify relevant system personnel when critical vulnerabilities are publicly released.
- Regularly review and update vulnerability scanning lists to identify all network-facing assets.
- Ensure all network facing assets are scanned as the Bureau requires or by using the Department of Homeland Security’s (DHS) diagnostic and mitigation guidance.
- Review the alert capabilities of the agency’s security information and event management (SIEM) tool.
- Ensure incident responders report confirmed events to the Enterprise Security Operations Center (ESOC) in the Department of Commerce, within one hour.
- Develop ESOC procedures for handling alerts from outside agencies.
- Conduct periodic reviews of the Bureau’s system log aggregation configurations to ensure that all network facing assets are properly configured.
- Include a specific time frame to review lessons learned from an incident.
- Establish plans with milestones to retire end-of-life products.
The Census Bureau agreed with all but one of the OIG's recommendations, the exception being the ESOC/incident response item, suggesting it should be redirected it to that unit for a proper response and actions.
On August 12, 2021, the Bureau released the redistricting data to the states and the public. States may use these data in redrawing congressional, legislative and local district boundaries. The data also is used to distribute $1.5 trillion in federal spending each year.
