Lawmakers Warned 2020 Census Data Vulnerable to Hackers
Lawmakers were served up another cybersecurity wake-up call on the upcoming 2020 Census in a hearing held by the Senate Homeland Security and Governmental Affairs Committee.
In two words, the Department of Commerce’s Census Bureau is a “high risk” program, with serious, untended cybersecurity and IT vulnerabilities hackers could exploit, according to testimony from officials at the Government Accountability Office (GAO). That citizens can fill out the 2020 Census online, which is estimated to save the federal government billions, adds to the potential for cybersecurity events.
“Although the Bureau has taken initial steps to address risk, additional actions are needed as these risks could adversely impact the cost, quality, schedule, and security of the enumeration,” Nick Marinos, the GAO’s information technology and cybersecurity director, and Robert Goldenkoff, the GAO’s strategic issues director, said in written testimony from their report, 2020 Census: Actions Needed to Address Key Risks to a Successful Enumeration.
“Specifically, the Bureau has faced challenges related to completing security assessments, addressing security weaknesses, resolving cybersecurity recommendations from DHS, and addressing numerous other cybersecurity concerns,” they wrote.
At the macro level, this is what Marinos and Goldenkoff are talking about: The Bureau is using innovations that are not expected to be fully tested; it continues to face challenges in implementing IT systems; and it faces significant cybersecurity risks to its systems and data.
At the micro level, specific to cybersecurity, this is what they’re talking about:
- At the end of May 2019, the Bureau had about 330 open plans of action and milestones (POA&Ms) to remediate issues such as ongoing continuous monitoring.
- Of the open POA&Ms, 217 were considered “high-risk” or “very high-risk.”
- While the Bureau established POA&Ms, it was slow to meet its own deadlines to complete remedial actions.
- Of the 217 open “high-risk” or “very high-risk” POA&Ms, 104 were delayed. Of those, 74 had missed their scheduled completion dates by 60 or more days. The delays were due to technical problems or tight budgets.
It’s not a disaster in the making, Goldenkoff told committee chair Ron Johnson (R-WI). “If the Census Bureau gets the response rate, and that there is no cybersecurity incident or IT shortfall, I think the Census Bureau will be positioned for a cost-effective headcount,” he said. “I don’t think we’re looking at disaster, but I think there is a lot of work needed going forward.” (via The Hill)
There’s notable concern surrounding the potential for hackers to steal the personally identifiable information (PII) on some 100 million households, heightening the need to “properly secure these systems,” Marinos and Goldenkoff said. “It will be important that the Bureau provides adequate time to perform these security assessments, completes them in a timely manner, and ensures that risks are at an acceptable level before the systems are deployed,” they wrote.
Census Bureau Director Steven Dillingham had much the same to say, with one significant qualifier. “We incorporate protections in our technology, have processes to continuously monitor systems, and have a team ready to respond immediately to any potential threat.” However, the Bureau still hasn’t nailed down a plan should a massive cyberattack bring the entire system to its knees, he said. (via The Hill)
The Senate Homeland Security and Governmental Affairs Committee hearing isn’t the first time lawmakers have been cautioned about the 2020 Census’ potential exposure of PII. A GAO report published a year ago found some 3,100 security issues and vulnerabilities, 43 of which were classified as “high” or “very high” risk that hackers could exploit. “Because the 2020 Census involves collecting personal information from over a hundred million households across the country, it will be important that the Bureau addresses system security weaknesses in a timely manner and ensures that risks are at an acceptable level before systems are deployed,” that report said.