GAO: Census Bureau Comes Up Short on CybersecurityWith 2020 Census Slate to Start April 1, Bureau Still Has Work to Do
The U.S. Census Bureau has not done enough to address cybersecurity issues in preparation for the 2020 census, which is slated to begin in April, according to a new report from the Government Accountability Office.
The GAO report notes that over the last 10 years, the watchdog agency has issued more than a 110 recommendations on a variety of topics, including cybersecurity, to the Census Bureau concerning the 2020 census, but some of them have yet to be implemented.
For example, the report says the bureau has not yet implemented certain cybersecurity practices spelled out by the U.S. Department of Homeland Security.
"Because the 2020 census involves collecting personal information from more than 300 million people across the country, it will be important that the bureau continues to address these challenges," the report states. "GAO has ongoing work monitoring the bureau’s progress in addressing … cybersecurity challenges."
This latest update by the GAO was requested by lawmakers from two U.S. House committees: Homeland Security and Governmental Affairs and Oversight and Reform.
New Online Survey
The GAO's concerns about cybersecurity are of particular importance because the census bureau is scheduled to use an online survey response option for the first time this year, along with the usual telephone or mailing options.
Because the online census enables Americans to submit their data through internet-connected computers, tablets or mobile devices, the GAO report finds that the census could be susceptible to phishing, disinformation and other cyberthreats.
On Tuesday, Florida Attorney General Ashely Moody issued a warning about census-related phishing emails looking to steal credentials or spread malware.
"The bureau … needs to quickly address concerns related to the readiness of its internet response system," according to the GAO. "The bureau also continues to face significant cybersecurity challenges, including those related to addressing cybersecurity weaknesses in a timely manner, resolving cybersecurity recommendations from the [Department of Homeland Security], and addressing numerous other cybersecurity concerns."
In its report, the GAO investigators highlight several security concerns, including:
- Security preparedness: Since 2017, the Department of Homeland Security has provided several recommendations to the census bureau to strengthen its cybersecurity efforts, including improvements in incident management capabilities, penetration testing and phishing assessments, in order to determine if attackers are able to access personally identifiable data. But the report says the bureau has not followed up.
- Contingency planning: Because the bureau collects so much personal data in such a short amount of time, the GAO has recommended that it develop contingency plans to ensure uninterrupted IT operations. But the bureau has not yet fully implemented all the recommended backup plans, according to the report.
- Protecting privacy: To ensure citizens’ privacy, the report recommends that the bureau limit the access employees have to the public data it collects. In addition, the report recommends that the bureau strip any personally identifiable information from its publicly released statics to ensure confidentiality. The report notes that the bureau has taken steps in this direction, including using a "disclosure avoidance technique" to help mask data.
Challenge of Disinformation
The GAO report also says that disinformation campaigns could pose a significant threat to the 2020 census. Such campaigns can shape the public's perceptions of how the bureau handles data, leading to a reduction in the online submissions of census data, the report states.
"According to the bureau, if a substantial segment of the public is not convinced that the bureau can safeguard public response data against data breaches and unauthorized use, then self-response rates may be lower than projected, leading to an increase in cases for follow-up and in subsequent costs," the GAO report states.
Bureau officials told GAO investigators that they are working with local partners, fact-checkers and law enforcement to share correct information about the census process. The bureau will also rely on "specialized" tools to track and respond to the disinformation campaigns, the report adds.
Concerns about disinformation are also changing the way the government is approaching the 2020 election. Earlier this month, the U.S. Cybersecurity Infrastructure and Security Agency released its cybersecurity plan for the November election, which includes plans to counter disinformation on social media and other online platforms (see: Cybersecurity Plan for 2020 US Election Unveiled).