With every month that passes, the 2020 decennial census gets closer to reality, as do potential security threats to the nation’s population count. The Census Bureau has taken pains recently to demonstrate that it takes cybersecurity threats seriously and is doing all it can to mitigate them.
On Aug. 3, at a usually sleepy quarterly meeting known as the Program Management Review, Kevin Smith, the Census Bureau’s CIO, detailed the efforts the bureau is making to keep the count secure. Census, part of the Commerce Department, will work with the Department of Homeland Security as well as the intelligence community to address cybersecurity threats not known to its private sector IT security partners, Smith said.
Those efforts are part of a multipronged cybersecurity plan Smith detailed. The presentation comes after 11 former U.S. cybersecurity officials sent a letter to Commerce Department Secretary Wilbur Ross expressing their concerns about the Census Bureau’s cybersecurity preparations for the count — and a lack of transparency from the bureau about those measures.
Smith said the bureau is focused not only on protecting the data census enumerators collect but also on securing the collection process itself. “There have been some conversations in the public about security and what the census is doing to secure data,” he said, according to FedScoop.
“I want to stress that protection of the data we collect is the census’s highest priority,” Smith continued. “I am going to describe that it’s not just the technology, it’s also the people and processes that we also use within our culture to help make sure everyone is aware of the importance of the data.”
Census to Work with DHS, IC on Cybersecurity Protections
The Census Bureau expects to handle 95 percent of its cybersecurity concerns through commercially available IT security products and services, Smith said, according to Federal News Radio.
However, the agency is working with DHS and some elements of the intelligence community to mitigate other threats.
“Once somebody’s already done it, industry knows about it, puts it into their product sets. We’re then covered and protected from the known things people do,” he said.
“It’s really that 5 percent of the cyberspace that’s unknown,” Smith continued. “This is where the federal intelligence community comes in, where they can proactively let us know what things are happening within their realm of tools and resources that typical industry does not know.”
According to Federal News Radio, DHS has conducted penetration testing this year on the Census Bureau’s website, as well as on the iPhones enumerators will use when they follow up with households in door-to-door surveys and on the agency’s databases filled with address canvassing data.
Commerce Department CIO Rod Turk in June had requested that the intelligence community provide the Census Bureau with “a more significant flow of information” about cyberthreats to the count, FedScoop reports.
Census Aims to Allay Concerns over Cybersecurity Protections
The letter sent to Ross last month was signed by several luminaries from the federal cybersecurity world, including J. Michael Daniel, former cybersecurity coordinator for the National Security Council; Matthew Olsen, former director of the National Counterterrorism Center; and Christopher Painter, former coordinator for cyberissues at the State Department.
They wrote that “the Bureau has not provided basic information such as whether two-factor authentication will be required for all access to the data obtained, whether relevant information will always be encrypted while in transit and also while at rest (and what specific encryption methods will be used), and whether other now-standard cybersecurity practices will be utilized.”
During the quarterly update meeting, Smith said he did not want to give away the Bureau’s “playbook” on countering cyberthreats, but did lay out several measures that are being taken. He also said this playbook is shared with the office of Federal CIO Suzette Kent and the Office of Management and Budget, the intelligence community members Census works with, congressional oversight committees and the bureau’s industry partners.
In terms of internal threats, like attacks on the census’s self-response site or the enumerators’ mobile devices, Smith said that the data will be encrypted both in transit and at rest, according to FedScoop. He added that network activity will be heavily monitored and that the data will be collected and isolated from the internet.
Smith also said the enumerators’ devices will only contain data until it is transmitted to Census systems, and the data will in no way be retained.
When it comes to external threats like a respondent’s compromised device, Smith said that the bureau will conduct public service campaigns to warn citizens about the threats of rogue websites, spear phishing attacks and other cybersecurity threats.
Though data submitted to the Census Bureau through its self-response option will be encrypted, users should be careful of how they handle the data when they are inputting it, Smith said, according to FedScoop.
“Census is not storing any data on your respondent device, computer or your mobile phone to go collect data or to submit data to the internet self-response tool,” he said. “If you choose, as a respondent, on your device to store data locally, or cache it, there’s not much I can do to stop you from caching that data. That’s up to you, with how you use your internet browser and how you want to connect to the rest of the internet.”