The 2020 Census could be the next big hacking and disinformation target
Joseph Marks, The Washington Post
Lawmakers are growing increasingly alarmed about hacking dangers targeting the 2020 Census after a watchdog detailed dozens of high-risk cybersecurity problems that should have been fixed a long time ago.
The hacking danger could be compounded by social media misinformation spread by U.S. adversaries or pranksters falsely claiming that census data is corrupted or the count is rigged, according to the Government Accountability Office report released during a House Oversight Committee hearing yesterday.
“This new report seems to be sending flashing red lights warning that the Census Bureau simply is not ready for what’s about to happen,” the chairwoman Rep. Carolyn B. Maloney (D-N.Y.) said.
Concerns are extra high because the decennial count, which kicks off in earnest next month, will be the first one conducted primarily online with respondents encouraged to submit forms over the Internet. And when responses don’t arrive online or by mail, census-takers will go out to collect them using secure smartphone apps.
That’s a major overhaul for the constitutionally mandated count that determines everything from reapportioning congressional districts for the next decade to distributing federal grant money at a time when hacking dangers are rising sharply. And time is tight to ensure the changes will be made as securely as possible, warned Nick Marinos, the GAO’s information technology and cybersecurity lead.
“Where the risk is and where my worry resides is just in the time,” Marinos told lawmakers. “We’re in a pressure cooker of time to get a lot of things done.”
And the count is sure to be a prime target for U.S. adversaries looking to sow chaos and to raise doubts about national institutions.
“If ever there was a juicy target for those who want to hack in and cause mischief and sow discord and all the rest of it, it would be our 10-year census,” Rep. John Sarbanes (D-Md.) said.
The census has been on the GAO’s list of the highest-risk government projects since 2017 because of cybersecurity and other issues, including concerns the Census Bureau won’t be able to hire enough workers to gather data from communities across the nation, as my colleague Tara Bahrampour reported.
As of December, the bureau still had 191 unfixed cybersecurity problems labeled “high” or “very high” risk and about 26 percent were 60 days or more past their planned fix date, the GAO said. The report did not describe the specific problems because of security concerns.
The report especially set off alarm bells for lawmakers after the fiasco in Iowa last week when state Democrats tried to integrate a smartphone app into the caucus process but didn’t do enough tech and security testing and ended up delaying results for days.
“I must tell you the Iowa [caucus] debacle comes to mind when I think of the census going digital,” Eleanor Holmes Norton, a nonvoting Democratic delegate who represents the District of Columbia said before asking about the bureau’s plans “in the event the systems experience some kind of attack or disaster.”
Democrats on the committee also slammed the Republican National Committee for sending out a fundraising mailer last year that looked like an official census form, charging the committee was damaging the census’s credibility.
“This is an abuse. We’ve been writing Facebook and Twitter and every other social media urging them to be careful about deceptive documents that could be put on the Internet that could be confusing to people … Then you find out a congressional party is sending out deceptive information,” said Maloney, who sponsored a 2010 bill aimed at stopping phony census forms.
She pledged to introduce a successor bill that would impose criminal penalties for mimicking census forms.
Census Director Steven Dillingham assured Norton that “we’ve worked with the best minds in the private industry and the best in the intelligence community and our systems are monitored 24/7.” The bureau declined, however, to tell me who its officials had consulted in private industry, citing security concerns.
The bureau is also guarding against a cyberattack by storing census data in multiple place in computer clouds, Albert Fontenot Jr., the bureau’s associate director, testified. “At worst case, we would send someone out to re-collect that data,” he said.
The bureau is also constantly monitoring social media sites for disinformation about the census or census-related scams aimed at stealing people’s personal information, Dillingham said. And it has a fast track to alert social media companies when it finds phony stories, he said.
Marinos credited the bureau for making hundreds of tech and cybersecurity fixes over the past several years and for developing strong ties to the Department of Homeland Security’s cybersecurity division, which is helping the bureau monitor for hacking threats and will help secure census operations if requested.
He warned, however, that the bureau must move faster to make the remaining fixes — ideally before it begins collecting Internet responses to census questionnaires next month.
“We’re dealing with cyberthreats on a constant basis against federal agencies and the Census Bureau is no exception,” he said.