Analysis | The Cybersecurity 202: The 2020 Census could be the next big hacking and disinformation target
By Joseph Marks
U.S. Census Bureau Director Steven Dillingham testifies during a hearing of the House Committee on Oversight and Reform. (AP Photo/Alex Brandon)
Lawmakers are growing increasingly alarmed about hacking dangers targeting the 2020 Census after a watchdog detailed dozens of high-risk cybersecurity problems that should have been fixed a long time ago.
The hacking danger could be compounded by social media misinformation spread by U.S. adversaries or pranksters falsely claiming that census data is corrupted or the count is rigged, according to the Government Accountability Office report released during a House Oversight Committee hearing yesterday.
“This new report seems to be sending flashing red lights warning that the Census Bureau simply is not ready for what’s about to happen,” the chairwoman Rep. Carolyn B. Maloney (D-N.Y.) said.
Concerns are extra high because the decennial count, which kicks off in earnest next month, will be the first one conducted primarily online with respondents encouraged to submit forms over the Internet. And when responses don’t arrive online or by mail, census-takers will go out to collect them using secure smartphone apps.
That’s a major overhaul for the constitutionally mandated count that determines everything from reapportioning congressional districts for the next decade to distributing federal grant money at a time when hacking dangers are rising sharply. And time is tight to ensure the changes will be made as securely as possible, warned Nick Marinos, the GAO’s information technology and cybersecurity lead.
“Where the risk is and where my worry resides is just in the time,” Marinos told lawmakers. “We’re in a pressure cooker of time to get a lot of things done.”
And the count is sure to be a prime target for U.S. adversaries looking to sow chaos and to raise doubts about national institutions.
“If ever there was a juicy target for those who want to hack in and cause mischief and sow discord and all the rest of it, it would be our 10-year census,” Rep. John Sarbanes (D-Md.) said.
The census has been on the GAO’s list of the highest-risk government projects since 2017 because of cybersecurity and other issues, including concerns the Census Bureau won’t be able to hire enough workers to gather data from communities across the nation, as my colleague Tara Bahrampour reported.
As of December, the bureau still had 191 unfixed cybersecurity problems labeled “high” or “very high” risk and about 26 percent were 60 days or more past their planned fix date, the GAO said. The report did not describe the specific problems because of security concerns.
The report especially set off alarm bells for lawmakers after the fiasco in Iowa last week when state Democrats tried to integrate a smartphone app into the caucus process but didn’t do enough tech and security testing and ended up delaying results for days.
“I must tell you the Iowa [caucus] debacle comes to mind when I think of the census going digital,” Eleanor Holmes Norton, a nonvoting Democratic delegate who represents the District of Columbia said before asking about the bureau’s plans “in the event the systems experience some kind of attack or disaster.”
Democrats on the committee also slammed the Republican National Committee for sending out a fundraising mailer last year that looked like an official census form, charging the committee was damaging the census’s credibility.
“This is an abuse. We’ve been writing Facebook and Twitter and every other social media urging them to be careful about deceptive documents that could be put on the Internet that could be confusing to people … Then you find out a congressional party is sending out deceptive information,” said Maloney, who sponsored a 2010 bill aimed at stopping phony census forms.
She pledged to introduce a successor bill that would impose criminal penalties for mimicking census forms.
Census Director Steven Dillingham assured Norton that “we’ve worked with the best minds in the private industry and the best in the intelligence community and our systems are monitored 24/7.” The bureau declined, however, to tell me who its officials had consulted in private industry, citing security concerns.
The bureau is also guarding against a cyberattack by storing census data in multiple place in computer clouds, Albert Fontenot Jr., the bureau’s associate director, testified. “At worst case, we would send someone out to re-collect that data,” he said.
The bureau is also constantly monitoring social media sites for disinformation about the census or census-related scams aimed at stealing people’s personal information, Dillingham said. And it has a fast track to alert social media companies when it finds phony stories, he said.
Marinos credited the bureau for making hundreds of tech and cybersecurity fixes over the past several years and for developing strong ties to the Department of Homeland Security’s cybersecurity division, which is helping the bureau monitor for hacking threats and will help secure census operations if requested.
He warned, however, that the bureau must move faster to make the remaining fixes — ideally before it begins collecting Internet responses to census questionnaires next month.
“We’re dealing with cyberthreats on a constant basis against federal agencies and the Census Bureau is no exception,” he said.
'I Voted' stickers are seen on Election Day. (Katherine Taylor/EPE-EFE/Shutterstock)
“An analogy I heard a lot on the campaign is it's building the plane while it's in the air,” Baccio said. “I think any kind of wide-scale security coordination or security culture is difficult to do in a campaign environment.”
Baccio left the Buttigieg campaign in January. He spoke with researcher Tonya Riley in his first interview since joining Splunk, a data and security software company that works with several state, local and national governments on election security, as a cybersecurity adviser. Baccio was the first known CISO for a presidential campaign this cycle, part of a surge of attention on campaign security after 2016 when Russia hacked the Hillary Clinton campaign and selectively leaked emails to damage her candidacy.
In the future, Baccio said, he hopes government considers mandating that campaigns meet some of the same cybersecurity standards that are imposed on federal agencies.
“I think that there should be standards to follow just like every other public-sector agency or department out there,” he said. “I know campaigns don't fall under that umbrella, but I think it gives serious question as to why they don't.”
He also praised programs such as DigiDems and Defending Digital Campaigns, which are helping campaigns with cybersecurity protections at little to no cost.
At Splunk, Baccio will help government and other public-sector clients address cybersecurity compliance issues and improve their “cybersecurity culture,” he said.
Iowa Democratic Party Chair Troy Price. (Brenna Norman/Reuters)
“As chair of this party, I am deeply sorry for what happened and bear the responsibility for any failures on behalf of the Iowa Democratic Party.” Price wrote in a letter. He said the failure of the reporting process was “simply unacceptable” but stressed that Iowa Democrats are "not the only party to blame.”
“We worked collaboratively with our partners, our vendors, and the DNC in this process, and I am confident the review will be able to determine exactly what went wrong, what went right, and how we can avoid this from ever happening again,” he wrote.
Members of Congress, however, are still clamoring for answers. Democrats and Republicans alike have criticized the Iowa party and the app maker Shadow Inc. for failing to adequately test the app before caucus day and declining offers from DHS to audit the technology for security concerns.
Both the DNC and Nevada Democrats dropped Shadow last week. Democrats are recounting votes from some Iowa districts.
President Trump speaks during a meeting with Ecuadoran President Lenin Moreno in the Oval Office on Wednesday. (Evan Vucci/AP)
Trump called the technology a “largely invisible utility” for key infrastructure including the electric grid, communications infrastructure, mobile devices, and transportation. “Disruption or manipulation of these services has the potential to adversely affect the national and economic security of the United States,” he said.
The order requires the Commerce Department to develop profiles of critical services that are dependent on GPS and other location services, and detect possible risks. DHS will then be tasked with developing a plan to test those and ensure their security.