Does the 2020 Online Census Account for Security Risk?

Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.

For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.

This year's census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; the Bureau's 2018 test indicated that 61% of those who responded on their own did so online.

People can fill out the Web form with a census ID they should receive in the mail. However, they don't have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.

The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. "The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away," he explained. The ability to respond via Internet or phone means "people can reply almost anywhere, at any time."

A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix "fundamental cloud security deficiencies" in order to better secure the 2020 census. An audit of the Census Bureau's cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.
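The GAO finding above, unsecured root user keys in a GovCloud account (AWS GovCloud being the cloud platform in question), is the kind of deficiency an account owner can check for continuously rather than wait for an audit. The Python below is an added example, not code from the article, the GAO or the Census Bureau. It evaluates two real IAM data shapes: the CSV body that `get_credential_report()` returns and the `SummaryMap` that `get_account_summary()` returns. It flags active root access keys, a root user without MFA, and access keys older than a rotation baseline, and it cross-checks the two sources so a stale credential report does not hide a root key. The account ID, ARNs, user names and timestamps are constructed for the example, and the 90-day rotation limit is an assumed baseline value, not one the page states.

```python
"""Added example: offline audit of an AWS IAM credential report for root-key
and key-rotation deficiencies. The sample data below is constructed; the
column layout and SummaryMap keys match what IAM actually emits."""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"          # literal user name IAM uses for the root row
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"   # IAM timestamps, e.g. 2019-01-15T10:05:00+00:00

# Constructed credential report: root with an active, never-rotated key and no
# MFA; a service user with an old key; a human user with MFA and no keys.
SAMPLE_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws-us-gov:iam::123456789012:root,2019-01-15T10:00:00+00:00,not_supported,2020-03-01T12:00:00+00:00,not_supported,not_supported,false,true,2019-01-15T10:05:00+00:00,2020-02-20T08:00:00+00:00,us-gov-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws-us-gov:iam::123456789012:user/deploy-bot,2019-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T09:00:00+00:00,2020-03-10T11:00:00+00:00,us-gov-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws-us-gov:iam::123456789012:user/alice,2019-02-01T09:00:00+00:00,true,2020-03-11T09:00:00+00:00,2020-01-05T09:00:00+00:00,2020-04-05T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed SummaryMap subset, consistent with the report above.
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0}

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2020, 3, 15, tzinfo=timezone.utc)


def parse_credential_report(report_csv):
    """Turn the CSV body of get_credential_report() into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def _parse_time(value):
    """Unused timestamp columns hold N/A, no_information or not_supported."""
    try:
        return datetime.strptime(value, TIME_FORMAT)
    except ValueError:
        return None


def audit_account(report_csv, summary_map, now, max_key_age_days=90):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    root_has_key = False
    root_has_mfa = False
    for row in parse_credential_report(report_csv):
        user = row["user"]
        is_root = user == ROOT_USER
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                root_has_key = True
                findings.append(f"root: access key {slot} is active (root should hold no keys)")
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append(f"{user}: access key {slot} last rotated {(now - rotated).days} days ago")
        if is_root:
            root_has_mfa = row["mfa_active"] == "true"
            if not root_has_mfa:
                findings.append("root: MFA is not enabled")
    # The credential report is generated on demand and can lag the live account;
    # the summary is live, so a disagreement means the report should be regenerated.
    if bool(summary_map.get("AccountAccessKeysPresent", 0)) != root_has_key:
        findings.append("summary/report disagree on root access keys; regenerate the credential report")
    if bool(summary_map.get("AccountMFAEnabled", 0)) != root_has_mfa:
        findings.append("summary/report disagree on root MFA; regenerate the credential report")
    return findings


def run_sample():
    """Audit the constructed account; used by the usage line below."""
    return audit_account(SAMPLE_CREDENTIAL_REPORT, SAMPLE_SUMMARY, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against live data, the two inputs come from `boto3.client("iam").get_credential_report()["Content"].decode()` (after `generate_credential_report()` reports `COMPLETE`) and `get_account_summary()["SummaryMap"]`; the audit logic itself needs no network access, which makes it easy to run in CI against exported reports.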

One month before the 2020 census began, it was on the GAO's "High Risk" list. A February 2020 report found "the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns." It had made progress, the GAO noted, but more work remained.

"When I see things like the census going online, my initial reaction is there is room for threat," says Jason Truppi, co-founder of Shift State Security. But this doesn't mean it's a bad decision, he adds: "I think more and more people might prefer now, and into the future, that it would be only online and not mail-based." Still, he continues, the census inherits more risk by going on the Web, and the Bureau has ordered millions of extra paper forms in case people can't respond online.

The census is the government's best and only means of collecting population data without legal process, and the Bureau says it's ready to bring it online. Responses will reportedly be encrypted to keep them confidential, and foreign IP addresses and bots are being blocked from entering data. Still, experts worry. How could digitizing the census put data at risk, and what might a compromise look like?

Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.

As such, it's an appealing target for adversaries.

There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. "In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process," says Steve Moore, chief security strategist at Exabeam.

Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. "I would spend my effort on the low-hanging fruit, as a hacker," Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

"Intelligence gathering and disruption are some of the main motivations for nation-state threat actors," says Kacey Clark, threat researcher at Digital Shadows. "These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons."

A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates that about 120,000 people may try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could also seek to manipulate data that has already been entered by breaking into the infrastructure.

(Continued on next page)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Reader comment, 4/2/2020 | 6:56:58 AM
The post hit some great points about the potential of risk.
The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

This is not all that true. It is true they collect addresses and demographics, but they also work with the other agencies to create a profile of the person, so the data that is provided is also cross-referenced against other data sets for verification. In short, they don't collect financial data, but it is matched against other sources to create a matrix of personal information (PII).

In addition, the Census Bureau was hacked, and a buddy of mine stated that they have numerous security holes that he himself expressed, but they did nothing about them. Another gentleman provided similar information; once he found out they did not listen to him or even threatened him, he left the office. He was a security savant and was not trusted when he brought information to their attention (2019).

Reference - https://www.consumeraffairs.com/news/yet-another-us-government-cybersecurity-breach-this-time-its-the-census-bureau-072415.html

Hackers stole massive amount of data from the US Census Bureau ...
Anonymous Hacks US Census Bureau Against TPP/TTIP (Security Affairs)

And by the way, they have been removing competent personnel from the various security teams. So if they get hit again, it won't be surprising, because the management staff has not been willing to listen to individuals who have a keen sense of cybersecurity operations; the disarray of their IT operations is almost a travesty.
