Does the 2020 Online Census Account for Security Risk?

Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.

In another scenario, an attacker may inundate the census site with fake accounts and data to influence results. Exabeam's Moore notes this is less likely, unless a significant amount of data is entered.

"You would want to look for things that move the needle greatly," he explains. This might include peaks or changes in rapid volume, which might prompt questions like: Where is the volume coming from? Are submissions coming from the same, or similar, IP address? At what time of day? Is there a strange number of people being added per household, per day? 

Attackers who don't interfere with the website or data may leverage the census in phishing and disinformation campaigns. "As phishing attacks are the most common threat vector for compromise, it is possible that adversaries will send phishing emails to target US residents," Digital Shadows' Clark says.

As they often do with major events, attackers could trick victims into clicking links or downloading malicious attachments that promise information related to the 2020 census. The Bureau has been taking steps to fight disinformation affecting this year's population count.

Census in the Time of COVID-19: A Broader Scope of Risk
Compounding these security concerns is the heavy reliance on technology and stay-at-home mandates to prevent the spread of coronavirus. If census field workers can't collect data in-person, could it exacerbate the risk to data collection? 

This spring, the Census Bureau planned to hire between 300,000 to 500,000 temporary workers to conduct nonresponse follow-up and other field operations, Dillingham said. On March 18, it announced it would suspend field operations until April 1 to help slow the spread of coronavirus and evaluate operations to avoid putting workers or the public at risk. Ten days later, the Bureau confirmed suspension of field operations for two more weeks, until April 15.

Field workers handle face-to-face encounters to collect data from people who don't respond in other manners – in particular, marginalized populations: people who can't get mail, the homeless, and people who live in remote locations. It remains to be seen how the Census Bureau plans to reach these populations without field workers to contact them in person.

As the census is forced to heavily rely on Internet, phone, and mail responses, the threats shift, Clark says. "When census employees go door-to-door, they can more easily validate that the person is who they say they are, but the barrier between census employees and computers or mobile devices introduces the need for advanced authentication processes," she explains.

The IRS, for example, uses mortgage-based authentication to confirm identities with questions about mortgage payments or car purchases. It's a useful method but also flawed, she adds. Some of these questions can be answered with simple open source data collection methods.

Depending on Internet responses means depending on the security of devices people use to enter them. The census can take steps to strengthen the integrity of field workers' mobile devices, and its employees can be trained to spot rogue Wi-Fi networks and avoid malicious emails, explains Bob Stevens, vice president of the Americas at mobile security firm Lookout. The problem is, the Census Bureau can't train all Americans to avoid the same everyday security risks. 

"The census is focused on ensuring the data they collect is secure once they collect it," says Stevens. "[It's] not as focused on ensuring the data or people entering it are secure when they do the survey." Cybercriminals who learn of the reliance on digital responses could launch phishing attacks with fake census applications or links to get people to download malware. 

Looking Ahead: Government Interactions Go Digital
The census is one of many government processes going digital. As people more heavily depend on technology, especially now, it will influence the way we continue to interact in the future.

"The world as we know it has definitely changed," Stevens says. "And a lot of it will be permanent. I think most of us agree to that." People and businesses that never thought they could telework are learning they can and relying on digital communications to do it. Some government processes, like paying taxes and renewing driver's licenses, have long been digital.

This is the "new norm" for interfacing with the government, says The Shift State's Truppi, and the shift demands a set of standards are put in place to ensure people and their information are protected. As more of these government interactions are moved online, it could expand the attack surface.

There are already discussions around how lessons from the 2020 census can be applied to the presidential election, says Moore, who notes that getting the census right could inform how the government collects data in the future. "We have to have not only adequate representation, but participation in this," he says. "Do we get an accurate account? Do we participate?"

The way the census unfolds will carry implications for a range of future government activities. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading