Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:10 AM
Connect Directly

Does the 2020 Online Census Account for Security Risk?

Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.

For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.

This year's census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; its 2018 test indicated 61% of those who responded on their own did so online. 

People can fill out the Web form with a census ID they should receive in the mail. However, they don't have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.

The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. "The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away," he explained. The ability to respond via Internet or phone means "people can reply almost anywhere, at any time."

A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix "fundamental cloud security deficiencies" in order to better secure the 2020 census. An audit of the Census Bureau's cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.

One month before the 2020 census began, it was on the GAO's "High Risk" list. A February 2020 report found "the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns." It had made progress, the GAO noted, but more work remained.

"When I see things like the census going online, my initial reaction is there is room for threat," says Jason Truppi, co-founder of Shift State Security. But this doesn't mean it's a bad decision, he adds: "I think more and more people might prefer now, and into the future, that it would be only online and not mail-based." Still, he continues, the census will inherit more risks by going on the Web, and the census has ordered millions of extra paper forms in case people can't respond online.

This is the government's best and only ability to collect population data without legal process, and it says it's ready to bring things online. It will reportedly encrypt responses to keep them confidential and it's blocking foreign IP addresses and bots from entering data. Still, experts worry. How could digitizing the census put data at risk, and how might a compromise look?

Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.

As such, it's an appealing target for adversaries.

There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. "In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process," says Steve Moore, chief security strategist at Exabeam.

Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. "I would spend my effort on the low-hanging fruit, as a hacker," Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

"Intelligence gathering and disruption are some of the main motivations for nation-state threat actors," says Kacey Clark, threat researcher at Digital Shadows. "These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons."

A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates about 120,000 people can try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could seek to manipulate data that has already been entered by breaking into the infrastructure.

(Continued on next page)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/2/2020 | 6:56:58 AM
The post hit some great points about the potential of risk.
The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

This is not all that true, it is true they collect addresses and demographics but they also work with the other agencies to create a profile of the person so the data that is provided is also cross-referenced against other data-sets for verification. In short, they don't collect financial data, but it is matched against other sources to create a maxtrix of personal information (PII).

In addition, the Census Bureau was hacked, and a buddy of mine stated that they have numerous security holes that he himself expressed but they did nothing about, another gentlemen provided similiar information, once he found out they did not listen to him or even threatened him, he left the office. He was a security sevant and was not trusted when he brought information to their attention (2019).

Refernce - https://www.consumeraffairs.com/news/yet-another-us-government-cybersecurity-breach-this-time-its-the-census-bureau-072415.html

Hackers stole massive amount of data from the US Census Bureau ...Anonymous Hacks US Census Bureau Against TPP/TTIPSecurity Affairs

And by the way, they have been removing compotent personnel from the various security teams. So if they get hit again, it won't be surprising because the management staff has not been willing to listen to individuals who have a keen sense of cybersecurity operations, it is almost a travesty of their disarray of IT operations.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.