Why the government needs to pay attention to census cybersecurity

Malicious foreign attackers interfered in the Australian census three years ago, forcing a system shutdown during prime time for respondents to “ensure the integrity of the data.” The attack cost some $30 million in taxpayer money, caused a big embarrassment for the government, and provided fodder for those who had criticized the census all along.

The United States will conduct its own census next year. Imagine that in early 2020, rumors start to emerge on social media that the census in the United States is a political conspiracy of the Washington elite to control the population. Imagine that when the census takes place, devices used to collect the data stop functioning, data gets leaked, or the data itself gets manipulated. With American society on edge ahead of the 2020 election, such scenarios could have devastating consequences for the census as an institution. The federal government must make protecting the census from cyberattacks a top priority. Senior officials have at times highlighted the topic but preparations are still behind schedule.

ADVERTISEMENT

The Government Accountability Office warned in its new high risk report that the current 2020 census schedule “lacks a risk assessment” and that 21 of 44 positions remain vacant in the office overseeing the $886 million contract for integrating the information technology systems needed to conduct the 2020 census. Moreover, “nearly 1,100 system security weaknesses” still need to be addressed. It outlines priorities from filling the vacant positions to addressing “cybersecurity weaknesses in a timely manner and ensure that risks are at an acceptable level before systems are deployed.” It echoes concerns voiced by other experts.

The census is required by the Constitution and is critical data for economic policy, health care, representation, and more. For example, census data is used to apportion congressional districts that accurately represent rising and falling state populations. It is also used for allocating federal funding across a wide variety of programs. Census data is not just important to government. Census data is publicly available information that is used by private sector companies as they consider investment opportunities and try to grow their businesses. Time is quickly running out so the federal government and the private sector must take these six actions now to mitigate the multiple risks to the decennial census.

First, the federal government should launch a “hiring sprint” to make resources available to fill vacant positions not only at the Census Bureau but the other agencies whose work supports preparing the 2020 census. Such personnel and their activities across agencies should be considered “essential” so they will not be affected by future government shutdowns. Every week matters to prepare and this cannot be neglected again.

Second, there must be a comprehensive plan in place to test information technology systems and to conduct exercises at a reasonable scale. The 2020 census is a gargantuan modernization exercise and information technology upgrade. Even without any interference, such information technology upgrades are prone to accidental failures and disruptions.

Third, the federal government should have an interagency incident response plan in place that includes the national security community to be ready in case any interference does occur. Interference may not only be direct cyberattacks but malign actors seizing the opportunity of any systems malfunction to undermine trust with social media campaigns.

Fourth, technology companies should be prepared that their platforms may be used to interfere in the 2020 census in ways similar to the 2016 election. They have taken important steps in the past two years, especially ahead of the 2018 midterms, and now in the run up to the 2020 election to avoid a similar outcome. Technology companies should treat any potential interference in the 2020 census with similarly grave concern.

Fifth, the federal government should make clear that it will not accept any interference in the census process. Such a declaratory statement by the top levels of the administration will be a clear warning to deter potential attackers. It would emulate similar statements issued ahead of the 2018 midterms, except in this case trying to prevent interference in the first place rather than avoid a repeat. The administration must be prepared to make good on these threats should an attack come from any adversary.

Finally, the United States should take a leadership role at the upcoming two processes at the United Nations focusing on cyber norms. Protecting the integrity of census data is in the common interest of all countries and provides an opportunity for international cooperation even with countries that are not like minded out of shared national security interest.

It be nice if after years of one surprise cyberattack after another, we could get ahead of the curve and ensure an attack will actually not happen.

Tim Maurer is a cybersecurity expert and a director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. He is the author of the book “Cyber Mercenaries: The State, Hackers, and Power.”