WASHINGTON—To fulfill an 18th century constitutional requirement, the Census Bureau is using 21st century tools – primarily online, but their ease of use and speed also create new risks to a 10-year counting that is used for everything from creating congressional districts to allocating federal funding.
“When I was there, I was, of course, worried about the cybersecurity because everybody had to be,” said John H. Thompson, director of the Census Bureau from August 2013 to June 2017. “I thought that the bureau was doing everything they should do and could do, but a lot has transpired since June of 2017.”
As of December 2018, the bureau had identified nearly 1,100 census system security weaknesses that needed to be addressed, according to a Government Accountability Office report.
The GAO report, released in March of 2019, found the bureau has not hired the adequate staff “to oversee the $886 million contract for integrating the Information Technology (IT) systems needed to conduct the 2020 Census.”
According to the report, as of November 2018, 21 of 44 positions in the government program management office responsible for integrating the IT systems were vacant.
Exacerbating the problem, Steven Dillingham only was sworn in as the Census Bureau’s director on Jan. 7, 2019, filling the position of permanent director after a nearly 18-month vacancy.
During the 2018 final test leading up to the 2020 census, the report found “the bureau’s data management reporting system did not always provide accurate information because of a software issue.”
With congressional and state legislative representation as well as federal funding reliant on the headcount in each state and locality, the accuracy, security and processes of the 2020 census are crucial.
“Any part of [the census] that is digitized is at risk,” said Paul Rosenzweig, a former Department of Homeland Security official and founder of homeland security consulting firm Red Branch Consulting.
In July 2018, Rosenzweig was one of 11 individuals, many of whom were former government officials in cybersecurity, who authored a letter to the Department of Commerce and Census Bureau, asking them to share how they would ensure the security of the census data.
The response was basically “trust us, don’t worry,” according to Rosenzweig.
Kevin Smith, the chief information officer for the bureau said in an August 2018 management review meeting, “It is not standard or best practice in security to share things like, ‘What are your solutions?’
“It’s kind of putting your playbook out there when you don’t want people to see the playbook.”
While past censuses involved workers walking around the entire country to confirm addresses, mailing paper questionnaires and using scanners to record census results, “we said we need to take the census process into the 21st century,” said Thompson, the former bureau chief who oversaw the developing and initial testing of many systems that will be used in next year’s census.
One of Thompson’s concerns is to avoid a repeat of the healthcare.gov rollout when the nascent healthcare site was overloaded and shut down temporarily almost immediately after its debut in 2013. Thompson also said he is concerned that foreign interests could try to interfere in the census.
“I would not be surprised if that there will be attempts to disrupt the census either through cyber-hacking or through disinformation campaigns like we saw in the last election,” he said.
In 2016, the Australian government shut down its online census website to protect the integrity of the data from a potential attack, according to a statement from Timothy Pilgrim, the Australian privacy commissioner.
The online nature of the 2020 census makes confirming the accuracy of U.S. census records more difficult, according to Rosenzweig.
“The lack of a hard copy backup makes it very difficult to determine whether or not the information you’re dealing with has been tampered with,” said Rosenzweig, adding that the decision to not have a backup saves money, but incorporates large amounts of risk.
“The democracy of the United States depends on having an accurate, well-thought-of census,” said Thompson.
With the census less than a year away, Thompson said everyone should be concerned about its security.
“You have to keep working very, very hard with people that are doing state-of-the-art cybersecurity to stay abreast of what’s going on,” said Thompson.