Census Gambles on Shorter Cybersecurity Testing for 2020 Count

The Census Bureau is behind schedule building and testing the technology it needs to count the population in 2020, and experts worry rushing the rollout of those IT systems will leave their cybersecurity below par.

The Government Accountability Office reports the bureau has fully tested only eight of the 44 IT systems involved in its 2018 end-to-end test, the last trial run for the decennial count. The congressional watchdog also found 14 of the 44 technologies are still in the development stages, and four of those, including the fraud detection system, had no functionality as of April.

The bureau also cut two of the three planned sites for the end-to-end test citing budgetary concerns. The trial run, which ends April 2019, serves as “the last opportunity to demonstrate census technology and procedures across a range of geographic locations, housing types, and demographic groups,” said GAO, and “without sufficient testing, operational problems can go undiscovered and the opportunity to improve operations will be lost.”

On Tuesday, officials from GAO, Census and the Commerce Department addressed these and other concerns before the House Oversight Committee. The vast majority of the hearing revolved around a controversial citizenship question many fear could suppress responses in communities of color, but witnesses also reiterated the negative consequences of delayed IT testing.

In October, Commerce Secretary Wilbur Ross asked Congress for an extra $3 billion in funding for the 2020 count, with about half going to cover additional IT costs.

“Since Secretary Ross announced this cost increase, we have seen strengthened governance at both the department and the bureau,” said David Powner, director of IT issues at GAO, in his opening statement. “Although positive, we still see need for improvements in the executive level reports that go to commerce on systems and security readiness.”

Of particular concern to Powner is how Census will ensure the cybersecurity of their technology.

As it stands, the bureau’s chief information officer must conduct a security assessment of each of the 44 IT systems and sign off on them before they can be deployed. While Powner said it’s impossible to eliminate risk completely, the authorization process is intended to make sure each system hits a certain threshold of security.

So far, only six systems have been fully authorized, 32 must be reauthorized after the end-to-end test, and another six remain unauthorized, according to GAO. The bureau usually takes six to eight weeks to complete this process for each technology, but GAO found the delayed rollout is forcing IT experts to spend only five to eight days testing some systems.

As the 2020 count grows closer, Powner told Nextgov he questions whether the bureau will have “enough time to do the rigorous [cybersecurity] reviews” it needs to do and patch up the gaps it uncovers.

“If you have more time, you can probably close more vulnerability and gaps,” he said. “The question is are they going to do whatever is needed and is that enough? There’s a likelihood they accept more risk with that authorization if there’s less time.”

Powner said he’s “encouraged” by the bureau’s collaboration with the Homeland Security Department on penetration testing and other cybersecurity checks, “but we need more visibility into what they’re finding there.”