Oversight Lawmakers Demand Overdue Data Security Plan from Census

For the first time in 2020, the federal government will allow millions of American households to fill out census forms using the internet. It’s part of the U.S. Census Bureau’s grand plan to leverage technology in a bid to shave billions off the price tag for the decennial count.

But even as the Government Accountability Office has listed cybersecurity as a “critical” challenge for the effort, bureau officials are nearly six months late in delivering a congressionally mandated report on data security procedures at the bureau.

The report appeared to have fallen almost entirely off the bureau’s radar until officials were prodded about it by members of the House Oversight and Government Reform Committee last week.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

In a June 14 letter to Commerce Secretary Penny Pritzker, the two top members of the oversight committee call the missed deadline “problematic,” pressed the bureau to deliver the report by the end of the month and asked agency officials to hand over all documents and communications relating to the drafting of the report.

“Many federal agencies store Americans’ personally identifiable information (PII), but few if any agencies store more such data than the Census Bureau,” wrote Reps. Jason Chaffetz, R-Utah, and Elijah Cummings, D-Md.

In the letter, Chaffetz and Cummings called Census a “prime target” for hackers, pointing to last year’s massive hack at the Office of Personnel Management, in which cyberintruders made off with background check data on more than 22 million federal employees and contractors.

Last fall, Congress mandated the report into Census’ data security practices be completed by Jan. 20. At an oversight hearing last week that examined the bureau’s plans for managing the rollout of the 2020 census, Chaffetz questioned agency officials about the status of the report.

Steve Cooper, the Commerce Department’s chief information officer, said he didn’t know why the report was late but that he took responsibility for the missed deadline.

“It is being completed as we speak,” he said. “It came to my attention more recently that we had missed the deadline. My staff is now working to complete that report.”

Cooper said he only became aware last month that the report was months behind schedule.

“It’s federal law,” Chaffetz said. “I don’t know how you miss things like that. It gives me no confidence when you come and testify and say, ‘Oh, but we’re going to get this census done on time, on budget.’”

In the letter, Chaffetz and Cummings sought Commerce Department communications between Pritzker and top agency officials about the data security report. The letter also seeks communications between Census officials and members of the bureau’s IT shop. The committee wants responses by June 28.

As part of its tech plans for the 2020 count, Census is planning for up to 55 percent of American households to complete questionnaires via the internet.

In a recent report, GAO warned of a possible rash of phishing attacks targeting both census respondents and employees.

A phishing attack on a Census worker “could act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive personal information, or disrupt business operations,” auditors concluded.

At the hearing last week, Chaffetz said he had “deep concerns” about the bureau’s internet-friendly plans.

Census has already fallen victim to two data breaches over the past year, one last July and another in February. Harry Lee, Census’ acting chief information officer, told lawmakers last week, the breaches were confined to external-facing websites. Some data that was already publicly available was exfiltrated, Lee said, but it was considered of “low sensitivity.”