Census Should Be More Transparent About Cyber Protections, Former Officials Say

The U.S. Census Bureau should detail for the American people how it will secure their information as it prepares to accept online questionnaires for the first time during the 2020 decennial survey, former top government cyber officials said Monday.

That should include technical details about how the bureau will encrypt questionnaires and whether it will encrypt them both in transit and once they’ve arrived in government computer networks, the former officials said in a letter organized by a division of Georgetown University’s Law Center.

The bureau should also say whether it will require two-factor authentication—such as a password and a thumbprint or a unique code texted to a smartphone—before workers access those questionnaires, according to the letter.

Technical transparency about the bureau’s cyber protections will allow outside cyber experts to vet the protections and raise concerns, the letter states.

If the bureau isn’t willing to share those details, it should, at least, hire an independent cybersecurity firm to “conduct an end-to-end audit of current plans for data protection,” the former officials said.

“Our country’s elected representatives and, indeed, the American people deserve to understand the technical protocols and systems being utilized by the Census Bureau to ensure that the electronic collection and storage of information about millions of Americans will be handled as securely as possible,” the letter states.

The dozen letter signers include former White House Cybersecurity Coordinator Michael Daniel, former State Department Cyber Coordinator Chris Painter, former general counsel of the U.S. intelligence community Robert Litt, former Homeland Security Department policy official Paul Rosenzweig, and former FBI cyber lead James Trainor.

The letter was addressed to leaders of the Census Bureau and the Commerce Department, which houses the bureau. It was also cc’d to the chair and ranking members of the House Oversight Committee and the Senate Homeland Security Committee, which have some oversight responsibilities for cybersecurity.