GAO Flags New Cybersecurity Issues for Upcoming Census

The Government Accountability Office made two new recommendations to improve the Census Bureau’s cybersecurity efforts in a testimony released this week.

To conduct the 2020 Decennial Census, the bureau will collect sensitive insights about more than 100 million American households including birth dates, marital status, people’s living situations, ages and other data that’s considered personally identifiable information. For the first time ever, the bureau will enable the public to respond to the census via the internet and field-based enumerators to use mobile device applications to survey households—both efforts increase the risk of that private information being digitally hacked.  

To protect from impending threats, GAO said the bureau should “better ensure that cybersecurity weaknesses are addressed within prescribed time frames” and “improve its process for addressing cybersecurity weaknesses identified by [the Homeland Security Department].”

The testimony demonstrates why the 2020 Census has remained on GAO’s high risk list since 2017 and highlights new takeaways from GAO’s examination around the status of cybersecurity risks that threaten well-run enumeration.

The bureau conducts a security assessment of the systems to be used in the Census and determines corrective actions to mitigate deficiencies. GAO said 500 corrective actions needed to be addressed as of March. The agency also noted that 250 of those were labeled “high risk” or “very high risk” and 70 were delayed for more than 60 days.

Homeland Security has been collaborating with the bureau for the last two years to help sustain a scalable and secure network connection for Census respondents and strengthen responses to cyber threats. As a result, the department offered the bureau 17 recommendations to improve its posture against the risks. As of February, Census had completed three of the recommended actions.

The bureau will utilize 52 new and legacy IT systems to complete the Census. GAO said 32 systems may need to be reauthorized ahead of the Census and six systems presently do not have authorization to operate.

GAO also laid out other cyber-related challenges related including phishing and disinformation on social media, ensuring adequate control in a cloud environment—cloud solutions will be a key component of Census IT infrastructure—and putting contingency and incident response plans are in place to encompass all IT systems that will be utilized.

The testimony further warns that the compressed time frame for development and testing of the systems leaves almost no room for any delays in the process and recommends that the bureau quickly finalize all plans related to its IT infrastructure.

The 2020 Census has been on GAO’s high risk list since 2017. As of April, the bureau implemented 72 of the 97 recommendations the agency has made. The two cyber recommendations are the latest on the list.

At a hearing about the testimony, GAO’s director of IT and cybersecurity elaborated on the vulnerabilities that could put Americans’ data at risk during the Census. During the entire two-hour panel, Congress-members did not ask a single question about the cybersecurity weaknesses.