Census’ Cybersecurity Plan is Full of Holes, Watchdog Says


The 2020 Census will be a prime target for digital adversaries, but the plans for fighting those threats are incomplete and outdated, the Government Accountability Office found.

Federal auditors uncovered numerous holes in the Census Bureau’s plans for combating the significant cybersecurity and tech threats facing the 2020 count, which could leave officials struggling to respond to disruptions.

The Government Accountability Office found the bureau’s plan for mitigating cybersecurity risks during the 2020 Census left out many of the defensive tactics officials previously said they would use to defend IT systems from attack. For example, the initial plan included no information about how the bureau would gather threat intelligence from other federal agencies, something officials had long said they planned to do, auditors said in a report published Friday.

After GAO pointed out the omission, Census officials updated the plan to include threat sharing activities, but it remains “just one of several [cybersecurity] services” other agencies are expected to perform on the bureau’s behalf, auditors said.

“If the bureau’s plan for mitigating cybersecurity risks to the census omits such key activities, then the bureau is limited in its ability to track and assess those activities, and to hold individuals accountable for completing activities that could help manage cybersecurity risks,” they wrote.

While most of the attention on the 2020 Census has focused on the Trump administration’s controversial citizenship question, GAO officials and others have for years warned that tech and cyber issues could be one of the biggest obstacles to an accurate count. The upcoming decennial will mark the first time residents can submit responses over the internet, which makes it particularly susceptible to online attacks and misinformation.

The bureau fell far behind schedule on rolling out the various IT systems needed to conduct the decennial, and in the most recent report, auditors confirmed there remains lots of work to be done ahead of the 2020 count. As of February, the bureau was still in the process of developing 39 of the 52 IT systems needed for the decennial, and 43 of the systems still hadn’t fully completed testing, GAO said.

The bureau is also “relying heavily” on a single contractor, T-Rex Solutions, to integrate, test and scale up numerous tech operations for 2020, as well as address any potential IT problems that arise during the count. However, auditors found the bureau’s IT risk mitigation and contingency plans make no mention of “the integral role played by the contractor.”

“By largely omitting the role of the technical integration contractor from the mitigation and contingency plans for this risk, Bureau management is hampered in its ability to manage key contractor support and, therefore, to respond to and manage this risk,” they said.

GAO also found the cyber and IT risk management plans were not up to date and included no procedures for monitoring the effectiveness of the bureau’s response to threats. The cyber strategy also failed to put a single individual in charge of overseeing the plans, something that could ultimately prevent them from ever getting executed.

In addition to serving as a blueprint for combating threats as they arise, the bureau’s risk management plans also help officials better prioritize how they address those challenges, according to Nick Marinos, director of GAO’s IT and Cybersecurity team. And without a clear strategy, he said, the bureau might not make the best use of its limited resources.

“At the end of the day, the plan is also going to be a way to communicate to high level management, ‘here’s where we’re putting our priorities,’” Marinos said in a conversation with Nextgov. “If they have to make decisions about what to pursue first over something else, [and] the plan doesn’t have the reflection of where efforts are going, it’s going to be difficult to know the efforts are going to the right place.”

In the report, auditors also highlighted numerous other issues that could threaten the 2020 Census, including a 34% vacancy rate in the bureau’s IT program management office and inadequate plans for reporting fraud.

GAO officials determined many of the shortcomings in the bureau’s risk management strategy resulted from Census officials failing to hold staffers accountable for completing all their responsibilities. GAO made seven recommendations for improving the bureau’s risk management, and the Commerce Department said it would begin working to put them in place.

“The U.S. Census Bureau has a robust risk management process that has been in place throughout the decade that focuses on the key areas of vulnerability cited by GAO, including cybersecurity and the integration of the 52 IT systems necessary for the 2020 Census,” a Census spokesperson told Nextgov. “The Census Bureau will continue to align with best practices in the areas identified by GAO, particularly with respect to risk mitigation, contingency plans and documentation. We have increased our contract support for program management in the 2020 program, and will issue a revised risk management plan and supporting documents later in 2019.”

Editor's note: This story has been updated with comments from the Census Bureau.