Census Chief Assures Lawmakers IT and Cyber Risks are Under Control

The Census Bureau still faces a lengthy list of IT and cybersecurity risks less than a year before the 2020 count, but on Tuesday the agency’s chief told lawmakers that they have the situation under control.

“This is a mammoth operation ... there will be risk throughout the 2020 Census,” Director Steven Dillingham said before the Senate Homeland Security Committee. “We’re managing those risks and we’re making progress, and we’ll continue to make progress.”

His reassurance came as officials from the Government Accountability Office reiterated longstanding concerns that delayed IT rollouts, shortened security tests and opaque cyber patching processes could leave the decennial census vulnerable to system failures and digital attacks. The office has included the 2020 count on its list of high-risk government programs since 2017.

“I don’t think we’re looking at disaster but there’s still a lot of work [that] needs to be done going forward,” Robert Goldenkoff, director of GAO’s strategic issues office, said during the hearing.

For the last year, most discussions around the census focused on the Trump administration’s controversial citizenship question, but with the proposal now dead, policymakers are turning their attention to the actual implementation of the program.

During the hearing, GAO officials warned the bureau risks missing even more deadlines for rolling out dozens of IT systems that will support the 2020 count. The implementation schedule, which has already been compressed over the years, “leaves little room for any delays in completing the remaining development and testing activities,” officials wrote in a report accompanying their testimony.

Officials also haven’t completed security testing for many of those IT systems, according to Nick Marinos, director of GAO’s IT and cybersecurity team. While the bureau has authorized 37 of the 52 systems needed for the 2020 count, nine systems must have their security controls reassessed due to additional development work and another five have yet to receive their initial approval, he said. 

Officials still have months to complete the tests, Marinos said, but “we’re running short on time.” The bureau has also been slow to patch many of the riskiest vulnerabilities it uncovered in its systems, he said, which exacerbates the risk of malicious activity.

Officials are generally aware of the risks, Marinos said, but it’s important they prioritize the most critical fixes ahead of Census Day.

Since 2017, Census officials have worked with the Homeland Security Department to enhance the security of its tech infrastructure, and though Marinos commended the voluntary partnership, he said it’s often unclear how the bureau is addressing the department’s recommendations. Today, officials are working to create a formal process for tracking and implementing those cyber improvements.

The Census is also working with Homeland Security, the intelligence community and tech companies to combat foreign misinformation campaigns and other emerging threats that will inevitably face the 2020 count. Dillingham stressed the importance of communicating accurate information about the census process and how the data will be used, especially in the wake of the citizenship question controversy. Dillingham repeatedly stressed that census data can’t be used for any law enforcement purposes, but foreign actors will likely try to persuade underrepresented communities otherwise.

“Regretfully we’re in that age now where [misinformation] … is a potential vulnerability and a threat,” he said. “We’re planning for it, we’re thinking of ways to help prevent it.”