Securing the 2000 Census

On a hilltop in Bowie, Md., overlooking the traffic flowing down Route 50,

the Census Bureau's glass building that houses its central computer system

nearly blends into the horizon. Except for an eight-foot metal fence

built only the week before census forms were mailed out on March 13, it

looks like there is very little security. Don't be deceived.

Just as the 2000 census is the first fully automated head count of the

U.S. population, the bureau's data system is protected by the most highly

sophisticated technology ever used to secure a decennial count.

The computer center houses Digital Equipment Corp.'s GS 60 computers,

which edit the data; IBM Corp.'s RS/6000 computers, which house the data;

and Novell Corp.'s NetWare 4.11, the network operating system. The system

is driven by Lockheed Martin Corp.'s DCS 2000, the data capture system that

scans the data into systems at four regional centers and delivers it to

the computer center.

The statistics and individual data in the system are a treasure trove,

harvested by government agencies, companies and universities for research

and marketing that will affect trillions of dollars in government programs

and commerce each year. In short, the systems hold information that is a

hacker's dream.

Census Bureau officials said they believe they have taken every precaution

to secure their networks. The agency erected firewalls to protect the 2000

census data and does not allow e-mail to enter servers that handle census

information. The bureau also does not allow any outside computer to dial

up the census computer in the building.

To check how secure its networks are, the bureau called in the National

Security Agency to check out the security system and make sure it could

not be penetrated. Census also hired Science Applications International

Corp. (SAIC) to try to break into the Internet site where census respondents

are filing online.

"The initial penetration [attempt] will be from the external side, and

then from the internal side," said Tim Ruland, the chief census information

technology security officer. "I am very confident that the system is secure

as it can be and won't be compromised."

Census is well aware that hackers repeatedly try to break into its systems,

just as hackers attempt to crack other federal agencies.

The Justice Department reported that the number of hacking cases nearly

doubled last year, reaching 1,154, up from 547 in 1998. And the Defense

Department has said it has experienced tens of thousands of hacker attacks.

This month alone, the Army has reported nearly 4,000 attacks against its

systems. The Computer Emergency Response Team at Carnegie Mellon University

reports a 121 percent increase in computer intrusion incidents between 1998

and 1999.

Cyberattacks against the Census Bureau have failed so far. "We've been

looking for mischief, believe me," said J. Gary Doyle, who is responsible

for systems integration at the Census Bureau. "We haven't seen anything

yet."

What's at stake for the Census Bureau's automated head count goes well

beyond the agency. Because of the complexity and risk involved in automating

the 2000 census, with all of its private data, the effort is seen as a key

test case for digital government as a whole on how to keep intruders out,

said Doug Sabo, security expert at the Information Technology Association

of America.

"It is a big test," he said. "To some extent, government needs to get

its feet wet."

Protecting the Count

Well aware that the census asks delicate questions and that people are

worried about their privacy, Census Director Kenneth Prewitt has repeatedly

assured the public that no one — except the Census Bureau — has access to

the data.

"There is an absolute firewall between a statistical operation and enforcement,"

he said at a recent press conference. "No court of law, not even the president

of the United States, can find out your answer."

For many security experts, Census' security measures, especially hiring

an outside firm to hack its computers, is a good sign that the bureau is

taking security seriously.

Jack Brock, director of governmentwide and defense information systems

at the General Accounting Office, said it is not unusual for federal agencies

to test their own systems by bringing in outside firms to check them out

and by asking NSA to check their security capacities.

"The fact that Census is engaged in such tests is a positive sign,"

Brock said.

To make sure the information is protected, the data is encrypted from

the moment it leaves one of four data capture centers via a T-1 or T-3 line

to the moment it arrives at the computer center in Bowie, where the numbers

are crunched and massaged. Encrypted again, it is sent on to Census headquarters

in Suitland, Md., where the numbers are analyzed.

"If you saw it streaming down the line, you wouldn't know what it was,"

said Dominick L. Wisniewski, assistant division chief of operations at the

center in Bowie. "Unless you had the scheme, you can't get any useful information."

Faced with new technology and new problems, the Census Bureau has proceeded

cautiously through the web of change. For example, although the Internet

is increasing in popularity, Census opted to make it possible to file a

census form over the Internet but did not advertise the availability of

that method.

"This is a whole new technology," said the Census Bureau's Doyle. "We

know mail-out, mail-back does fine. We were very conservative and cautious

in how we dealt with public data, and we're always concerned about security.

We expect the next census will have more use of the Internet."

The system is on alert in other ways, too. If someone attempts to return

a questionnaire by mail and then file another one online, the computer will

know it. If someone tries to file online more than once, it will know that,

too, and discount the information.

"We have a way of unduplicating," Doyle said.

Such plans have paid off. Private security experts give Census high

grades for the steps taken to protect the system.

Howard Schmidt, Microsoft Corp.'s chief information security officer,

said it appears that Census is doing everything right by hiring their own

trusted source to try to break their system. And their other security efforts

have worked, too.

"It sounds pretty robust," he said. "It takes constant vigilance."

Congressional oversight committees are watching carefully to make sure

there are no security problems with the head count. Chip Walker, spokesman

for the House Government Reform Census Subcommittee, said Census officials

have assured Congress that the system is secure. So far, nothing remiss

has been reported.

But others warn that Census officials should not be too confident their

data is safe. "Anyone who says all data is secure is fooling themselves,"

said Rick Lane, director of e-commerce and Internet technology at the U.S.

Chamber of Commerce. "There is no such thing as a fully secure system."

Security Isn't Just "Cyber'

To make sure data is not lost, three copies of every tape are made.

One copy is trucked each week — in an escorted, but unarmed, convoy — to

Census headquarters in Suitland and placed in a vault for safekeeping.

Two other copies are kept in a tape vault at the center, which was built

with a fail-safe equipment system.

There are two air-conditioning systems, in case one fails. The air is

kept at a cool 68 degrees at all times to protect the computers. Eight generators

provide emergency backup power, in the event of a blackout.

"When we back up a system, we back up a system," said a top systems

official at the computer center.

In the event of fire, the floors at the computer center have been built

four feet above the subfloor so water can drain and not ruin the computer

hardware.

Eighteen cameras are mounted around the building, and guards watch for

problems or unusual activity 24 hours a day via indoor monitors.

There is a sophisticated smoke detector system as well as closed-circuit

TV and a badge access system to get a visitor past the front door. If you

are not supposed to be there, you won't be.

Keeping Constant Watch

The components of a successful operation, experts say, include properly

training employees to handle the data.

"One of the key things we do is employee training, because...really

the easiest way to lose data is someone being careless with the data," said

George Alfs, spokesman for Intel Corp., the California-based high-tech company.

Census has gone a step farther in hiring both temporary and permanent

employees. Every worker must undergo a background and fingerprint check

before they are hired.

The second important procedure is to close down the pipeline between

the source of the information and destination. By using encryption techniques

and providing dedicated telephone lines, Census appears to have done that,

according to security experts.

And the third is to make sure hardware systems, such as processors and

other key pieces of equipment, are secure.

"Census is using all of the proper security practices," said Richard

Smith, vice president of federal operations at Internet Security Systems.

"I would guess the likelihood of someone getting in is small."

But the challenge of protecting the system is always there.

"Every day, people are scanning our ports. It's not just our site. It's

any site," Doyle said. "The most persistent ones are the ones we watch.