Securing the 2000 Census
On a hilltop in Bowie, Md., overlooking the traffic flowing down Route 50, the Census Bureau's glass building that houses its central computer system nearly blends into the horizon.
On a hilltop in Bowie, Md., overlooking the traffic flowing down Route 50,
the Census Bureau's glass building that houses its central computer system
nearly blends into the horizon. Except for an eight-foot metal fence
built only the week before census forms were mailed out on March 13, it
looks like there is very little security. Don't be deceived.
Just as the 2000 census is the first fully automated head count of the
U.S. population, the bureau's data system is protected by the most highly
sophisticated technology ever used to secure a decennial count.
The computer center houses Digital Equipment Corp.'s GS 60 computers,
which edit the data; IBM Corp.'s RS/6000 computers, which house the data;
and Novell Corp.'s NetWare 4.11, the network operating system. The system
is driven by Lockheed Martin Corp.'s DCS 2000, the data capture system that
scans the data into systems at four regional centers and delivers it to
the computer center.
The statistics and individual data in the system are a treasure trove,
harvested by government agencies, companies and universities for research
and marketing that will affect trillions of dollars in government programs
and commerce each year. In short, the systems hold information that is a
hacker's dream.
Census Bureau officials said they believe they have taken every precaution
to secure their networks. The agency erected firewalls to protect the 2000
census data and does not allow e-mail to enter servers that handle census
information. The bureau also does not allow any outside computer to dial
up the census computer in the building.
To check how secure its networks are, the bureau called in the National
Security Agency to check out the security system and make sure it could
not be penetrated. Census also hired Science Applications International
Corp. (SAIC) to try to break into the Internet site where census respondents
are filing online.
"The initial penetration [attempt] will be from the external side, and
then from the internal side," said Tim Ruland, the chief census information
technology security officer. "I am very confident that the system is secure
as it can be and won't be compromised."
Census is well aware that hackers repeatedly try to break into its systems,
just as hackers attempt to crack other federal agencies.
The Justice Department reported that the number of hacking cases nearly
doubled last year, reaching 1,154, up from 547 in 1998. And the Defense
Department has said it has experienced tens of thousands of hacker attacks.
This month alone, the Army has reported nearly 4,000 attacks against its
systems. The Computer Emergency Response Team at Carnegie Mellon University
reports a 121 percent increase in computer intrusion incidents between 1998
and 1999.
Cyberattacks against the Census Bureau have failed so far. "We've been
looking for mischief, believe me," said J. Gary Doyle, who is responsible
for systems integration at the Census Bureau. "We haven't seen anything
yet."
What's at stake for the Census Bureau's automated head count goes well
beyond the agency. Because of the complexity and risk involved in automating
the 2000 census, with all of its private data, the effort is seen as a key
test case for digital government as a whole on how to keep intruders out,
said Doug Sabo, security expert at the Information Technology Association
of America.
"It is a big test," he said. "To some extent, government needs to get
its feet wet."
Protecting the Count
Well aware that the census asks delicate questions and that people are
worried about their privacy, Census Director Kenneth Prewitt has repeatedly
assured the public that no one — except the Census Bureau — has access to
the data.
"There is an absolute firewall between a statistical operation and enforcement,"
he said at a recent press conference. "No court of law, not even the president
of the United States, can find out your answer."
For many security experts, Census' security measures, especially hiring
an outside firm to hack its computers, is a good sign that the bureau is
taking security seriously.
Jack Brock, director of governmentwide and defense information systems
at the General Accounting Office, said it is not unusual for federal agencies
to test their own systems by bringing in outside firms to check them out
and by asking NSA to check their security capacities.
"The fact that Census is engaged in such tests is a positive sign,"
Brock said.
To make sure the information is protected, the data is encrypted from
the moment it leaves one of four data capture centers via a T-1 or T-3 line
to the moment it arrives at the computer center in Bowie, where the numbers
are crunched and massaged. Encrypted again, it is sent on to Census headquarters
in Suitland, Md., where the numbers are analyzed.
"If you saw it streaming down the line, you wouldn't know what it was,"
said Dominick L. Wisniewski, assistant division chief of operations at the
center in Bowie. "Unless you had the scheme, you can't get any useful information."
Faced with new technology and new problems, the Census Bureau has proceeded
cautiously through the web of change. For example, although the Internet
is increasing in popularity, Census opted to make it possible to file a
census form over the Internet but did not advertise the availability of
that method.
"This is a whole new technology," said the Census Bureau's Doyle. "We
know mail-out, mail-back does fine. We were very conservative and cautious
in how we dealt with public data, and we're always concerned about security.
We expect the next census will have more use of the Internet."
The system is on alert in other ways, too. If someone attempts to return
a questionnaire by mail and then file another one online, the computer will
know it. If someone tries to file online more than once, it will know that,
too, and discount the information.
"We have a way of unduplicating," Doyle said.
Such plans have paid off. Private security experts give Census high
grades for the steps taken to protect the system.
Howard Schmidt, Microsoft Corp.'s chief information security officer,
said it appears that Census is doing everything right by hiring their own
trusted source to try to break their system. And their other security efforts
have worked, too.
"It sounds pretty robust," he said. "It takes constant vigilance."
Congressional oversight committees are watching carefully to make sure
there are no security problems with the head count. Chip Walker, spokesman
for the House Government Reform Census Subcommittee, said Census officials
have assured Congress that the system is secure. So far, nothing remiss
has been reported.
But others warn that Census officials should not be too confident their
data is safe. "Anyone who says all data is secure is fooling themselves,"
said Rick Lane, director of e-commerce and Internet technology at the U.S.
Chamber of Commerce. "There is no such thing as a fully secure system."
Security Isn't Just "Cyber'
To make sure data is not lost, three copies of every tape are made.
One copy is trucked each week — in an escorted, but unarmed, convoy — to
Census headquarters in Suitland and placed in a vault for safekeeping.
Two other copies are kept in a tape vault at the center, which was built
with a fail-safe equipment system.
There are two air-conditioning systems, in case one fails. The air is
kept at a cool 68 degrees at all times to protect the computers. Eight generators
provide emergency backup power, in the event of a blackout.
"When we back up a system, we back up a system," said a top systems
official at the computer center.
In the event of fire, the floors at the computer center have been built
four feet above the subfloor so water can drain and not ruin the computer
hardware.
Eighteen cameras are mounted around the building, and guards watch for
problems or unusual activity 24 hours a day via indoor monitors.
There is a sophisticated smoke detector system as well as closed-circuit
TV and a badge access system to get a visitor past the front door. If you
are not supposed to be there, you won't be.
Keeping Constant Watch
The components of a successful operation, experts say, include properly
training employees to handle the data.
"One of the key things we do is employee training, because...really
the easiest way to lose data is someone being careless with the data," said
George Alfs, spokesman for Intel Corp., the California-based high-tech company.
Census has gone a step farther in hiring both temporary and permanent
employees. Every worker must undergo a background and fingerprint check
before they are hired.
The second important procedure is to close down the pipeline between
the source of the information and destination. By using encryption techniques
and providing dedicated telephone lines, Census appears to have done that,
according to security experts.
And the third is to make sure hardware systems, such as processors and
other key pieces of equipment, are secure.
"Census is using all of the proper security practices," said Richard
Smith, vice president of federal operations at Internet Security Systems.
"I would guess the likelihood of someone getting in is small."
But the challenge of protecting the system is always there.
"Every day, people are scanning our ports. It's not just our site. It's
any site," Doyle said. "The most persistent ones are the ones we watch.
NEXT STORY: AMS hooks up with govWorks