
Census Bureau's push for Internet data-gathering raises security concerns

In testimony before the House Committee on Oversight and Government Reform, the Government Accountability Office's Carol Cha Harris said the Census Bureau's plans to use the internet to conduct the 2020 census could leave people open to phishing and other cyber attacks.

The Census Bureau is working on a substantial redesign of the census, focusing on new technology the Bureau hopes will save nearly $5.2 billion.

A key component of the new technology will be a highly publicized promotional campaign to encourage citizens to complete their census forms online, either from a computer or mobile device.

The Bureau projects that up to 47 percent of the estimated 300 million potential census respondents will use the internet to complete their census forms.

According to Harris's prepared testimony, the Bureau's internet strategy "will likely increase the risk that cyber criminals will use phishing in an attempt to steal personal information."

Harris noted a report from a Bureau contractor, which warned "criminals may pretend to be a census worker caller, or website, to phish for personal information such as social security numbers and bank information."

Harris added that phishing attacks may not be limited to census respondents, stating that criminals could also target "census employees, including approximately 300,000 temporary employees."

According to Harris, the United States Computer Emergency Readiness Team (US-CERT) had identified "phishing campaigns targeting federal government agencies that are intended to install malware on government computer systems."

These malicious computer programs, Harris said, "could act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive personal information, or disrupt business operations."

Harris said that given the volume of personal information the census will gather and store, "it will be important for the bureau to ensure that only respondents and bureau officials are able to gain access to this information."

Harris also pointed out that the Census Bureau intends to give its nearly 300,000 in-person census takers mobile devices to collect information from people who do not respond to the initial survey on their own.

These hand-held devices, Harris said, have a number of "common vulnerabilities," including weak or non-existent passwords, and software that isn't updated with the latest security patches.

"Because of their small size and use outside an office setting," Harris added, "mobile devices are easier to misplace or steal, leaving their sensitive information at risk of unauthorized use or theft."

Harris said the government can work with manufacturers to create devices and software that meet government specifications, "limit storage on mobile devices, and ensure that all data on the device are cleared before the device is disposed of."

Harris also noted the Department of Homeland Security (DHS) and the Department of Commerce launched a national public awareness campaign on the need for people to keep their devices updated and secure in order to avoid identity theft.

The Census Bureau also intends to use cloud computing resources whenever possible to limit cost and increase efficiency.

But as Harris noted, such solutions, while they can lessen some security risks and allow for low-cost data recovery and storage, are not immune to criminals intent on stealing data.

Harris pointed to previous GAO studies, which urged federal agencies to specify that cloud computing contractors must implement an agency's security performance requirements for reliability, privacy and accessibility.

"Without these safeguards," Harris said, "computer systems and networks, as well as the critical operations and key infrastructures they support, may be lost, and information — including sensitive personal information — may be compromised, and the agency’s operations could be disrupted."

Harris also told the committee that the Census Bureau still hasn't made a decision on all the components it will use to conduct the census, including security and monitoring.

Harris noted the bureau also hasn't decided "whether it will develop a mobile application to enable respondents to submit their survey responses on their mobile devices, and is deciding how it plans to use cloud providers."

"As key design decisions are deferred and the time to make such decisions becomes more compressed," Harris said, "it is important that the bureau ensures that information security is adequately considered and assessed when making design decisions about the IT solutions and infrastructure to be used for the 2020 Census."

Census Bureau Director John H. Thompson told the committee he is "very confident in our ability to protect the information we collect and protect our information systems through our current cybersecurity policies and procedures."

"As we have reported to GAO," Thompson said, "our cybersecurity program already takes into consideration the information security challenges they mentioned in a recent draft report."