Does the 2020 Online Census Account for Security Risk?
Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.
For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.
This year's census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; its 2018 test indicated 61% of those who responded on their own did so online.
People can fill out the Web form with a census ID they should receive in the mail. However, they don't have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.
The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. "The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away," he explained. The ability to respond via Internet or phone means "people can reply almost anywhere, at any time."
A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix "fundamental cloud security deficiencies" in order to better secure the 2020 census. An audit of the Census Bureau's cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.
One month before the 2020 census began, it was on the GAO's "High Risk" list. A February 2020 report found "the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns." It had made progress, the GAO noted, but more work remained.
"When I see things like the census going online, my initial reaction is there is room for threat," says Jason Truppi, co-founder of Shift State Security. But this doesn't mean it's a bad decision, he adds: "I think more and more people might prefer now, and into the future, that it would be only online and not mail-based." Still, he continues, the census will inherit more risks by going on the Web, and the census has ordered millions of extra paper forms in case people can't respond online.
This is the government's best and only ability to collect population data without legal process, and it says it's ready to bring things online. It will reportedly encrypt responses to keep them confidential and it's blocking foreign IP addresses and bots from entering data. Still, experts worry. How could digitizing the census put data at risk, and how might a compromise look?
Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.
As such, it's an appealing target for adversaries.
There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. "In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process," says Steve Moore, chief security strategist at Exabeam.
Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. "I would spend my effort on the low-hanging fruit, as a hacker," Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.
"Intelligence gathering and disruption are some of the main motivations for nation-state threat actors," says Kacey Clark, threat researcher at Digital Shadows. "These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons."
A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates about 120,000 people can try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could seek to manipulate data that has already been entered by breaking into the infrastructure.
(Continued on next page)
In another scenario, an attacker may inundate the census site with fake accounts and data to influence results. Exabeam's Moore notes this is less likely, unless a significant amount of data is entered.
"You would want to look for things that move the needle greatly," he explains. This might include peaks or changes in rapid volume, which might prompt questions like: Where is the volume coming from? Are submissions coming from the same, or similar, IP address? At what time of day? Is there a strange number of people being added per household, per day?
Attackers who don't interfere with the website or data may leverage the census in phishing and disinformation campaigns. "As phishing attacks are the most common threat vector for compromise, it is possible that adversaries will send phishing emails to target US residents," Digital Shadows' Clark says.
As they often do with major events, attackers could trick victims into clicking links or downloading malicious attachments that promise information related to the 2020 census. The Bureau has been taking steps to fight disinformation affecting this year's population count.
Census in the Time of COVID-19: A Broader Scope of Risk
Compounding these security concerns is the heavy reliance on technology and stay-at-home mandates to prevent the spread of coronavirus. If census field workers can't collect data in-person, could it exacerbate the risk to data collection?
This spring, the Census Bureau planned to hire between 300,000 to 500,000 temporary workers to conduct nonresponse follow-up and other field operations, Dillingham said. On March 18, it announced it would suspend field operations until April 1 to help slow the spread of coronavirus and evaluate operations to avoid putting workers or the public at risk. Ten days later, the Bureau confirmed suspension of field operations for two more weeks, until April 15.
Field workers handle face-to-face encounters to collect data from people who don't respond in other manners – in particular, marginalized populations: people who can't get mail, the homeless, and people who live in remote locations. It remains to be seen how the Census Bureau plans to reach these populations without field workers to contact them in person.
As the census is forced to heavily rely on Internet, phone, and mail responses, the threats shift, Clark says. "When census employees go door-to-door, they can more easily validate that the person is who they say they are, but the barrier between census employees and computers or mobile devices introduces the need for advanced authentication processes," she explains.
The IRS, for example, uses mortgage-based authentication to confirm identities with questions about mortgage payments or car purchases. It's a useful method but also flawed, she adds. Some of these questions can be answered with simple open source data collection methods.
Depending on Internet responses means depending on the security of devices people use to enter them. The census can take steps to strengthen the integrity of field workers' mobile devices, and its employees can be trained to spot rogue Wi-Fi networks and avoid malicious emails, explains Bob Stevens, vice president of the Americas at mobile security firm Lookout. The problem is, the Census Bureau can't train all Americans to avoid the same everyday security risks.
"The census is focused on ensuring the data they collect is secure once they collect it," says Stevens. "[It's] not as focused on ensuring the data or people entering it are secure when they do the survey." Cybercriminals who learn of the reliance on digital responses could launch phishing attacks with fake census applications or links to get people to download malware.
Looking Ahead: Government Interactions Go Digital
The census is one of many government processes going digital. As people more heavily depend on technology, especially now, it will influence the way we continue to interact in the future.
"The world as we know it has definitely changed," Stevens says. "And a lot of it will be permanent. I think most of us agree to that." People and businesses that never thought they could telework are learning they can and relying on digital communications to do it. Some government processes, like paying taxes and renewing driver's licenses, have long been digital.
This is the "new norm" for interfacing with the government, says The Shift State's Truppi, and the shift demands a set of standards are put in place to ensure people and their information are protected. As more of these government interactions are moved online, it could expand the attack surface.
There are already discussions around how lessons from the 2020 census can be applied to the presidential election, says Moore, who notes that getting the census right could inform how the government collects data in the future. "We have to have not only adequate representation, but participation in this," he says. "Do we get an accurate account? Do we participate?"
The way the census unfolds will carry implications for a range of future government activities.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024