Census Bureau runs drills with DHS to ‘stay ahead of cyber threats’

The Census Bureau is doubling down on its partnership with the Homeland Security Department to ensure it’s prepared for a wide range of cyber threats facing the 2020 population count.

Atri Kalluri, the chief of the Census’ Decennial Information Technology Division, said more than 100 officials across Census took part in a half-day exercise on Sept. 26,  led by DHS, to assess the agency’s ability to respond to “simulated scenarios that could happen during the 2020 census.”

“While there are continued efforts from our office of information security to educate our employees on cybersecurity threats and how to be cyber secure at work, we are also working with federal partners to test our systems, stay ahead of cyber threats and enhance our incident response capabilities,” Kalluri said Friday at a quarterly performance management review at the agency’s headquarters in Suitland, Maryland.

Earlier this year, DHS conducted penetration testing on the Census website, the iPhones enumerators will use when they go door-to-door to follow up with households and the agency’s trove of address canvassing data.

Advertisement

The Census has also partnered with the intelligence community to beef up its cybersecurity efforts.

Kalluri said the September drill gave the agency an “opportunity to assess our processes and procedures as well as our organizational coordination and communication.”

“As we look forward, we are preparing to conduct additional tabletop readiness exercises, as well as systems testing, to ensure the overall security of our systems and readiness to respond to any potential incident,” he said.

As Census looks to stand up the first census that households can respond to online, agency officials have provided periodic updates about steps taken to ensure data privacy.

Ron Jarmin, the agency’s acting director, wrote in a May blog post that all the data collected in the decennial count will remain confidential. Under federal law, improper disclosure of census information can lead to five year in prison and a $250,000 fine.

This summer, Kevin Smith, the Census Bureau’s chief information officer, gave an in-depth look at how the agency plans to defend against internal and external cyber threats.

Census rethinking ways to protect personal data

The Census Bureau also plans on taking a “fundamentally different approach” to prevent the improper disclosure of personal information in the 2020 population count.

Simson Garfinkle, a senior computer scientist for confidentiality and data access at the Census, said advances in computing power in the last decade have made it easier to unscramble the aggregated data the agency releases to the public.

Through a process called database reconstruction, Garfinkle said malicious users can take public-facing data and reverse engineer it to closely resemble the raw data collected from households.

“Those statistics are susceptible to database reconstruction, provided that you have a computer that is large enough and fast enough to crunch the numbers. In 2010, this was not a realistic threat, but today it is,” Garfinkle said

Garfinkle said the research of two mathematicians in 2003 showed “it is far harder to protect a statistical database than had previously been thought.”

In order to counteract those efforts, he said the agency will deploy “noise injection,” which makes it harder to reconstruct the original database.

“Any noise doesn’t make database reconstruction impossible. Instead, it makes it so that there’s no way to tell if the reconstructed database is correct or not,” Garfinkle said.

But how much noise is too much noise?

“If you add a little bit of noise, the results are still fairly accurate, but so is the reconstructed database,” Garfinkle said. “Of course, you could add a lot of noise, which would result in more privacy and less accuracy. Essentially, as you add more noise, you increase the number of possible reconstructions.”

Garfinkle explained that the agency has developed a “mathematical relationship” between noise added, privacy loss and data accuracy.

When the agency launched its Disclosure Avoidance System (DAS) project in 2017, there wasn’t a commercial off-the-shelf system designed to handle a national population count.

“We’ve been creating a modern disclosure avoidance system that drops into the census data processing pipeline. Ours will be the first such implementation in the world,” Garfinkle said.

In addition, the Census has reopened its notice for comment on how the public uses agency data.

In a notice published in the Federal Register on Oct. 9, the agency said it’s conducting a “comprehensive review of the decennial census data products in preparation for the 2020 Census.”

“Public feedback is essential for a complete review of the decennial census data products and will assist the Census Bureau in prioritizing products for the 2020 Census,” Jarmin wrote in the notice.

The comment period closes Nov. 8.