The Government Accountability Office has urged the Census Bureau to step up its efforts to implement hundreds of action items on its cybersecurity to-do list, as well as recommendations made by the Department of Homeland Security.
GAO, in a report released Tuesday, said the bureau still needs to address more than 500 cybersecurity vulnerabilities discovered during its security reviews, about half of which the bureau considers “high-risk” or “very high-risk.”
The watchdog office also recommends that Census develop a formal process for tracking and implementing the 17 cybersecurity recommendations the Department of Homeland Security has made to the Bureau over the past two years.
Nick Marinos, GAO’s director of information technology and cybersecurity, told members of the House Appropriations Subcommittee on Commerce, Justice, Science and Related Agencies that shoring up these vulnerabilities would reduce the Bureau’s overall risk of a data breach.
“The bottom line is that the security assessment efforts conducted by DHS and the Bureau itself will only be as valuable as the security fixes that the Bureau fully implements,” Marinos said on Tuesday.
Census Bureau Director Steven Dillingham told lawmakers that the organization reviews more than 100 of these critical tasks a week and color-codes them based on their priority.
“If it needs management attention, we put it in yellow, and if it’s more than nine days late … we put it in red to make sure we get the people and the resources assigned to that particular need,” Dillingham said.
To the Bureau’s credit, it’s completed work on three of DHS’s recommendations, but GAO in its report notes that the bureau created an “informal document” to track the DHS recommendations. But it didn’t consistently include details such as “the resources required, expected completion date, or whether the recommendations do not warrant agency action.”
Lawmakers focused their questions on the inclusion of a citizenship question on the 2020 form and funding for the Bureau, but didn’t raise any questions about its cybersecurity operations. However, Rep. Jose Serrano (D-N.Y.), the subcommittee’s chairman, questioned the Bureau’s efforts to collect administrative data from U.S. Customs and Immigration Services,
“Certain bells go off when you say citizenship question, and other bells go off with when you hear DHS will be providing information to the census,” Serrano said.
Census Bureau runs drills with DHS to ‘stay ahead of cyber threats’
Dillingham said the Census Bureau relies on administrative data from other agencies for “quality assurance” purposes, but said the Bureau, under law, doesn’t transmit decennial information to other agencies.
“It’s well known we have access to certain Social Security and IRS data for the purpose of verifying our data, but it’s a one-way street,” Dillingham said.
In addition, Dillingham said his agency has agreed to inject some “noise” into its data to make it harder for someone to take public-facing data and reverse-engineer it to closely resemble the raw data collected from households, but said the Bureau hadn’t yet determined the right amount of noise needed for the data.
“We view it somewhat as a dial, and you have to set the dial on a certain level of protection,” Dillingham said, adding that the Bureau would strike the balance between protecting the confidentiality of the data and ensuring that aggregate data released to the public remains accurate down to a granular level.
GAO Director Robert Goldenkoff told lawmakers that “significant operational uncertainties” lie ahead on whether some of the 2020 count innovations, such as greater use of geospatial data to verify addresses and the ability to respond to the census online, will, in the end, drive down decennial count costs.
“These innovations show promise for controlling costs, but they also introduce new risks in part because they have not been used extensively, if at all, in earlier enumerations,” Goldenkoff said.
Commerce Secretary Wilbur Ross previously told lawmakers the 2020 census may cost as much as $15.6 billion, but Dillingham said the Bureau has yet to encounter any major obstacle that would warrant dipping into its contingency funding.
Census Bureau Director Steven Dillingham said the 2020 count will be the “most innovative census by far,” and noted that receiving a majority of census responses electronically would result in more efficient operations.
GAO added the 2020 count to its high-risk list in February 2017, but the watchdog agency has added most previous decennial counts to the list, due to its overall cost and scope of operations.
“This is a mammoth operation. It deserves special scrutiny and it deserves the resources that are needed to get the job done, so yes, we’re on the high-risk list,” Dillingham said. “I expect we will be on there until we complete this census. Every census will probably be on the high-risk list.”