Risk

3/31/2020 11:10 AM
Does the 2020 Online Census Account for Security Risk?

Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.

For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.

This year's census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; the 2018 test indicated 61% of those who responded on their own did so online.

People can fill out the Web form with a census ID they should receive in the mail. However, they don't have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.

The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. "The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away," he explained. The ability to respond via Internet or phone means "people can reply almost anywhere, at any time."

A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix "fundamental cloud security deficiencies" in order to better secure the 2020 census. An audit of the Census Bureau's cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.

One month before the 2020 census began, it was on the GAO's "High Risk" list. A February 2020 report found "the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns." It had made progress, the GAO noted, but more work remained.

"When I see things like the census going online, my initial reaction is there is room for threat," says Jason Truppi, co-founder of Shift State Security. But this doesn't mean it's a bad decision, he adds: "I think more and more people might prefer now, and into the future, that it would be only online and not mail-based." Still, he continues, the census will inherit more risks by going on the Web, and the Census Bureau has ordered millions of extra paper forms in case people can't respond online.

This is the government's best and only means of collecting population data without legal process, and it says it's ready to bring things online. It will reportedly encrypt responses to keep them confidential, and it's blocking foreign IP addresses and bots from entering data. Still, experts worry. How could digitizing the census put data at risk, and what might a compromise look like?

Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.

As such, it's an appealing target for adversaries.

There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. "In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process," says Steve Moore, chief security strategist at Exabeam.

Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. "I would spend my effort on the low-hanging fruit, as a hacker," Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

"Intelligence gathering and disruption are some of the main motivations for nation-state threat actors," says Kacey Clark, threat researcher at Digital Shadows. "These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons."

A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates that about 120,000 people may try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could also seek to manipulate data that has already been entered by breaking into the infrastructure.
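The two ingress controls the article mentions, blocking foreign IP addresses and bots from submitting data and absorbing request floods, can be sketched as a small edge policy. The block below is an added illustration, not Census Bureau code or anything the article describes in detail: the IP-to-country table, the allowed-country set, the token-bucket thresholds and the sample request log are all constructed for the example. It shows a country allowlist check followed by a per-source token-bucket rate limit, and replays a short constructed stream of requests to show which are accepted and why the rest are refused.

```python
"""Edge ingress policy sketch: country allowlist + per-source token-bucket
rate limiting. Added example; all data below is constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical geolocation table (documentation-range addresses).
# A real deployment would consult a maintained GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # "XX" = some other country
]
ALLOWED_COUNTRIES = {"US"}  # assumption: only domestic respondents are accepted


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for an address, or None if it is unknown/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` burst, `refill_per_sec` sustained rate."""
    capacity: float
    refill_per_sec: float
    tokens: float = -1.0   # -1 means "start full"; set in __post_init__
    last: float = 0.0

    def __post_init__(self) -> None:
        if self.tokens < 0:
            self.tokens = self.capacity

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IngressFilter:
    """Decide whether a request from `ip` at time `now` may reach the form."""

    def __init__(self, burst: float = 3, refill_per_sec: float = 1.0) -> None:
        self.burst = burst
        self.refill = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def decide(self, ip: str, now: float) -> Tuple[bool, str]:
        cc = lookup_country(ip)
        if cc is None:
            return False, "unknown-geo"          # fail closed on unknown origin
        if cc not in ALLOWED_COUNTRIES:
            return False, f"geo-block:{cc}"
        bucket = self.buckets.setdefault(ip, TokenBucket(self.burst, self.refill))
        if not bucket.allow(now):
            return False, "rate-limited"         # burst from one source: likely a bot/flood
        return True, "ok"


def replay(events: List[Tuple[float, str]]) -> List[str]:
    """Run a time-ordered list of (timestamp, source_ip) through the filter."""
    f = IngressFilter()
    return [f.decide(ip, ts)[1] for ts, ip in events]


# Constructed request stream: one domestic client bursting four requests in
# 0.3 s, a foreign client, an unmapped address, then the first client later.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7"),
    (0.1, "198.51.100.7"),
    (0.2, "198.51.100.7"),
    (0.3, "198.51.100.7"),
    (0.5, "203.0.113.9"),
    (0.6, "192.0.2.1"),
    (5.0, "198.51.100.7"),
]

if __name__ == "__main__":
    for (ts, ip), reason in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={ts:4.1f} {ip:15} -> {reason}")
```

Two design points are worth noting. The filter fails closed when the origin cannot be mapped, which is the safer default for a form that only domestic respondents should reach, at the cost of false refusals that a real deployment would need a fallback path for (the article notes phone and paper remain available). And the per-source bucket limits what any single address can do in a burst, which is a blunt but useful first layer against both scripted submissions and floods; it is not a substitute for upstream DDoS absorption capacity of the kind the article says was provisioned.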

(Continued on next page)

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments

tdsan, User Rank: Ninja
4/2/2020 | 6:56:58 AM
The post hit some great points about the potential of risk.
The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

This is not all that true. It is true they collect addresses and demographics, but they also work with other agencies to create a profile of the person, so the data that is provided is also cross-referenced against other data sets for verification. In short, they don't collect financial data, but it is matched against other sources to create a matrix of personal information (PII).

In addition, the Census Bureau was hacked, and a buddy of mine stated that they have numerous security holes that he himself expressed, but they did nothing about them. Another gentleman provided similar information; once he found out they did not listen to him, or even threatened him, he left the office. He was a security savant and was not trusted when he brought information to their attention (2019).

Reference - https://www.consumeraffairs.com/news/yet-another-us-government-cybersecurity-breach-this-time-its-the-census-bureau-072415.html

Hackers stole massive amount of data from the US Census Bureau ... Anonymous Hacks US Census Bureau Against TPP/TTIP (Security Affairs)

And by the way, they have been removing competent personnel from the various security teams. So if they get hit again, it won't be surprising, because the management staff has not been willing to listen to individuals who have a keen sense of cybersecurity operations. It is almost a travesty, the disarray of their IT operations.

T