Tech

Census Bureau missed opportunities to avert 2020 cyberattack — report

A report by the Department of Commerce’s Inspector General identifies critical IT failings.

August 18, 2021

Photo Illustration by Justin Sullivan/Getty Images

The U.S. Census Bureau was slow to report a major cyber breach in early 2020 and missed key opportunities to limit vulnerabilities, according to the Department of Commerce’s Office of Inspector General.

An investigation published Wednesday by the oversight body found that the bureau was failing to scan its remote server prior to the cyberattack, and the failure to keep sufficient system logs hindered a subsequent investigation into the incident.

“We found that the bureau should make improvements to its cyber incident response process. Specifically, the bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers,” the IG said in its report. “Once the servers had been exploited, the bureau did not discover and report the incident in a timely manner.”

The breach took place in January 2020, when hackers accessed the agency’s remote servers. None of the compromised servers were involved with the 2020 census, and the count was unaffected by the attack.

According to the report, the bureau was also operating servers that were no longer supported by the relevant vendor.

The IG has issued a string of recommendations, including that the Census Bureau’s CIO review procedures for notifying IT staff when critical vulnerabilities are publicly disclosed. These include the recommendation that the CIO review the automated alert capabilities of the bureau’s security information and event management tool.

The IG also called on the bureau’s director to ensure that the CIO incorporates periodic reviews of IT asset configurations and also updates bureau response policies to include a specific timeframe.

Earlier this year, FedScoop revealed that the Census Bureau had installed Luis Cano as its chief information officer after previously working as chief of the agency’s Decennial Contract Execution Office. He replaced Kevin Smith, who left the bureau in January to join the Federal Housing Finance Agency.

Under federal policy, the statistical agency is required to adhere to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program, which operates regular vulnerability scanning of all systems.

Census Bureau missed opportunities to avert 2020 cyberattack — report

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

DOJ seeks public input on AI use in criminal justice system

Top Stories

GSA taps TTS deputy director to take top Login.gov role next month

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

Scientists must be empowered — not replaced — by AI, report to White House argues

404 page: the error sites of federal agencies

White House hopeful ‘more maturity’ of data collection will improve AI inventories

Generative AI could raise questions for federal records laws

Oracle approved to handle government secret-level data

More Scoops

How the U.S. Census Bureau leveraged cloud services to modernize security

Census Bureau spent $5.9B on IT contracts for 2020 survey

Watchdog calls on Census Bureau to improve cyber incident detection and alerting

Census Bureau shares analytics insights, not data, in pilot with IRS

Census Bureau moving beyond surveys and censuses with cloud-based data ecosystem

Census bureau redesigns website to make it more accessible for high-frequency users

Census Survey Explorer helping users find the data they need

Latest Podcasts

Census Bureau missed opportunities to avert 2020 cyberattack — report

Scientists Must Be Empowered, Not Replaced by AI

Leveraging modern access management to achieve zero trust

The role of the federal chief AI officer

Tech

Defense

Cyber

Acquisition