Census Bureau details cybersecurity protections for 2020 count
With the Census Bureau preparing to make signification leaps in its technology for the 2020 count of the nation’s population, agency officials are seeking to allay concerns about how citizen data will be protected.
The 2020 census figures to use a mix of internet-based self-reporting options with traditional information collection methods and enumerators equipped with mobile devices. Previous delays in testing the 40 IT systems that will be utilized for the census have not only drawn criticism from Congress, but also concerns about the security of the data being collected and stored on federal networks.
At the quarterly 2020 census Program Management Review on Friday, bureau CIO Kevin Smith said his office was in contact with stakeholders in both the private and public sectors to help address any potential cyberthreats. It’s not just about protecting collected data from breaches, it’s about ensuring the collection process itself is secure.
“There have been some conversations in the public about security and what the census is doing to secure data,” he said. “I want to stress that protection of the data we collect is the census’ highest priority. I am going the describe that it’s not just the technology, it’s also the people and processes that we also use within our culture to help make sure everyone is aware of the importance of the data.”
While not wanting to reveal the entirety of the bureau’s “playbook” for securing the collected data, Smith did outline multiple potential threat areas that officials are monitoring, as well as the vast array of federal partners collaborating with the bureau to monitor and secure data streams coming into the census.
“I want to assure the team that the playbook is shared within the federal government,” he said. “The playbook is shared within the federal intelligence community that we work with, it’s been shared with the Federal CIO within [the Office of Management and Budget], it’s been shared with Oversight committees who have been assisting us and guiding us forward to ensure the protection of your data. It’s also been shared with our industry partners that we work with on a daily basis.”
Protecting census data has been the most-often discussed topic surrounding the decennial count, with Department of Commerce CIO Rod Turk calling for cooperation from the IC in June to identify threat actors. The department oversees the Census Bureau.
For internal threats like attacks on the census’ self-response site, potential data breaches and the enumerators’ mobile devices, Smith said that the data will be both encrypted in-transit and at-rest, network activity will be heavily monitored and data collected and isolated from the internet.
Enumerator devices will also only contain data until it is transmitted to census systems and will in no way be retained.
For the external threats like a respondent’s compromised device, Smith said that the Bureau will launch public service campaigns to warn citizens about the threats of rogue websites, spearphishing attacks and other threats.
Data submitted to the census through its self-response option will be encrypted both in-transit and at-rest as well, Smith said, but users should be wary of how they handle the data on their end.
“Census is not storing any data on your respondent device, computer or your mobile phone to go collect data or to submit data to the internet self-response tool,” he said. “If you choose, as a respondent, on your device to store data locally, or cache it, there’s not much I can do to stop you from caching that data. That’s up to you, with how you use your internet browser and how you want to connect to rest of the internet.”
Officials said recent testing on the census systems, — including penetration testing — showed no serious issues. Census field offices are set to begin opening next year.