On April 1, the first primarily online census goes live. While a digital census should be more accessible — and accurate — going online will also leave the census vulnerable to threats from nation-states, cyber criminals, or hacktivists determined to undermine trust in public institutions.
So why would someone want to attack the 2020 Census?
Census data informs how $1.5 trillion a year in federal funding — which fuels critical services like emergency response, transportation and healthcare — is distributed across the states. Adversaries could target the census to cause maldistribution of these funds with consequences such as utilities shortages, misdirected public works funds and other threats to our communities and critical national infrastructure.
Whether to simply cause chaos or further a more calculated interest, millions of dollars in resources could be funneled towards or away from targeted areas, say, from rural areas to growing cities, and vice versa.
The results of the census will also be used to redraw voting districts, redistribute congressional seats and portion Electoral College votes. Manipulated census data could disrupt the balance of political representation in a capacity that ripples across the entire government. A successful cyber attack could ultimately have an enduring impact on our democracy that long outlasts the duration and extent of the census itself.
There are a variety of ways an adversary could target the census.
Imposter or fake persona flooding: attackers could flood the online portal with armies of fake accounts in order to distort the collected data. They can easily work around the restriction on geographic locations — which the census has put in place as part of its security strategy — by purchasing infrastructure that routes through a U.S. network.
Denial-of-Service (DoS): attackers might inundate the platform with web traffic the minute the census goes online, overwhelming the servers and crashing the platform. Australia’s first online census was targeted with a successful DoS attack in 2016. It took days and $21 million for the government to recover. A large-scale outage would not only undermine access, but also hurt the government’s credibility.
Data manipulation: an attacker gaining access to the census’s operational infrastructure and manipulating the results poses the greatest threat. An adversary might be subtle — slightly altering data to tip the scales toward a form of resource allocation or representation that benefits a segment of the population or a foreign actor. Alternatively, an adversary may seek to be intentionally noticeable. Obvious examples of gross data manipulation may lead people to doubt the entire census process.
Disinformation and phishing: although the Census Bureau has already been working to combat disinformation campaigns, disinformation operations are increasingly leveraging social media and multiple platforms to launch advanced social engineering attacks. If people are under the impression that data collected will be used to vet immigration status, employment or credit history, they may choose to not participate, which could ultimately skew the results. Importantly, these types of cyber attacks need not directly target the census’s own infrastructure, but can use public channels to manipulate census data from the outside in.
A Government Accountability Office (GAO) report from July 2019 warned that the Census Bureau faced “significant cybersecurity challenges.” While Census Director Steven Dillingham recently assured Congress that they have taken preemptive measures to prevent data loss and avoid operational outages, no system is fully secure. We must assume that attackers will target the census in a way that we cannot fully anticipate, nor fully prepare for.
The impacts of a successful attack on the census could have just as long-lasting consequences on our national institutions as an attack on the election. We need to expand our understanding of what constitutes an attack against our democracy, as well as ensure that other governmental systems receive additional funding, media attention, and expert support.
In the face of motivated, creative adversaries, government’s – and businesses’ – strategy around security needs to fundamentally change. We know that systems will be attacked. Organizations should look towards technology like artificial intelligence that can identify abnormalities indicative of an emerging threat and then take action to limit the impact of an attack, even if it’s never been seen before. Especially as we see adversaries begin to leverage AI to supercharge attacks, government cyber efforts will struggle to keep up with adversaries unless they themselves also begin to incorporate these proven advanced technologies into their security strategies.
Marcus Fowler is the director of strategic threat at Darktrace. Previously, he spent 15 years at the Central Intelligence Agency developing global cyber operations and technical strategies, led cyber efforts with various U.S. Intelligence Community elements and global partners, has extensive experience advising senior leaders on cyber efforts, and was an officer in the United States Marine Corps.