Lawmakers grill Census Bureau officials after report on cybersecurity issues

Lawmakers grilled top Census Bureau officials on Wednesday about the cybersecurity of the 2020 census, which kicks off nationwide next month and marks the first time that Americans will be able to fill out the form online.

Officials are facing new urgency over the issue after the Government Accountability Office (GAO) released a report earlier Wednesday highlighting cybersecurity concerns and following the breakdown of the app used by the Iowa Democratic Party to count votes in the state’s caucuses last week.

Those issues were front and center during a House Oversight and Reform Committee hearing on Wednesday that featured testimony from Census Bureau Director Steven Dillingham and GAO officials.

According to the GAO report, the bureau faces “significant cybersecurity challenges in securing its systems and data.” The report said the Census Bureau, one month before the online launch, still has to fix identified cyber vulnerabilities, implement Department of Homeland Security recommendations and ensure that collected information is safe from data breaches. 

Nick Marinos, the director of IT and cybersecurity at GAO, told lawmakers the bureau still has work to do before the census goes live.

“The technology innovations that the bureau intends to rely on for the 2020 census create opportunities for efficiency and effectiveness of the count,” Marinos said. “However, they also bring with them significant cybersecurity and IT risks. Ultimately the success of operations in the upcoming months will be directly tied to how the Bureau continues to manage these risks.”

The clock is ticking. The census will be available to fill out online beginning in mid-March, while the bureau plans to send out census forms to most U.S. households by April 1. The 2020 census formally kicked off in January, when officials from the bureau visited a remote town in Alaska to personally collect census information, which includes ages, dates of birth, and addresses. 

Those cyber challenges were highlighted in Australia in 2016 when the country’s online census website crashed after multiple foreign “denial of service” cyberattacks. The Australian Bureau of Statistics was forced to take down the website temporarily in order to secure the data.

Ahead of the hearing Wednesday, Dillingham and Census Bureau Deputy Director Ron Jarmin detailed in a blog post the steps the agency has taken to protect the census, including the creation of “secure data collection systems” and having security experts available to assist “24/7.”

Dillingham said Wednesday that the Census Bureau has adequately prepared for potential cyber issues and had prepared enough paper forms for every person in the country to complete the census if the online option fails.

“All 2020 census IT systems have been successfully tested or deployed and are on track,” Dillingham said, adding that “we have a high degree of confidence.”

But lawmakers were skeptical of those claims, citing the GAO report and the debacle in Iowa.

“Cybersecurity is going to have to be a top priority for you all,” Rep. John Sarbanes (D-Md.) said during the hearing. “If ever there was a juicy target for those who want to hack in and sow discord and all the rest of it, it would be our 10-year census where we are putting it online like never before.” 

Committee Chairwoman Carolyn Maloney (D-N.Y.) highlighted both cybersecurity concerns and challenges in recruiting enough census workers, which she warned could “cause grave harm to this year’s census and could jeopardize a complete and accurate count.”

Rep. Mark Meadows (R-N.C.), who sits on the committee, told The Hill he had been concerned about the cybersecurity of the census “for years.” He said the census website was more “complex” than the app used in Iowa and therefore has “a lot more chances for cyber intrusions.”

Those concerns are shared across the Capitol.

“I think the idea that we ought to be using 21st century tools to make sure we get the most people counted makes a lot of sense, but I want to really look into specific cybersecurity concerns,” Sen. Mark Warner (Va.), the top Democrat on the Senate Intelligence Committee, said.

The GAO report released Wednesday was the second in under a year by the agency regarding the census. A report released last year also raised concerns about the security of the online count. 

When the last report was released, the bureau had 330 cyber “corrective actions” that had not been addressed, but in the most recent report, GAO said the bureau had not addressed 28 of its overall recommendations for improving the 2020 census.

Dillingham said the bureau was constantly performing risk management tasks assessments that brought up more issues. 

“The Census Bureau engages in a very sophisticated risk management process,” Dillingham said. “The whole concept of risk management is to always be looking for a risk. … We will never, in my opinion, not have a risk list. We will always have risk.”

Despite the assurances by Dillingham, Maloney said the committee would continue to conduct oversight hearings of the Census Bureau as the year progressed. 

“The GAO report shows that there are simply too many gaps, red flags that are out there in the hiring, in the partnerships, in technology testing and in cybersecurity,” Maloney said. “We have to respond to these red flags that are thrown up by GAO, and if these gaps are not filled, it is our most vulnerable citizens who will suffer.”