SALT LAKE CITY — While national conversations about hacking attempts aimed at disrupting U.S. elections are ongoing, security experts raised red flags Monday about the 2020 Census and the U.S. Census Bureau's failure to share details about keeping the effort safe from digital intruders.
The warnings carry extra heft with this version of the decennial effort as the population count is relying on technology at unprecedented levels, including allowing respondents to complete census forms online for the first time.
In a letter coordinated by Georgetown University Law Center's Institute for Constitutional Advocacy and Protection to U.S. Commerce Secretary Wilbur L. Ross Jr. and Ron S. Jarmin, acting director of the Census Bureau, numerous signatories with security backgrounds questioned why the bureau has failed to provide sufficient information about what it's doing to keep the new digital systems safe.
"Despite repeated requests from Congress and from the public for a better understanding of the Census Bureau’s preparations for the first electronic census, the bureau has not provided basic information such as whether two-factor authentication will be required for all access to the data obtained, whether relevant information will always be encrypted while in transit and also while at rest (and what specific encryption methods will be used), and whether other now-standard cybersecurity practices will be utilized," the letter reads.
The letter points to evidence of census cybersecurity system failures, including a February 2018 missive from the U.S. House Committee on Oversight and Government Reform that chastises Jarmin for failing to provide information requested by the committee last November 2017 about testing new technology at the bureau.
In testimony offered at a U.S. House hearing in April, the U.S. Government Accountability Office highlighted the Census Bureau was running behind on vetting new technology tools, even as the 2018 "end-to-end" test — a field assessment of new census technology tools — was already underway.
"...The bureau has not addressed several security risks and challenges to secure its systems and data, including making certain that security assessments are completed in a timely manner, and that risks are at an acceptable level," read the written testimony.
Pam Perlich, director of demographic research at the University of Utah's Kem C. Gardner Policy Institute, told the Deseret News while census cybersecurity issues fall outside her realm of expertise, cultivating confidence among respondents, who will have the option to complete census forms online for the first time in 2020, was a crucial effort.
"Cybersecurity is an extremely critical issue," Perlich said. "This will be the first online response to a decennial census for data that is absolutely essential to understanding how many people we have for political representation, funding decisions, planning decisions and so much more ... it's foundational data."
"Building confidence in security will have positive impacts on participation."
Perlich was also concerned that questions about security, coupled with the new citizenship question that will be included, could hurt response levels.
Joshua Geltzer, executive director of Georgetown's Institute for Constitutional Advocacy and Protection and the former senior director for counterterrorism for the National Security Council, told the Deseret News that a number of issues, including an initial dearth of funding for the 2020 effort, and a subsequent truncated field testing schedule, has likely put the entire vetting process behind. But he, like Perlich, underscored that bolstering public confidence was essential, even if it requires calling for reinforcements.
"Part of what the letter has called for is sharing information," Geltzer said. "If we're not going to end up with a tested and secured system, then it calls for bringing in outside help. There are ways to bolster public confidence."
To that end, the letter, which Geltzer signed, called for sharing census cybersecurity details to not only cultivate confidence in the security but as a way to bring private digital security expertise into the effort, if necessary, to build a safe and secure 2020 Census system.
"We urge the leadership of the bureau and of the Department of Commerce to share publicly their plans for protecting information vital to the future of American voting but also tempting for adversaries that seek to harm our country and its foundational democratic processes," the letter reads. "Such transparency and leadership would boost public confidence and also allow cybersecurity experts outside the government to offer assistance in addressing any concerns that they might identify."
A Census Bureau spokeswoman shared this statement on Tuesday in response to a Deseret News request for comment:
"The Census Bureau has a robust cybersecurity program in place to protect the nation’s information as we collect, process, and store it in our IT systems. We have incorporated industry best practices and follow federal IT security standards for encrypting data in transmission and at rest. As a matter of data security, we do not disclose our specific encryption methods, but we would like to note, in response to the concerns of the letter, that two-factor authentication is required for all who access the data.
"While many of our defenses are invisible to the public, know that we have strong and resilient security measures protecting every respondent's information."