Does the 2020 Online Census Account for Security Risk?

Published : 23/11/2024   Category : security




Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.



For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.
This year's census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; its 2018 test indicated 61% of those who responded on their own did so online.
People can fill out the Web form with a census ID they should receive in the mail. However, they don't have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.
The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. "The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away," he explained. The ability to respond via Internet or phone means people can reply almost anywhere, at any time.
A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix fundamental cloud security deficiencies in order to better secure the 2020 census. An audit of the Census Bureau's cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.
One month before the 2020 census began, it was on the GAO's High Risk list. A February 2020 report found the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns. It had made progress, the GAO noted, but more work remained.
"When I see things like the census going online, my initial reaction is there is room for threat," says Jason Truppi, co-founder of Shift State Security. But this doesn't mean it's a bad decision, he adds: "I think more and more people might prefer now, and into the future, that it would be only online and not mail-based." Still, he continues, the census will inherit more risks by going on the Web, and the census has ordered millions of extra paper forms in case people can't respond online.
This is the government's best and only ability to collect population data without legal process, and it says it's ready to bring things online. It will reportedly encrypt responses to keep them confidential and it's blocking foreign IP addresses and bots from entering data. Still, experts worry. How could digitizing the census put data at risk, and how might a compromise look?
Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.
As such, it's an appealing target for adversaries.
There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. "In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process," says Steve Moore, chief security strategist at Exabeam.
Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. "I would spend my effort on the low-hanging fruit, as a hacker," Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.
"Intelligence gathering and disruption are some of the main motivations for nation-state threat actors," says Kacey Clark, threat researcher at Digital Shadows. These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons.
A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates about 120,000 people can try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could seek to manipulate data that has already been entered by breaking into the infrastructure.
In another scenario, an attacker may inundate the census site with fake accounts and data to influence results. Exabeam's Moore notes this is less likely, unless a significant amount of data is entered.
"You would want to look for things that move the needle greatly," he explains. This might include peaks or changes in rapid volume, which might prompt questions like: Where is the volume coming from? Are submissions coming from the same, or similar, IP address? At what time of day? Is there a strange number of people being added per household, per day?
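The triage questions above can be asked of a batch of submission records directly. The following is an added example, not code from the article or from the Census Bureau; the record layout, the three thresholds, and the sample rows (documentation-range IP addresses, made-up household IDs) are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def build_sample():
    """Constructed records: (ISO timestamp, source IP, household id, people reported)."""
    rows = []
    # Ordinary daytime traffic: two responses an hour, each from a different address.
    for i, hour in enumerate((9, 10, 11, 12)):
        for j in range(2):
            rows.append((f"2020-03-20T{hour:02d}:{10 + 20 * j}:00",
                         f"192.0.2.{10 + 2 * i + j}", f"H{2 * i + j}", 3))
    # A burst at 03:00 from a single address, one new household per request.
    for k in range(8):
        rows.append((f"2020-03-20T03:00:{k:02d}", "203.0.113.7", f"H{100 + k}", 3))
    # One household that has people added twice on the same day.
    rows.append(("2020-03-20T14:05:00", "198.51.100.4", "H200", 7))
    rows.append(("2020-03-20T15:40:00", "198.51.100.4", "H200", 6))
    return rows


def flag_submissions(records, spike_factor=3.0, ip_limit=3, household_limit=10):
    """Answer the triage questions; all three thresholds are assumed values."""
    per_hour = Counter()                   # when is the volume arriving?
    per_ip = Counter()                     # where is it coming from?
    per_household_day = defaultdict(int)   # people added per household, per day
    for ts, ip, household, people in records:
        t = datetime.fromisoformat(ts)
        per_hour[t.strftime("%Y-%m-%d %H")] += 1
        per_ip[ip] += 1
        per_household_day[(household, t.date().isoformat())] += people
    # Typical hourly volume in this batch; 0 when the batch is empty.
    baseline = median(per_hour.values()) if per_hour else 0
    return {
        "volume_spikes": sorted(h for h, n in per_hour.items() if n > spike_factor * baseline),
        "busy_ips": sorted(ip for ip, n in per_ip.items() if n > ip_limit),
        "odd_households": sorted(k for k, n in per_household_day.items() if n > household_limit),
    }


if __name__ == "__main__":
    for finding, items in flag_submissions(build_sample()).items():
        print(finding, items)
```

A median baseline is used so that the burst itself does not inflate the "normal" hourly volume it is compared against.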
Attackers who don't interfere with the website or data may leverage the census in phishing and disinformation campaigns. "As phishing attacks are the most common threat vector for compromise, it is possible that adversaries will send phishing emails to target US residents," Digital Shadows' Clark says.
As they often do with major events, attackers could trick victims into clicking links or downloading malicious attachments that promise information related to the 2020 census. The Bureau has been taking steps to fight disinformation affecting this year's population count.
Census in the Time of COVID-19: A Broader Scope of Risk
Compounding these security concerns is the heavy reliance on technology and stay-at-home mandates to prevent the spread of coronavirus. If census field workers can't collect data in-person, could it exacerbate the risk to data collection?
This spring, the Census Bureau planned to hire between 300,000 and 500,000 temporary workers to conduct nonresponse follow-up and other field operations, Dillingham said. On March 18, it announced it would suspend field operations until April 1 to help slow the spread of coronavirus and evaluate operations to avoid putting workers or the public at risk. Ten days later, the Bureau confirmed suspension of field operations for two more weeks, until April 15.
Field workers handle face-to-face encounters to collect data from people who don't respond in other manners – in particular, marginalized populations: people who can't get mail, the homeless, and people who live in remote locations. It remains to be seen how the Census Bureau plans to reach these populations without field workers to contact them in person.
"As the census is forced to heavily rely on Internet, phone, and mail responses, the threats shift," Clark says. When census employees go door-to-door, they can more easily validate that the person is who they say they are, but the barrier between census employees and computers or mobile devices introduces the need for advanced authentication processes, she explains.
The IRS, for example, uses mortgage-based authentication to confirm identities with questions about mortgage payments or car purchases. It's a useful method but also flawed, she adds. Some of these questions can be answered with simple open source data collection methods.
Depending on Internet responses means depending on the security of devices people use to enter them. The census can take steps to strengthen the integrity of field workers' mobile devices, and its employees can be trained to spot rogue Wi-Fi networks and avoid malicious emails, explains Bob Stevens, vice president of the Americas at mobile security firm Lookout. The problem is, the Census Bureau can't train all Americans to avoid the same everyday security risks.
"The census is focused on ensuring the data they collect is secure once they collect it," says Stevens. "[It's] not as focused on ensuring the data or people entering it are secure when they do the survey." Cybercriminals who learn of the reliance on digital responses could launch phishing attacks with fake census applications or links to get people to download malware.
Looking Ahead: Government Interactions Go Digital
The census is one of many government processes going digital. As people more heavily depend on technology, especially now, it will influence the way we continue to interact in the future.
"The world as we know it has definitely changed," Stevens says. "And a lot of it will be permanent. I think most of us agree to that." People and businesses that never thought they could telework are learning they can and relying on digital communications to do it. Some government processes, like paying taxes and renewing driver's licenses, have long been digital.
"This is the new norm for interfacing with the government," says The Shift State's Truppi, and the shift demands that a set of standards be put in place to ensure people and their information are protected. As more of these government interactions are moved online, it could expand the attack surface.
There are already discussions around how lessons from the 2020 census can be applied to the presidential election, says Moore, who notes that getting the census right could inform how the government collects data in the future. "We have to have not only adequate representation, but participation in this," he says. "Do we get an accurate account? Do we participate?"
The way the census unfolds will carry implications for a range of future government activities. 