The Cybersecurity 202: The 2020 Census Could Be A Prime Target For Hackers
The Census Bureau is trying to quell concerns that it’s not prepared to protect Americans’ data from cyber intrusions when it conducts the first fully digital census in 2020.
Kevin Smith, the Census Bureau’s chief information officer, used a little-publicized quarterly meeting Friday to explain how the agency is working with the Department of Homeland Security and using tools such as encryption to safeguard the troves of information it will gather in the next population count. “I want to stress that protection of the data we collect is census’s highest priority,” he said.
Smith outlined some fairly basic steps, which are unlikely to satisfy a growing group of critics who say the bureau has for months avoided answering questions about its cybersecurity preparations. These critics, including members of the House Oversight Committee and former senior national security officials, argue the bureau, which is part the Commerce Department, has fallen behind on important equipment tests and left the public in the dark about whether it had implemented even minimal cybersecurity practices. They want more transparency at a time when Russian election hacks and other data breaches are increasingly putting Americans’ personal information at risk.
“It’s good to see the Census Bureau beginning to address these concerns but, as we have seen from the threats to our electoral systems, the threat is great and the census data will be an extremely attractive target,” Christopher Painter, the State Department’s former top cyber diplomat, told me in an email.
“Moreover a breach or, worse yet, an intrusion that calls into question the integrity of the information, will have a major impact on citizen confidence,” said Painter, who was one of a dozen former officials who wrote to the bureau last month about their concerns. “Given the stakes, and the magnitude of the threat, continued focus and vigilance, and continued oversight and transparency, are needed to ensure that cybersecurity concerns are adequately prioritized and resourced.”
Indeed, foreign governments have already targeted Americans’ personal information. Moscow used such data to microtarget social media users during its disinformation campaign in 2016, and Russian hackers stole records on 500,000 voters when they breached a state voter database that year. The federal government is still dealing with the fallout from the massive hack of federal employee records from the Office of Personnel Management in 2015, which has been linked to the Chinese government.
Smith didn’t offer much technical detail about the bureau’s efforts during his remarks Friday. “That’s kind of putting the playbook out there when you don’t want people to see the playbook,” he said. But he did map out some of the bureau’s strategies. Here are a few:
— The bureau is using encryption “everywhere we’re collecting the data,” Smith said. That includes the census website, where people will be asked to enter data in 2020, as well as the devices used by census workers who go out on foot to gather information. Once the data is submitted, Smith said, it gets immediately “vaulted” away from the public-facing Internet.
— The bureau is also trying to protect people from phishing attempts. Smith said the bureau has bought “many” domain names that hackers could use to impersonate the census website and trick people into giving away personal information. The bureau is also hunting down “rogue websites” that may exist, he said. Additionally, officials are monitoring the census site for irregular activity that might signal an intrusion, such as an unusually high amount of data going out or coming in.
— The private sector and other federal agencies are helping. According to Smith, DHS and private-sector groups have tested the defenses of the census networks. “Nothing major was discovered,” Smith said, “No data was able to be taken.” The bureau is also working with telecommunications companies to stave off malicious activities such as denial-of-service attacks, which can disable a website by flooding it with fake traffic.
The remarks were a promising start, Joshua Geltzer, former senior director for counterterrorism on the National Security Council during the Obama administration, told me in an email. But “clarifying other elements, and ensuring that the strategies as a whole are actually implemented effectively, will remain an ongoing project for the bureau in the lead-up to, and during, the 2020 Census,” said Geltzer, who was also among the officials who wrote to the bureau last month.
Geltzer and others said in their July 16 letter that the bureau hadn’t clarified whether it has implemented even basic security procedures. They asked for the bureau to reveal the “technical protocols and systems” to safeguard data, and to consider hiring an outside cybersecurity firm to audit its efforts.
House Republicans have also expressed frustration with the bureau. The Oversight Committee grilled Commerce Secretary Wilbur Ross in a hearing last fall over delays in rolling out new IT systems. And in February, Oversight Chair Trey Gowdy (R-S.C.), and Reps. Mark Meadows (R-N.C.) and Rep. Gerald E. Connolly (D-Va.) sent a sharply worded letter chiding the bureau for failing to respond to requests for details about the systems. “The bureau’s failure to respond to the committee’s request is unacceptable,” the lawmakers wrote.
PINGED, PATCHED, PWNEDPINGED: National security adviser John Bolton in an interview on “Fox News Sunday” dismissed suggestions that President Trump is at odds with his own administration over Russian threats to American elections. Bolton said Trump directed top national security and intelligence officials to conduct a briefing on election security at the White House last week because “he felt it was important that the American people hear directly from the people responsible for election security at the federal level — hear what they were up to — at least in a nonclassified environment.”
Also on Fox News, Sen. Marco Rubio (R-Fla.) said he would be open to modifying a bill to deter future foreign interference in U.S. elections that he and Sen. Chris Van Hollen (D-Md.) introduced in January.Rubio said a provision of the bill, which would require the director of national intelligence instead of the president to determine whether foreign interference occurred in a federal election, has met “a little bit of pushback.” “We want to get something done,” Rubio said. “We’re willing to do whatever it takes to pass a law that has real sanctions that will deter, but at the same time can pass the House, pass the Senate and will be signed into law by the White House.”
Speaking on NBC’s “Meet the Press” yesterday, Sen. Amy Klobuchar (D-Minn.) said she worries about the prospect of a successful cyberattack during the 2018 midterm elections. “I’m very concerned that you could have a hack that finally went through,” she said. She added that efforts to defend against cyberthreats should go beyond the protection of elections.
“I’d love to see this broadened out so we start to discuss also the threats to our power grid system, the threats to our financial system, because the Russians aren’t just stopping at the election equipment,” Klobuchar said.
Appearing on NBC before Klobuchar, Sen. Roy Blunt (R-Mo.) said he voted against directing an additional $250 million to election security last week because the way states use such funding should be “more specified. And I don’t want this to become an annual entitlement.”
PATCHED: “At least three groups that Facebook banned this week for spreading disinformation shared similar names and traits with Twitter accounts that had been linked publicly to Russia six weeks earlier, underscoring the challenges of swiftly shutting down a foreign influence campaign even once strong hints emerge of who is behind it,” The Washington Post’s Elizabeth Dwoskin, Tony Romm and Craig Timberg reported.
“Facebook announced Tuesday that it had removed 32 accounts and pages as part of a sweep of malicious activity ahead of the November midterm elections. It said it identified the first of those pages — which the company said it couldn’t directly attribute to Russian operatives — two weeks ago.”
My colleagues report that security researchers said Facebook should have taken action against the inauthentic pages and profiles sooner given the similarities between some accounts on Facebook and Twitter. “One of the accounts, called ‘Resisters’ on Facebook and Twitter, billed itself on both platforms as a feminist page that emphasized themes of gender equality and female empowerment — with a clear opposition to [Trump’s] agenda,” Elizabeth, Tony and Craig wrote. “Another Twitter account, @Warriors_Aztlan, tweeted regularly about the oppression of Native Americans and indigenous people. So too did the Facebook page ‘Aztlan Warriors,’ and both referenced Aztec culture and imagery related to anti-colonial struggles.”
PWNED: A bipartisan group of senators sought answers from Google about reports that the company plans to launch an Android app version of its search engine in China that would abide by the country’s censorship rules.
“If true, this reported plan is deeply troubling and risks making Google complicit in human rights abuses related to China’s rigorous censorship regime,” Rubio as and a biparrisan group wrote in a letter to Google chief executive Sundar Pichai.
The senators said Google’s move may set a precedent for other businesses. “It is a coup for the Chinese government and Communist Party to force Google — the biggest search engine in the world — to comply with their onerous censorship requirements, and sets a worrying precedent for other companies seeking to do business in China without compromising their core values,” they wrote. The Intercept’s Ryan Gallagher last week first revealed the company’s project, which is called Dragonfly.
In addition, Google is facing discontent from its own employees about the plan, Gallagher reported. “Just a few hundred of Google’s massive 88,000-strong workforce had been briefed on the project prior to the revelations, which triggered a wave of disquiet that spread through the internet giant’s offices across the world,” Gallagher wrote. “Company managers responded by swiftly trying to shut down employees’ access to any documents that contained information about the China censorship project, according to Google insiders who witnessed the backlash.”
— More cybersecurity news:
PUBLIC KEY— “The Democratic National Committee warned party candidates running in November elections not to use devices made by Chinese telecommunications companies ZTE Corp and Huawei Technologies because they pose a security risk, a Democratic source said on Friday,” Reuters reported. “U.S. lawmakers and the Trump administration have pressured U.S. companies to not sell Huawei or ZTE products, saying they potentially could be used to spy on Americans.”
— My colleague Craig Timberg explores how an online account named AllForUSA that was created over a decade ago by a legitimate user before being abandoned reemerged years later and ended up in the Russia investigation. AllForUSA has appeared on different platforms and has been active in different languages.
“A clue to the mystery of this multi-lingual burst of activity appeared in a February indictment by Special Counsel Robert S. Mueller III, which said the Russians who operated fake social media accounts to manipulate American voters used email@example.com to fraudulently access a PayPal account and to promote a ‘March for Trump’ campaign rally in New York,” Craig wrote. “The other ‘AllForUSA’ accounts likely were operated in tandem with this email address and with each other, according to a report Monday from cyber-intelligence firm GroupSense, whose researchers found a subtle tangle of connections left in records discovered online.”
— “Top administration officials are devising new penalties to hit back more forcefully at state-sponsored hackers of critical infrastructure to deter attacks such as the successful penetration of U.S. utilities by Russian agents last year,”The Wall Street Journal’s Rebecca Smith reported on Sunday. “The push for explicit action is coming from top federal agencies to fight worsening threats to the country’s electricity system and other critical industries, particularly menacing actions from Russia, China, Iran and North Korea.”
— The Energy Department plans to host an exercise simulating cyberattacks on American energy infrastructure and test how the power grid would restart following widespread blackouts, E&E News’s Blake Sobczak reported Friday. “The ‘Liberty Eclipse’ exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure,” Sobczak wrote. “The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”
— More cybersecurity news from the public sector:
PRIVATE KEY SECURITY FAILS THE NEW WILD WEST— “Iraq’s election commission ignored an anti-corruption body’s warnings about the credibility of electronic vote-counting machines used in May’s parliamentary election, according to investigators and a document seen by Reuters,” Ahmed Rasheed, Raya Jalabi and Ahmed Aboulenein of Reuters reported Sunday. “The devices, provided by South Korean company Miru Systems under a deal with the Independent High Elections Commission (IHEC), are at the heart of fraud allegations that led to a manual recount in some areas after the May 12 election.”