Census called a likely target of hacking, disinformation

Census called a likely target of hacking, disinformation

Going digital to cut costs might put the survey at unprecedented risk, cybersecurity experts say.

  • Tara Bahrampour The Washington Post
  • Monday, April 1, 2019 6:41am
  • Nation-World

By Tara Bahrampour / The Washington Post

With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time.

Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade’s worth of federal funding, congressional apportionment and redistricting throughout the country.

“Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power,” said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. “I think there will be lots of attempts. We should be concerned.”

So far, there has been no indication of anyone trying to target the survey, but experts say the risks will probably grow as the launch draws closer. Census Bureau officials say they are working with experts in the government and private sector, including at the Department of Homeland Security, Facebook, Microsoft and Google, to defend against people or foreign states who try to undermine the U.S. government or prevent certain groups from being counted.

They plan to encrypt incoming information, scan responses for unusual activity and monitor social media to spot attempts to mislead the public. The bureau has bought up more than 100 census-related domain names so they can’t be used to create fake census sites, and it plans to aggressively push the message that completing the survey is safe and that being counted is beneficial to communities.

Yet cybersecurity experts cite several reasons to be concerned with the plan. It comes at a time when trust in the government generally is low. Many people’s trust in the census in particular has been eroded by fears about the Trump administration’s decision last year to add a citizenship question to the survey. The question has been struck down by two federal courts and the Supreme Court is expected to decide this spring whether it will appear on the forms.

At the same time, previous data breaches have left many Americans leery of sharing personal information online. The federal government’s troubled track record in building and maintaining technological systems includes the repeated meltdowns of healthcare.gov in 2013 and the Office of Personnel Management hack, revealed in 2015, that exposed names, Social Security numbers, salaries and other information on more than 21 million federal workers, allegedly to Chinese hackers. More recently, the Federal Emergency Management Agency exposed the personal addresses and banking information of 2.5 million disaster survivors.

Joshua Geltzer, a former National Security Council official who has warned of security risks to the census and called for greater transparency on it, said it is particularly important to clarify how it will be protected given how Russian interference in the last presidential election spawned years of questions – many still unanswered – about how seriously outside forces were able to affect a major American vote.

“We know that actors like the Russians and others are interested in finding ways to make our democracy seem weak, brittled, flawed,” said Geltzer, who is executive director of Georgetown Law’s Institute for Constitutional Advocacy and Protection. He added, “I don’t think it’s crazy to worry that there might still be problems when this thing rolls around. We haven’t cracked the code on this in terms of other contexts, of the elections, of the general democracy, so I wouldn’t expect the Census Bureau to have figured this out.”

Disrupting a census is not unprecedented: When Australia put its census online in 2016, cyberattackers launched what experts call a Distributed Denial of Service attack, in which hackers intentionally overload online systems. The onslaught crashed a critical website, slowing the count.

In past U.S. censuses, survey forms arrived in people’s mailboxes, and those who didn’t mail them in received visits from enumerators carrying another set of paper forms. This time, most households will receive an initial mailing inviting them to log on to the bureau’s website (paper forms will be mailed at that point to the 20 percent least likely to be online, including older people and those in areas with low Internet connectivity).

Households that don’t respond electronically will then receive paper forms by mail, and when enumerators knock on doors to follow up with those who still haven’t responded, they will intake respondents’ information electronically, via an iPhone 8.

The decennial census does not gather Social Security numbers or financial information “Most people fill out credit card applications with much more personal information,” said the bureau’s assistant director of communications, Stephen Buckner.

The bureau has systems in place to guard against hacks. After encrypting the data at two points in the process, it will store the data in its own secure Cloud environment through the Amazon Web Services’ GovCloud. (Amazon Chief Executive Jeff Bezos owns The Washington Post.) It will continuously monitor incoming data, using an automated system that will look for suspicious activity, check information against existing records, and refer questionable surveys to analysts for follow-up. In the event of a website slowdown or crash, there will be a backup system as well as options to complete the survey via telephone or mail.

Indications of hacks might include unusual patterns of activity, such as a single-family home reporting that it has 30 residents, or responses coming in too rapidly for a survey that should take about 10 minutes to fill out online.

“If the Census Bureau sees a response is being generated every 15 seconds from a certain computer or a certain area,” that would raise suspicions, said Maria Filippelli, public interest technology census fellow with New America, a nonpartisan Washington think tank. Any unusual spikes “would be investigated, isolated and shut down.”

But the system for collecting information has built-in vulnerabilities, some security experts say. For example, there is no way to stop a person from uploading information about a particular address even if he or she is not a resident there. (While the mailings will include an ID number, respondents can fill out the survey without using the number.)

Census Bureau officials say such activity will be detected as incoming responses are automatically checked against existing records; if a discrepancy is spotted, it will be flagged for human review.

“We constantly scan it to see if some new vulnerability occurred, and if it occurred, then we fix it,” said Kevin Smith, the bureau’s chief information officer. “We are absolutely performance-testing it above and beyond the level that we need to.”

The bureau has been working with DHS’s Cybersecurity and Infrastructure Security Agency (CISA), where a team of about 20 people is focused on helping secure the system and gaming out possible hacks.

“The two most important things that I’ve got going on in both prepping and executing next year are the election and the census,” an official there said. “The risk to the census is fairly broad, and they’re well aware of this, they’re taking a lot of really good actions to secure against these. But then you could have anything from an individual hacker trying to get into some aspect of it to just be difficult, to nation-states trying to gain access in order to get access to personally identifiable information to potentially change census collection, and then you’ve got the foreign influence piece as well, sowing confusion and discord. The census is a key tenet of our democracy, and so some of the same risks and threats you saw to elections are applicable to census.”

A research company that surveys the Web for signs of malfeasance said it detected some chatter about the census a couple of years ago, but so far has seen no evidence of a concerted campaign. That is not surprising given the survey is a year off. A more coordinated effort might not come together until later in the process, said a researcher at the company, which asked for anonymity because of the private nature of its work.

But even if census data aren’t hacked, concerns over cybersecurity could create an atmosphere ripe for disinformation campaigns seeking to influence how, or whether, respondents fill out the survey. This could come in the form of fake reports of Immigration and Customs Enforcement officials accompanying census enumerators to people’s homes, fake news stories about census data being hacked, or phishing websites that trick people into thinking they have filled out the real survey.

Any of this could lower response rates, jeopardizing the quality of the data and driving up costs as the agency attempts to collect information for nonresponding households by going door to door and combing government and public records.

The bureau must navigate a delicate balance between warning people about these dangers and scaring them off.

“It’s tough, for those who care about the census,” Dutta-Gupta said. “We have to be careful in not raising false alarms or concerning people more than they need to be, since trust is essential in ensuring a fair and accurate count.”

The bureau has been meeting with companies such as Microsoft, Google, Facebook and Twitter to plan how to identify and stop misinformation as it comes online. In March, Facebook hosted an event with the bureau and other technology companies and civic organizations to talk about the census. “They’re opening their doors, they realize the importance of this, they’re being collaborative,” Buckner said.

Last year Facebook and Twitter adopted clear, specific prohibitions around voter suppression, hoping to stop the spread of posts, videos and other content designed to deceive users about how to vote. Representatives from these companies would not say whether they are planning something similar for the census. Facebook said only that census-related posts could be submitted to its third-party fact-checkers for review, while Twitter said it would take action against inauthentic accounts created with the intention to deceive users about the census. Google declined to discuss the census, and Microsoft said it is working with the bureau on cybersecurity but did not provide details.

Educating the public about how the census works and what information to believe is a key part of protecting it, the CISA official said. “We need to ensure that the public understands where the information is coming from,” the official said. “An informed public is our best defense.”

The U.S. Government Accountability Office has put the 2020 count on its high-risk list, and in a report last month it cited more than 1,000 system security weaknesses and warned that the bureau needs to address “before systems are deployed.” At a full dress rehearsal for the count last year (which was scaled down from three locations to one because of funding shortages), “the Bureau did not test all 2020 Census systems and IT capabilities,” the report said, adding that incomplete testing “increases the risk that innovations and IT systems will not function as intended,”

The bureau said it meets regularly with the GAO to address its recommendations, but added that not all the systems needed to be tested during the dress rehearsal, as some were up and running for other census surveys, and it was too early to test others.

Nick Marinos, director of IT and cybersecurity issues at the GAO, said although the bureau’s innovations make sense, it is coming up against a hard deadline to make sure its systems run smoothly.

“This is an unprecedented effort… . Globally, there haven’t been too many online censuses performed,” he said. “I think the bureau itself is anxious and I think that is warranted. I think we are also holding our breath, waiting to see what the next six months brings.”

The Washington Post’s Ellen Nakashima, Tony Romm and Craig Timberg contributed to this report.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Nation-World

FILE - Britain's Queen Elizabeth II looks on during a visit to officially open the new building at Thames Hospice, Maidenhead, England July 15, 2022. Buckingham Palace says Queen Elizabeth II is under medical supervision as doctors are “concerned for Her Majesty’s health.” The announcement comes a day after the 96-year-old monarch canceled a meeting of her Privy Council and was told to rest. (Kirsty O'Connor/Pool Photo via AP, File)
Queen Elizabeth II dead at 96 after 70 years on the throne

Britain’s longest-reigning monarch and a rock of stability across much of a turbulent century died Thursday.

A woman reacts as she prepares to leave an area for relatives of the passengers aboard China Eastern's flight MU5735 at the Guangzhou Baiyun International Airport, Tuesday, March 22, 2022, in Guangzhou. No survivors have been found as rescuers on Tuesday searched the scattered wreckage of a China Eastern plane carrying 132 people that crashed a day earlier on a wooded mountainside in China's worst air disaster in more than a decade. (AP Photo/Ng Han Guan)
No survivors found in crash of Boeing 737 in China

What caused the plane to drop out of the sky shortly before it was to being its descent remained a mystery.

In this photo taken by mobile phone released by Xinhua News Agency, a piece of wreckage of the China Eastern's flight MU5735 are seen after it crashed on the mountain in Tengxian County, south China's Guangxi Zhuang Autonomous Region on Monday, March 21, 2022. A China Eastern Boeing 737-800 with 132 people on board crashed in a remote mountainous area of southern China on Monday, officials said, setting off a forest fire visible from space in the country's worst air disaster in nearly a decade. (Xinhua via AP)
Boeing 737 crashes in southern China with 132 aboard

More than 15 hours after communication was lost with the plane, there was still no word of survivors.

Former Rep. Matt Gaetz, R-Fla., center, arrives at the U.S. Capitol in Washington D.C. with Sen. JD Vance, R-Ohio, right, the vice president-elect, on Wednesday morning. Gaetz withdrew from consideration Thursday, saying he was an unfair distraction to the transition. (Haiyun Jiang / The New York Times)
Matt Gaetz withdraws from consideration as attorney general

“It is clear that my confirmation was unfairly becoming a distraction,” Gaetz wrote Thursday on X.

Attendees react after Fox News called the presidential race for Former President Donald Trump, during an election night event at the Palm Beach County Convention Center in West Palm Beach, Fla., on Wednesday. Trump made gains in every corner of the country and with nearly every demographic group. (Haiyun Jiang / The New York Times)
Donald Trump returns to power, ushering in new era of uncertainty

Despite criminal convictions and fears of authoritarianism, Trump rode frustrations over the economy and immigration.

Voters cast their ballots at a polling place inside the Weisman Art Museum at the University of Minnesota in Minneapolis on Election Day, Tuesday, Nov. 5 2024. Voters headed into polling stations on Tuesday in the closing hours of a presidential contest that both major parties said would take the country in dramatically different directions, capping a contentious and exhausting 107-day sprint that began when President Joe Biden abandoned his bid for a second term. (Caroline Yang/The New York Times)
Live updates: Georgia called for Trump

The Daily Herald will be providing live updates on national election developments throughout Tuesday.

Liam Payne performs during the Jingle Ball at Madison Square Garden in New York in 2017. Payne, who rose to fame as a singer and songwriter for the British group One Direction, one of the best-selling boy bands of all time, died after falling from the third floor of a hotel in Buenos Aires on Wednesday. He was 31. (Chad Batka / The New York Times)
Liam Payne, 31, former One Direction singer, dies in fall in Argentina

Payne rose to fame as a member of one of the bestselling boy bands of all time before embarking upon a solo career.

In this photo taken from video provided by the Ukrainian Presidential Press Office, Ukrainian President Volodymyr Zelenskyy speaks to the nation in Kyiv, Ukraine, Sunday, Feb. 27, 2022. Street fighting broke out in Ukraine's second-largest city Sunday and Russian troops put increasing pressure on strategic ports in the country's south following a wave of attacks on airfields and fuel facilities elsewhere that appeared to mark a new phase of Russia's invasion. (Ukrainian Presidential Press Office via AP)
Ukraine wants EU membership, but accession often takes years

President Volodymyr Zelenskyy’s request has enthusiastic support from several member states.

FILE - Ukrainian servicemen walk by fragments of a downed aircraft, in in Kyiv, Ukraine, Friday, Feb. 25, 2022. The International Criminal Court's prosecutor has put combatants and their commanders on notice that he is monitoring Russia's invasion of Ukraine and has jurisdiction to prosecute war crimes and crimes against humanity. But, at the same time, Prosecutor Karim Khan acknowledges that he cannot investigate the crime of aggression. (AP Photo/Oleksandr Ratushniak, File)
ICC prosecutor to open probe into war crimes in Ukraine

U.N. human rights chief Michelle Bachelet confirmed that 102 civilians have been killed.

FILE - Refugees fleeing conflict from neighboring Ukraine arrive to Zahony, Hungary, Sunday, Feb. 27, 2022. As hundreds of thousands of Ukrainians seek refuge in neighboring countries, cradling children in one arm and clutching belongings in the other, leaders in Poland, Hungary, Bulgaria, Moldova and Romania are offering a hearty welcome. (AP Photo/Anna Szilagyi, File)
Europe welcomes Ukrainian refugees — others, less so

It is a stark difference from treatment given to migrants and refugees from the Middle East and Africa.

Afghan evacuees disembark the plane and board a bus after landing at Skopje International Airport, North Macedonia, on Wednesday, Sept. 15, 2021. North Macedonia has hosted another group of 44 Afghan evacuees on Wednesday where they will be sheltered temporarily till their transfer to final destinations. (AP Photo/Boris Grdanoski)
‘They are safe here.’ Snohomish County welcomes hundreds of Afghans

The county’s welcoming center has been a hub of services and assistance for migrants fleeing Afghanistan since October.

FILE - In this April 15, 2019, file photo, a vendor makes change for a marijuana customer at a cannabis marketplace in Los Angeles. An unwelcome trend is emerging in California, as the nation's most populous state enters its fifth year of broad legal marijuana sales. Industry experts say a growing number of license holders are secretly operating in the illegal market — working both sides of the economy to make ends meet. (AP Photo/Richard Vogel, File)
In California pot market, a hazy line between legal and not

Industry insiders say the practice of working simultaneously in the legal and illicit markets is a financial reality.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.