“Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power,” said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. “I think there will be lots of attempts. We should be concerned.”
So far, there has been no indication of anyone trying to target the survey, but experts say the risks will probably grow as the launch draws closer. Census Bureau officials say they are working with experts in the government and private sector, including at the Department of Homeland Security, Facebook, Microsoft and Google, to defend against people or foreign states who try to undermine the U.S. government or prevent certain groups from being counted.
They plan to encrypt incoming information, scan responses for unusual activity and monitor social media to spot attempts to mislead the public. The bureau has bought up more than 100 census-related domain names so they can’t be used to create fake census sites, and it plans to aggressively push the message that completing the survey is safe and that being counted is beneficial to communities.
Yet cybersecurity experts cite several reasons to be concerned with the plan. It comes at a time when trust in the government generally is low. Many people’s trust in the census in particular has been eroded by fears about the Trump administration’s decision last year to add a citizenship question to the survey. The question has been struck down by two federal courts and the Supreme Court is expected to decide this spring whether it will appear on the forms.
At the same time, previous data breaches have left many Americans leery of sharing personal information online. The federal government’s troubled track record in building and maintaining technological systems includes the repeated meltdowns of healthcare.gov in 2013 and the Office of Personnel Management hack, revealed in 2015, that exposed names, Social Security numbers, salaries and other information on more than 21 million federal workers, allegedly to Chinese hackers. More recently, the Federal Emergency Management Agency exposed the personal addresses and banking information of 2.5 million disaster survivors.
Joshua Geltzer, a former National Security Council official who has warned of security risks to the census and called for greater transparency on it, said it is particularly important to clarify how it will be protected given how Russian interference in the last presidential election spawned years of questions — many still unanswered — about how seriously outside forces were able to affect a major American vote.
“We know that actors like the Russians and others are interested in finding ways to make our democracy seem weak, brittled, flawed,” said Geltzer, who is executive director of Georgetown Law’s Institute for Constitutional Advocacy and Protection. He added, “I don’t think it’s crazy to worry that there might still be problems when this thing rolls around. We haven’t cracked the code on this in terms of other contexts, of the elections, of the general democracy, so I wouldn’t expect the Census Bureau to have figured this out.”
Disrupting a census is not unprecedented: When Australia put its census online in 2016, cyberattackers launched what experts call a Distributed Denial of Service attack, in which hackers intentionally overload online systems. The onslaught crashed a critical website, slowing the count.
In past U.S. censuses, survey forms arrived in people’s mailboxes, and those who didn’t mail them in received visits from enumerators carrying another set of paper forms. This time, most households will receive an initial mailing inviting them to log on to the bureau’s website (paper forms will be mailed at that point to the 20 percent least likely to be online, including older people and those in areas with low Internet connectivity).
Households that don’t respond electronically will then receive paper forms by mail, and when enumerators knock on doors to follow up with those who still haven’t responded, they will intake respondents’ information electronically, via an iPhone 8.
The decennial census does not gather Social Security numbers or financial information “Most people fill out credit card applications with much more personal information,” said the bureau’s assistant director of communications, Stephen Buckner.
The bureau has systems in place to guard against hacks. After encrypting the data at two points in the process, it will store the data in its own secure Cloud environment through the Amazon Web Services’ GovCloud. (Amazon chief executive Jeffrey P. Bezos owns The Washington Post.) It will continuously monitor incoming data, using an automated system that will look for suspicious activity, check information against existing records, and refer questionable surveys to analysts for follow-up. In the event of a website slowdown or crash, there will be a backup system as well as options to complete the survey via telephone or mail.
Indications of hacks might include unusual patterns of activity, such as a single-family home reporting that it has 30 residents, or responses coming in too rapidly for a survey that should take about 10 minutes to fill out online.
“If the Census Bureau sees a response is being generated every 15 seconds from a certain computer or a certain area,” that would raise suspicions, said Maria Filippelli, public interest technology census fellow with New America, a nonpartisan Washington think tank. Any unusual spikes “would be investigated, isolated and shut down.”
But the system for collecting information has built-in vulnerabilities, some security experts say. For example, there is no way to stop a person from uploading information about a particular address even if he or she is not a resident there. (While the mailings will include an ID number, respondents can fill out the survey without using the number.)
Census Bureau officials say such activity will be detected as incoming responses are automatically checked against existing records; if a discrepancy is spotted, it will be flagged for human review.
“We constantly scan it to see if some new vulnerability occurred, and if it occurred, then we fix it,” said Kevin Smith, the bureau’s chief information officer. “We are absolutely performance-testing it above and beyond the level that we need to.”
The bureau has been working with DHS’s Cybersecurity and Infrastructure Security Agency (CISA), where a team of about 20 people is focused on helping secure the system and gaming out possible hacks.
“The two most important things that I’ve got going on in both prepping and executing next year are the election and the census,” an official there said. “The risk to the census is fairly broad, and they’re well aware of this, they’re taking a lot of really good actions to secure against these. But then you could have anything from an individual hacker trying to get into some aspect of it to just be difficult, to nation-states trying to gain access in order to get access to personally identifiable information to potentially change census collection, and then you’ve got the foreign influence piece as well, sowing confusion and discord. The census is a key tenet of our democracy, and so some of the same risks and threats you saw to elections are applicable to census.”
A research company that surveys the Web for signs of malfeasance said it detected some chatter about the census a couple of years ago, but so far has seen no evidence of a concerted campaign. That is not surprising given the survey is a year off. A more coordinated effort might not come together until later in the process, said a researcher at the company, which asked for anonymity because of the private nature of its work.
But even if census data aren’t hacked, concerns over cybersecurity could create an atmosphere ripe for disinformation campaigns seeking to influence how, or whether, respondents fill out the survey. This could come in the form of fake reports of Immigration and Customs Enforcement officials accompanying census enumerators to people’s homes, fake news stories about census data being hacked, or phishing websites that trick people into thinking they have filled out the real survey.
Any of this could lower response rates, jeopardizing the quality of the data and driving up costs as the agency attempts to collect information for nonresponding households by going door to door and combing government and public records.
The bureau must navigate a delicate balance between warning people about these dangers and scaring them off.
“It’s tough, for those who care about the census,” Dutta-Gupta said. “We have to be careful in not raising false alarms or concerning people more than they need to be, since trust is essential in ensuring a fair and accurate count.”
The bureau has been meeting with companies such as Microsoft, Google, Facebook and Twitter to plan how to identify and stop misinformation as it comes online. In March, Facebook hosted an event with the bureau and other technology companies and civic organizations to talk about the census. “They’re opening their doors, they realize the importance of this, they’re being collaborative,” Buckner said.
Last year Facebook and Twitter adopted clear, specific prohibitions around voter suppression, hoping to stop the spread of posts, videos and other content designed to deceive users about how to vote. Representatives from these companies would not say whether they are planning something similar for the census. Facebook said only that census-related posts could be submitted to its third-party fact-checkers for review, while Twitter said it would take action against inauthentic accounts created with the intention to deceive users about the census.
Google declined to discuss the census. Microsoft said it is working with the bureau on cybersecurity on issues including threat modeling and detection and defense tactics
Educating the public about how the census works and what information to believe is a key part of protecting it, the CISA official said. “We need to ensure that the public understands where the information is coming from,” the official said. “An informed public is our best defense.”
The U.S. Government Accountability Office has put the 2020 count on its high-risk list, and in a report last month it cited more than 1,000 system security weaknesses and warned that the bureau needs to address “before systems are deployed.” At a full dress rehearsal for the count last year (which was scaled down from three locations to one because of funding shortages), “the Bureau did not test all 2020 Census systems and IT capabilities,” the report said, adding that incomplete testing “increases the risk that innovations and IT systems will not function as intended,”
The bureau said it meets regularly with the GAO to address its recommendations, but added that not all the systems needed to be tested during the dress rehearsal, as some were up and running for other census surveys, and it was too early to test others.
Nick Marinos, director of IT and cybersecurity issues at the GAO, said although the bureau’s innovations make sense, it is coming up against a hard deadline to make sure its systems run smoothly.
“This is an unprecedented effort. . . . Globally, there haven’t been too many online censuses performed,” he said. “I think the bureau itself is anxious and I think that is warranted. I think we are also holding our breath, waiting to see what the next six months brings.”
Ellen Nakashima, Tony Romm and Craig Timberg contributed to this report.