THE KEY

The 2020 Census faces major cybersecurity risks that could compromise the personal information of hundreds of millions of Americans.

But Congress doesn’t seem to be paying much attention.

When lawmakers convened Tuesday for a hearing about the decennial count, government auditor Nick Marinos described a litany of vulnerabilities that could leave Americans’ information hackable — and that are far more pressing because this is the first census that will be conducted primarily online.

Members of the House Appropriations panel, however, didn’t ask a single question about the cybersecurity weaknesses during the two-hour hearing, which focused primarily on the Trump administration’s plan to add a question about citizenship to the count. They also did not devote any time to grilling Census Bureau Director Steven Dillingham, who also testified at the hearing, about the progress (or lack thereof) in making the security fixes his own department identified as critical.

The apparent lack of attention is a troubling sign for the security of the constitutionally mandated count — which is also the most comprehensive database of Americans’ personal information.

If vulnerabilities in census systems aren’t dealt with, there’s a risk that hackers could compromise Americans’ data — such as birth dates, marital status and telephone numbers — on a mass scale. And that data could be used to help file phony tax returns, apply for credit cards or for other nefarious purposes.

More troubling, if hackers manipulated information collected by the bureau, that could compromise all manner of government tasks, including drawing congressional districts and allocating federal grants.

“Until the bureau implements a formal process for tracking and implementing appropriate corrective actions to remediate identified cybersecurity weaknesses … it faces an increased likelihood that these weaknesses will go uncorrected and may be exploited to cause harm,” according to prepared testimony from Marinos, director of cybersecurity and information technology at the Government Accountability Office.

Here's a quick tally of the digital risks Marinos outlined:

  • An outstanding backlog of over 500 security fixes identified in the Census Bureau's own security review that officials still had not made as of March. Nearly 250 of them were labeled “high risk” or “very high risk.” And 70 had been delayed by two months or more.
  • Six of the 52 IT systems that support census operations haven’t yet been authorized to operate, leaving only limited time for security assessments before the count. And 32 others may need to be reauthorized before 2020.
  • The bureau has scaled back numerous trial runs of gathering census information. By reducing their scope, the Census has made it more difficult to gather information about possible security problems during the actual count.
  • And out of 17 recommendations to improve census security made by government cybersecurity pros at the Department of Homeland Security, Census officials have implemented only three of them.

Those DHS recommendations focused on better testing for how hackers might penetrate census IT systems, testing for phishing attacks and developing better processes for responding to digital attacks, according to Marinos’s testimony. He didn’t identify specific vulnerabilities because they could be exploited by hackers.

Marinos also noted that U.S. adversaries could launch online disinformation campaigns aimed at degrading Americans’ trust in the Census Bureau’s ability to safely collect and store their information.

“According to the bureau, if a substantial segment of the public is not convinced that the Bureau can safeguard public response data against data breaches and unauthorized use, then response rates may be lower than projected, leading to an increase in cases for follow-up and subsequent cost increases,” the testimony states.

Though time is running short before the 2020 count, Congress could force quicker fixes to cybersecurity vulnerabilities by ramping up oversight or demanding fuller testing of IT systems. Lawmakers could also press DHS to boost cybersecurity assistance to the Census as it has done with state and local election systems. 

Dillingham, the Census chief, didn’t address cybersecurity extensively but said in his testimony that the bureau has “a comprehensive approach to maintaining data security,” “test[s] all systems for security well before they are deployed” and has “plans and procedures in place to respond immediately to existing or perceived threats.”

PINGED, PATCHED, PWNED

PINGED: Presidential candidates, by and large, aren’t using email security protections that prevent supporters from receiving phishing and scam emails that appear to come from their campaigns.

A study by the email security firm Agari of 12 candidates found that only two of them were fully using the tool called Domain-based Message Authentication, Reporting, and Conformance, or DMARC — Sen. Elizabeth Warren (D-Mass.) and former Massachusetts governor Bill Weld, who is launching a long-shot challenge to President Trump for the Republican nomination.

DMARC basically verifies that emails that look as if they come from an organization’s Web domain — such as ElizabethWarren.com — were actually sent from that domain.

Another email security firm, ValiMail, showed me a separate tally that found former vice president Joe Biden was also protected by DMARC — but was directing phony emails to recipients’ spam folders rather than rejecting them entirely. 

Agari Chief Marketing Officer Armen Najarian told me that sending phishing emails to a spam folder isn’t good enough when it comes to political campaigns, though. He noted that the spearphishing email that allowed Russian hackers to compromise Hillary Clinton’s 2016 campaign first arrived in chairman John Podesta’s spam folder.

The campaign for Rep. Tulsi Gabbard (D-Hawaii), who was not included in the Agari tally, also has DMARC set up to reject phony emails entirely. 
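The distinction the Agari and Valimail tallies draw (no DMARC at all, a quarantine policy that sends spoofed mail to spam, or a reject policy that refuses it outright) comes down to a few tags in a DNS TXT record. The following is an added example, not code from the newsletter, Agari or Valimail: it parses DMARC records and classifies each one by how much protection it actually gives. The domain names and record strings in SAMPLE_RECORDS are constructed for illustration and are not any campaign's real DNS records.

```python
"""Classify the strength of DMARC records.

Added example; not code from the newsletter, Agari or Valimail. The domain
names and TXT strings in SAMPLE_RECORDS are constructed for illustration and
are not any campaign's real DNS records.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample _dmarc TXT records keyed by placeholder domain.
# None models a domain that publishes no DMARC record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "spam-folder.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@spam-folder.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@reject.example",
    "partial.example": "v=DMARC1; p=reject; pct=25",
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]   # value of the p= tag, or None when absent
    pct: int                # share of failing mail the policy is applied to
    level: str              # unprotected / monitor-only / spam-folder / partial-reject / reject
    note: str               # plain-language consequence for spoofed mail


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments and malformed fragments
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Map a domain's DMARC record to a protection level."""
    if record is None:
        return DmarcAssessment(domain, None, 0, "unprotected",
                               "no _dmarc record; receivers cannot check spoofed mail")
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(domain, None, 0, "unprotected",
                               "not a DMARC record (v=DMARC1 missing); receivers ignore it")
    policy = tags.get("p", "").lower()
    try:
        # pct defaults to 100 when absent; an unparseable value is treated
        # the same way here (a choice made in this example).
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100

    if policy == "none":
        return DmarcAssessment(domain, policy, pct, "monitor-only",
                               "spoofed mail is delivered; only aggregate reports are sent")
    if policy == "quarantine":
        return DmarcAssessment(domain, policy, pct, "spam-folder",
                               "spoofed mail lands in the spam folder, where it can still be opened")
    if policy == "reject":
        if pct < 100:
            return DmarcAssessment(domain, policy, pct, "partial-reject",
                                   f"only {pct}% of spoofed mail is rejected during rollout")
        return DmarcAssessment(domain, policy, pct, "reject",
                               "spoofed mail is refused outright")
    return DmarcAssessment(domain, policy or None, pct, "unprotected",
                           "p= tag missing or unrecognised; no enforcement")


def tally(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return domain -> protection level for a set of records."""
    return {d: assess(d, r).level for d, r in records.items()}


def fully_protected(records: Dict[str, Optional[str]]) -> int:
    """Count domains whose policy rejects spoofed mail outright (the Agari bar)."""
    return sum(1 for level in tally(records).values() if level == "reject")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess(domain, record)
        print(f"{domain:24} {a.level:15} {a.note}")
    print(f"{fully_protected(SAMPLE_RECORDS)} of {len(SAMPLE_RECORDS)} fully protected")
```

Run against the constructed samples, only reject.example counts as fully protected; spam-folder.example is the quarantine situation the Valimail tally describes, and partial.example shows why the pct tag matters during a rollout. To check a real domain, replace the sample strings with the TXT record fetched from _dmarc.<domain> with a DNS client.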

Correction: This version of the newsletter has been updated to correct the Gabbard campaign's DMARC status and to include the Agari official who commented on phishing emails.

PATCHED: Lawmakers on the House Homeland Security and Appropriations committees are beating the drum for more cybersecurity funding at DHS.   

Rep. Lucille Roybal-Allard (D-Calif.), who chairs the Appropriations Committee’s DHS panel, will decry proposed cuts to that department’s cybersecurity budget during a hearing this morning, according to a draft of her opening statement that was shared with me.

She’ll be joining House Homeland Security Chairman Bennie Thompson (D-Miss.) and cyber panel chair Cedric Richmond (D-La.), who made similar complaints during a separate budget hearing Tuesday. The committee’s ranking Republican, Mike Rogers (Ala.), earlier urged more DHS cyber funding in a letter to appropriators that was also signed by Thompson.

Chris Krebs, who leads DHS’s cybersecurity division, told Homeland Security lawmakers at Tuesday’s hearing that the administration’s most recent budget request is outdated and doesn’t reflect his agency’s expanding mission, which includes helping state and local governments with cybersecurity and helping protect the 2020 elections. When one lawmaker asked Krebs whether he’d spend all the money if Congress doubled his budget, he replied: “Yes, sir.”

PWNED: The Trump administration has signaled it may seek the permanent renewal of a controversial surveillance law that has allowed the National Security Agency to gather and analyze Americans’ phone records as part of terrorism investigations, my colleague Ellen Nakashima reports this morning.

The White House was preparing a public statement calling on Congress to fully reauthorize Section 215 of the Patriot Act, but that plan was put on hold without explanation, Ellen reported.

“Section 215 was last revised in 2015 as part of the USA Freedom Act after a former NSA contractor, Edward Snowden, exposed how the government was collecting vast quantities of Americans’ phone logs to be able to scan them for clues to terrorist plots,” Ellen explained. The NSA later suspended the program because of technical issues that “put Americans’ privacy at risk.”

On Tuesday, the NSA revealed that it disclosed the identities of about 75 percent more U.S. residents or corporations to other government agencies than it did the previous year under a separate surveillance law, according to an annual transparency report.

“But the statistics … may reflect an increase in the number of people or American businesses being victimized by a foreign government, including through computer hacks, and whose identities were revealed to warn them, a U.S. official said,” my colleague Shane Harris reported.

In 2018, the NSA unmasked the identities of 16,721 “U.S. persons,” a term that includes corporations, according to the report. “That was a more than 7,000-person increase from 2017,” Shane reported. The law that governs that surveillance program is due to expire in December and the NSA has recommended letting it lapse.

PUBLIC KEY

Cybersecurity news from the public sector:

National Security
In a letter and phone call, special counsel Robert S. Mueller III and Attorney General William P. Barr went back and forth over Mueller’s concerns. “The summary letter the Department sent to Congress and released to the public . . . did not fully capture the context, nature, and substance of this office’s work and conclusions,” Mueller wrote.
Devlin Barrett and Matt Zapotosky
U.S. border officials are asserting “broad, unconstitutional authority” to conduct warrantless searches of travelers’ phones, tablets and laptops, according to a new court filing.
TechCrunch
Senate Minority Leader Charles Schumer (D-N.Y.) is calling for the Trump administration to brief the Senate on what actions it is taking to prevent interference in the 2020 presidential election.
The Hill
Security officials from British telecoms operators are to meet with the leading ...
Reuters
A new Binding Operational Directive from the Cybersecurity and Infrastructure Security Agency requires agencies to move faster on addressing known security flaws in federal systems.
FCW
PRIVATE KEY

Cybersecurity news from the private sector:

The data was stolen from Citycomp, which provides internet infrastructure for dozens of companies including Oracle, Airbus, Toshiba, and Volkswagen.
Motherboard
Transportation
But the auto industry is downplaying a report that a hacker’s use of GPS trackers allowed him to monitor the location of thousands of vehicles in commercial fleets and even turn off their engines.
Fredrick Kunkle