Sen. Tom Carper (D-DE) recently wrote to Director of the Cybersecurity and Infrastructure Security Agency Christopher C. Krebs and Census Bureau Director Steven Dillingham to inquire “how the agencies are working together to ensure that personally identifiable information will be secured” in the 2020 Census. “It is critical that the information systems and networks that hold this data be continuously monitored for vulnerabilities, and that any discovered vulnerabilities be quickly remediated.”
Carper seeks to find out whether “an outside auditor validated the sufficiency of the Census Bureau’s encryption strength.” He also asks:
- “Are the responses from the 2020 Census going to be stored on a separate Census Bureau network dedicated solely to handling census data, or the Department of Commerce’s preexisting network?”
- “Will the information be stored or reviewable by any other Agency?”
- “Aside from the two-factor authentication, will other security protections and tools be in place to protect the information and manage risks, and if so, what are those other security protections and tools?”
- “What are CISA and the Bureau assessing the highest risks to be, and what is being done to mitigate those risks specifically?”
- “Will the information collected be stored in a segmented way to create boundaries in accessing the information already in the system?”
- “Please explain how the Census Bureau would be able to determine if data integrity was compromised and data was inappropriately manipulated – either during collection, or while in storage. What processes are in place to understand ‘ground truth’ and react swiftly and appropriately to any concerns identified?”
Carper also asked about the DHS and Census Bureau response to the Government Accountability Office’s (GAO) recommendations in recent testimony.
- “Please describe what steps, if any, are being taken by DHS or the Bureau, to identify and combat potential social engineering efforts by malicious actors to obtain and exploit Americans’ personally identifiable information by fraudulently claiming to be associated with the Census.”
- “To what extent, if at all, are other Federal agencies such as the National Security Agency, U.S. Cyber Command, and the Office of the Director of National Intelligence, involved in working with DHS or the Bureau in addressing potential cyber threats, and what will that involvement be as the census begins in earnest in April 2020?”
Sen. Carper and his staff are seeking answers to all these tough census cybersecurity questions by the end of September.