Could the census be hacked?
These days, it takes little imagination — none at all, in fact — to conceive of a hostile foreign actor hungry for detailed information about millions of U.S. voters and determined to undermine Americans’ confidence in their democratic institutions. What does require just a bit of vision is recognizing that there is a fast-approaching opportunity for such actors to advance their agendas: the upcoming census.
That’s because the 2020 census will be the first electronic census in U.S. history. Going digital will enable the process to become cheaper and more inclusive — both good things. But it also provides the opportunity for bad actors to exploit any cybersecurity vulnerabilities that this digitized approach might generate.
That risk takes at least two forms.
First, foreign governments — Russia in particular — could use the bounty of information from the decennial census for microtargeting on social media to propagandize and polarize U.S. voters.
Second, these countries could undermine Americans’ trust in democratic institutions, as governments from Moscow to Beijing have already made clear is in their interest.
Imagine if it became public that a Russian or Chinese hacker had penetrated the database where the 2020 Census results will be held, or even hackers had just penetrated the transmission of information from respondents to that database. Americans might well begin to doubt whether the results of the census — which determine the allocation of seats in the House and votes in the electoral college — are trustworthy.
These are not idle concerns; they’re very real. Special counsel Robert Mueller described similar cyberinterference strategies by Moscow during the 2016 presidential election in his recent indictment of 12 Russian officials for hacking the Clinton campaign and Democratic National Committee. So too did the bipartisan report from the Senate Intelligence Committee.
Yet, despite repeated requests from Congress and from the public for a better understanding of the Census Bureau’s preparations for our nation’s first electronic census, the bureau has not provided basic information on those preparations, let alone a comprehensive approach to ensuring adequate cybersecurity for this landmark undertaking. While the bureau has released a considerable array of materials regarding the 2020 census and even of its electronic component, none appears to specify how it is implementing even basic cybersecurity practices.
That’s why we were among a dozen signatories to a letter sent this month to the leadership of the Census Bureau and Commerce Department (of which the bureau is a part) urging greater transparency regarding cybersecurity preparations for the 2020 census.
The letter — which reflects cybersecurity experience across the federal government, including the intelligence community, and the private sector — encourages Census Bureau leaders to share their plans for protecting this vital information.
To its credit, the bureau issued a response the next day, but, to our disappointment, the response fell short.
The 121-word statement acknowledged the use of a single standard cybersecurity practice — two-factor authentication — and then urged the public to “know that we have strong and resilient security measures protecting every respondent’s information.” In light of the massive 2015 cyberbreach at the Office of Personnel Management, which resulted in the theft of highly sensitive security clearance information for more than 20 million current and former federal employees, the public deserves more than generic assurances.
This is a missed opportunity. As the bureau itself has rightly recognized, “Safeguarding and managing information is essential to the credibility of the Census Bureau and to the success of its mission.”
The accuracy of the 2020 census would be improved by enhancing the American people’s confidence in the secure collection and safe storage of the information on millions of us that is at the core of the census.
As our letter indicated, no cybersecurity expert would suggest that the government reveal publicly any vulnerabilities that might exist. If that’s the bureau’s concern, it should simply retain a reputable outside cybersecurity firm to audit current plans for data protection, then have this firm either confirm publicly the adequacy of existing cybersecurity protocols or assist the government in addressing any gaps identified.
In the wake of the 2016 presidential election, Americans know all too well that hostile actors abroad are focused on spreading disinformation and undermining confidence in our institutions.
When it comes to cybersecurity preparations for the 2020 census, our government has the power to share accurate information and boost Americans’ confidence in this foundational element of American voting. We urge the government to do so.
Joshua A. Geltzer, senior director for counterterrorism at the National Security Council from 2015-17, is executive director of Georgetown Law’s Institute for Constitutional Advocacy and Protection and a fellow at New America. Matthew G. Olsen, director of the National Counterterrorism Center from 2011-14, is an executive at IronNet Cybersecurity and a lecturer on national security law at Harvard Law School. They wrote this commentary for the Washington Post.