2020 U.S. Census Under Scrutiny For Lack Of Transparency About Cybersecurity

King & Spalding

At the August 3rd quarterly meeting of the U.S. Census Bureau (the “Bureau”), Kevin Smith, the Bureau’s Chief Information Officer (“Smith”), attempted to ease concerns regarding the vulnerability of data to be collected in the Bureau’s first wholly digital census in 2020. The Bureau has been under the scrutiny of federal lawmakers and national security officials, who have panned the Bureau’s lack of transparency regarding its readiness and ability to implement basic cybersecurity practices and safeguard census information gathered.

The updated Data Protection and Privacy Statement (“DPP Statement”) published recently to the Bureau’s website offers only a minimal description of the Bureau’s procedures regarding encryption and security. The Bureau’s policy broadly states: “All web data submissions are encrypted to strengthen further the protection of the information we collect online. Per the Federal Cybersecurity Enhancement Act of 2015, your data are protected from cybersecurity risks through screening of the systems that transmit your data.” Further, the DPP Statement states: “[T]his government IT system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to our computer system. Web sites identified as representing an actual or potential security threat to Census Bureau information and/or information resources are blocked.”

Critics have questioned whether the Bureau has fallen dramatically behind, and complaints have been issued surrounding the lack of information regarding its cybersecurity preparations. In October 2017, the House Committee on Oversight and Government Reform (the “Oversight Committee”) questioned Wilbur Ross, the Secretary of the Department of Commerce, of which the Bureau is a part, as to the significant delay in cyber infrastructure required to execute a digital census. At that time, only four of the 43 required IT systems had even been implemented. In February 2018, members of the Oversight Committee sent a bipartisan letter demanding answers regarding the Bureau’s ability and readiness, noting a failure on the Bureau’s part to provide any information and that a briefing with the Government Accountability Office “heightened our initial concerns.”

Further, in July, a group of former senior national security officials wrote to the Bureau urging it “to set out publicly the technical protocols and systems that it will use to ensure the security of the data obtained electronically in the 2020 Census as well as the security of the data obtained through paper forms before being scanned and also stored electronically,” or, alternatively, “to retain a reputable outside cybersecurity firm to conduct an end-to-end audit of current plans for data protection associated with the 2020 Census.”

At the quarterly meeting, Smith argued, “that’s kind of putting the playbook out there when you don’t want people to see the playbook.” While no technical details were offered at the quarterly meeting, Smith summarized the top-level strategies of the Bureau:

  • Encryption is in use everywhere data is collected and stored, including on the census website and on devices used by census workers who attempt to collect information. Immediately upon collection, data is moved away from the public-facing internet.
  • Phishing attempt protections are employed, such as the purchase of domain names that could potentially be used by hackers to collect information, and intrusion monitoring is used for the census website.
  • The Bureau has partnered with the Department of Homeland Security and the private sector to test the Bureau’s defenses. Smith offered that no data was taken during testing and that no major problems were observed.

Data collection and testing of the integration of operations and systems are currently underway. Beginning at the end of 2017, 80,000 random households were selected to provide responses by internet, which enabled the Bureau to assess online system integration. A more in-depth final test of full operations, such as mobile technology, geospatial data, and internet self-response, has now commenced in Providence, R.I.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
