Census CIO Says DHS Penetration Tests Confirm Data Security

U.S. Census Bureau CIO Kevin Smith said that the Department of Homeland Security performed penetration tests this year that were unable to break through Census’ data safeguards, confirming the strength of Census’ cybersecurity programs for both its self-response website and in-field mobile devices.

Smith’s statements–delivered last Friday during a 2020 Census Quarterly Program Management Review–were aimed at dispelling recent worries of potential data security issues at the bureau.

Numerous former top Federal government officials recently wrote the Department of Commerce–which houses the Census Bureau–for more information on security practices. The bureau shortly after released a statement citing its robust security. Last week, Smith provided more color on the steps taken to ensure security.

“This year, we had the Federal government, Department of Homeland Security, go through penetration testing of not just our internet self-response site, trying to break in, [but also] into the enumeration solutions that are on the cell phones, into the address listing and mapping applications that will list the U.S., into all of the devices and solutions to collect data for the 2020 Census. No critical or high findings were found in this both from the industry as well as from DHS,” Smith said. “No data was able to be taken because of the design and the way to go through and do things, because of the diligence of the processes we follow to continually keep systems up-to-date,” he said.

Much of the concern over Census data security centered on the mobile devices that Census data collectors–called enumerators–use to log data on U.S. households, through in-person canvassing. Smith repeatedly stated that data is only transmitted–but never stored–on devices, minimizing potential risk from phishing or other means of device compromise.

“Once the enumerator collects the on the device and hits submit, the data is off the device. It is gone, it is removed, it is locked away in a vault inside of the Census, so the exposure of data on this phone is minimal,” Smith said. “They do not have access to the data of the Census. They are simply an input submission device.”

Smith’s summary delved into four phases of Census’ data stewardship program, and he said that Census has been collaborating with the office of the Federal CIO and the intelligence community to bolster cyber resilience and “to proactively get in front of potential cyber threats that are not known in the general industry.”

Concerns about data encryption also prompted Smith to reinforce that Census is encrypting data–both in transit and at rest–and making it a priority to shield it from outside interference.

“We don’t just encrypt the data and protect it. We’re using a strategy to isolate the data away from the public internet as quickly as possible once the data is submitted,” he said.

As for why his organization has been mum on the details of many of its cybersecurity practices, Smith seemed to echo the July 18 statement from the Census Bureau, saying that revealing details of security practices would work to the bureau’s detriment. He did, however, say that the “playbook” is being shared with the relevant parties–the Federal government, intelligence community, trusted industry partners, and the Federal CIO staff, but not the full public.

“That’s kind of putting the playbook out there when you don’t want people to see the playbook,” Smith said.

Recent