With a census just two years away, the Census Bureau has a cybersecurity problem.
That’s a key takeaway from the congressional watchdog, the Government Accountability Office, which oversees the government’s spending. In a new report published Thursday, the non-partisan agency said that the government’s Census Bureau has only a few months to fix thousands of security vulnerabilities that may put citizens’ personal data at risk.
The census, conducted by the federal government decennially, provides the government data on the population.
Ahead of the 2020 census, the Bureau began testing all 44 key systems necessary to support the new option of allowing citizens to send their responses over the internet, a scheme that will save the government billions of dollars.
The two-year test, set to complete in April 2019, has found close to 3,100 security issues and weaknesses, the report said.
In total, 43 security issues were classified “high” or “very high” risk, a rating that reflects cases where, for example, an unpatched system has a vulnerability for which an exploit is known.
“Because the 2020 Census involves collecting personal information from over a hundred million households across the country, it will be important that the Bureau addresses system security weaknesses in a timely manner and ensures that risks are at an acceptable level before systems are deployed,” said the report.
According to the report, 33 of the 44 key systems have so far been authorized to operate in the 2020 Census, but eight systems will need to be reauthorized after extensive changes were made. Three systems that are integral for census work are not yet authorized to operate.
These authorizations are granted after officials evaluate a system’s security, and are necessary for government operations. Once an authorization is granted, those systems are monitored to ensure that the risk level remains “acceptable.”
But the Bureau is running out of time to get these issues fixed.
“The Bureau is facing system development and testing challenges that are delaying the completion of milestones and compressing the time available for security testing activities,” the report said. “It will be important that the Bureau provides adequate time to perform these security assessments, completes them in a timely manner, and ensures that risks are at an acceptable level before the systems are deployed.”
The Government Accountability Office said the Census Bureau has implemented 61 of its 93 recommendations, and has made initial progress on 32 recommendations.
A spokesperson for the Census Bureau did not comment beyond the report.