The 2020 Census Is a Cybersecurity Fiasco Waiting to Happen

For the first time, the census will be conducted mostly online. What could possibly go wrong?

In 2016, Australia tried to run a more efficient national census by conducting it online. Things went badly from the start. On the day the survey was posted, hackers launched a denial-of-service attack that brought down the system for 40 hours. The census was eventually taken, but the government suffered massive embarrassment.

Now the United States is planning its first census that will be conducted primarily online. And with ongoing hacking of US political and government data by foreign powers, it’s no surprise security experts are warning that things could go very wrong.

“We know that certain foreign intelligence services like to mess with US institutions and to try and cause distrust in the system, right?” says Patrick Gray, a leading cybersecurity journalist based in Australia who was the first to piece together what happened there in 2016. “Messing with the census would be a good way to do that.”

The US Census Bureau tested an internet survey in 2000 and scrapped it in 2010 because of concerns over data collection effectiveness and security. Now, despite cost overruns, underfunding, understaffing, and tight deadlines, it’s back for 2020.

Jake Williams, a former National Security Agency hacker, says there are several ways state-sponsored or politically motivated hackers could undermine the census. They could launch an attack like the one in Australia to overwhelm the system and undermine confidence in it. They could flood the portal with phony data to manipulate the results. Or they could breach the system and leak people’s personal information. Any of these would take substantial time and money to fix.

“It’s asymmetric warfare,” Williams says. “If I can spend $1 and force you to spend $10, that’s the Cold War all over again. That’s how we won.”

Already, problems have cropped up. The bureau’s compressed timeline prevented it from conducting reliable tests to detect holes in the computer system’s security. In tests it did conduct, data collected by census workers could not be transmitted and in some cases was deleted completely.

A lack of confidence in the internet census could be self-fulfilling. In Australia in 2016, people opted to leave some personal information blank on their forms after civil liberties groups warned that their data might not be properly secured.

Kenneth Prewitt, who led the Census Bureau from 1998 to 2001, says a breach of the basic information people submit to the census probably wouldn’t lead to identity theft but could erode trust in government. “It wouldn’t amount to much because there’s not much to learn,” he says. “But the optics of it would be devastating.”
