Weaknesses in Census Bureau security symptomatic of poor information security program

A news story in today’s Washington Post calls attention to a recent audit report from the Government Accountability Office, released last month, that identified numerous weaknesses in security controls at the U.S. Census Bureau that pose risks to the bureau’s ability to properly safeguard the information it collects. The weaknesses GAO found raise legitimate concerns about protecting the confidentiality of personal information on U.S. residents and the integrity of that information. Given the vast amount of personal information the Census Bureau collects and maintains, and the government’s reliance on census data to determine legislative boundaries, allocate federal funding for social programs, and shape policy, the lack of effective security controls is both troubling and a bit surprising. GAO emphasized weaknesses in access controls, where it identified six distinct issues, and also pointed to operational and programmatic problems in information security management. The audit findings related to access controls included the following issues:

  1. Insufficient boundary protection controls for network devices, namely conducting management and administration of such devices using the regular network rather than dedicating a separate subnet for such purposes;
  2. Failure to enforce system, device, and individual user authentication and to fully implement federal authentication protocols such as personal identity verification;
  3. Incomplete implementation of authorization controls, notably including granting unnecessary elevated privileges to users and operating some infrastructure devices without access control lists;
  4. Lack of strong encryption on network devices, databases, and system components, including the use of invalid or unsigned digital certificates;
  5. Inconsistent implementation of audit and monitoring controls, including the absence of real-time monitoring and the operation of intrusion detection controls that did not cover some network segments and that had insufficient capacity to process the existing volume of network traffic;
  6. Inconsistent implementation of physical access controls to bureau facilities, including disabling access readers.

Other cited weaknesses include those in patch management and device configuration procedures, in contingency planning, and in the bureau’s implementation of its information security program. The findings of deficiencies within the security management program help explain many of the more detailed weaknesses addressed in the report. GAO noted that the Census Bureau is in the process of implementing a risk management program consistent with current NIST guidelines for federal agencies, but it seems the bureau has not moved beyond a system-specific view of security to better incorporate an enterprise-wide perspective and, within system-level procedures, often failed to fully document security controls, control assessments, weaknesses and vulnerabilities, and remediation plans. Indeed, the 13 recommendations for corrective action offered by GAO can be interpreted in the aggregate as an admonishment to follow the existing standards and guidance for federal agencies to which the Census Bureau is already supposed to be adhering. The official bureau response to the audit findings, included as part of the published GAO report, suggests minor changes undertaken to achieve compliance but gives no indication that the bureau is taking any steps to improve its information security program. This offers little reassurance to members of the public that any meaningful improvement is forthcoming, either in the security posture of the Census Bureau’s computing environment or in the protection of personal information entrusted to the bureau’s stewardship.