Census Bureau disputes Inspector General claim that hacking team gained unauthorized access
The U.S. Census Bureau disputed a report from the Office of Inspector General (OIG) that found the organization vulnerable to cyberattacks, claiming that they knowingly allowed a "red team" of hired hackers to access their systems.
On Tuesday, the OIG published a redacted report detailing a recent “red team” exercise – where hired cybersecurity officials pose as hackers – and said the U.S. Census Bureau “did not have an effective cybersecurity posture in place to protect against a simulated real-world attack.”
According to the report, the red team gained unauthorized and undetected access to a Census Bureau domain administrator account and was able to obtain access to personally identifiable information of employees.
That information included hiring forms with Social Security numbers, first and last names, and home addresses.
“The red team observed two instances where approximately 10 individuals appeared then were removed from this file share over the course of 2 weeks. The red team was then able to access and simulate transferring this information outside of the Bureau’s network without generating any alerts,” OIG explained.
The report found that red team was able to "reduce the Bureau’s defensive options," though it was unclear how they did so because of a redaction. They also used "insecure programs" to send fake emails from a "census.gov" address and carried out “several malicious actions that identified 11 security weaknesses.”
The report notes that in January 2020, malicious hackers were able to successfully exploit a security weakness in the Bureau's virtual desktop infrastructure just prior to the official start of the 2020 Census.
“The hackers' success came from exploiting a known vulnerability, and our office reported on this incident in an August 2021 report. In light of that incident, we launched a cyber red team to provide a realistic assessment of the Bureau's susceptibility to advanced cyber threats,” OIG said.
But in a statement to The Record on Friday, a Census Bureau spokesperson disputed OIG’s characterization of the simulated attack, claiming that the security firm “failed to gain access to our system or information via their own efforts.”
“The Census Bureau believes the best way to ensure a robust system is to thoroughly test it using real-world attack techniques. In that spirit, we agreed to go a step further and grant the red team special internal access to assess any potential areas of improvement. The members of the red team were vetted in advance,” a Census Bureau spokesperson said.
“During this exercise, the security firm identified areas of improvement and we are already taking action to make our robust cyber network even stronger. The bottom line: the contracted security firm was unable to access our system until we gave the red team the necessary access to complete the assessment.”
The Census Bureau did not respond to follow-up questions about the discrepancies between their claims and the OIG report.
The spokesperson would only say that they “value OIG’s role and appreciate the audit which allowed for a strong cyber exercise.” They added that it will help them further improve their “already robust cyber framework.”
“Cybersecurity has long been a core priority for the Census Bureau given our role as the nation’s leading provider of quality data. Our deep commitment to protecting data will continue,” the agency said.
The Census Bureau runs the decennial census, which determines the apportionment of congressional lawmakers in the U.S. House of Representatives and provides a framework for how billions in federal funding is dispersed across the country for infrastructure and public services, such as highways, hospitals, and schools.
The Bureau “collects, analyzes, and publishes demographic and economic statistics which can include sensitive financial and personal information on U.S. residents and businesses.”
The agency uses an information technology enterprise network to store, process, and transmit data.
The OIG report suggests the Census Bureau take several actions to remedy the issues they found, including implementing periodic reviews and verifying that Active Directory permissions are protected from common attacks, and find ways to further limit employee access to certain parts of the system.
OIG also urged the agency to implement advanced authentication security controls, verify proper protection against the discovered vulnerabilities, develop an alert system, limit permissions around file shares that contain personal information, update logging configuration requirements and establish a process to periodically test and inspect Bureau websites and web applications for vulnerabilities and susceptibility of malicious input.
The report notes that the Bureau needs to continue the process of removing legacy code from its systems and conduct a “full after-action review on the detailed red team report” that includes a plan to correct the specific issues identified.
Several of the recommendations are redacted.
The report includes a letter from Frederick Meny, Jr., Assistant Inspector General for Audit and Evaluation, that said the Bureau “concurred with all of our findings and recommendations” in a response issued on October 19.
The Bureau has to submit an action plan within 60 days of the report's publication.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.