A new report says the Census Bureau’s cloud-based IT systems have been plagued by a number of “security deficiencies” — a potentially hazardous situation as the bureau prepares to gather a vast amount of personal data as part of its 2020 population tally.
The recently released audit by the agency’s inspector general indicates that the bureau was rushing to deploy systems before a 2018 end-to-end test and got a little sloppy in the process. The deficiencies violate Department of Commerce and governmentwide policies, according to the report.
For example, the bureau failed to properly secure the root user accounts for eight Amazon Web Services GovCloud environments — seven operated by a commercial-cloud reseller and one run by the bureau itself. The root user, which is automatically created when a new cloud environment is spun up, has basically unlimited privileges to change accounts, delete data and more. That’s why AWS and the bureau’s own guidance suggest that this account be disabled. In fact, AWS is so intent on users disabling these accounts that it does not support multi-factor authentication for the root user keys, which, because of what happens next, ended up putting the bureau’s data at even more risk.
Not only did the bureau fail to disable its root user accounts, it then lost all the keys for these eight accounts for a “prolonged” period of time.
While the keys were lost, “the Bureau did not have control of the root user accounts and could not disable access to them,” the inspector general’s report notes. It wasn’t until the IG notified the bureau of this problem that officials went to AWS to get help resetting the keys.
In total it took six weeks for the bureau to fix the security weakness once it was noticed, a timeframe that the IG says “demonstrates the Bureau’s inability to have stopped a potential attacker with stolen root keys from modifying or destroying all cloud system resources hosted in its GovCloud environments.”
“Fortunately, we did not find evidence of the lost root keys being used maliciously,” the report states. “However, the Bureau could not know if they had been stolen or sold and, having lost the root user keys, would have been powerless to stop an attacker from causing irreparable harm to the cloud environments. Therefore, we conclude that the Bureau exposed the 2020 Census preparations to potentially catastrophic risk by not securing the root user accounts.”
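The two conditions the report describes (active root access keys and a root user without MFA) are visible in the AWS IAM credential report, which lists the root user as `<root_account>`. The check below is an added example, not code from the bureau or the IG; the sample report, account id and timestamps are constructed placeholders.

```python
import csv
import io

# Constructed sample in the layout of the AWS IAM credential report
# (fetched with `aws iam generate-credential-report`, then
# `aws iam get-credential-report`, which returns base64-encoded CSV).
# The root user always appears as <root_account>. The account id,
# ARNs and timestamps are placeholders, not values from the audit.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws-us-gov:iam::000000000001:root,2017-01-05T10:00:00+00:00,not_supported,2018-03-01T09:00:00+00:00,not_supported,not_supported,false,true,2017-01-05T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws-us-gov:iam::000000000001:user/deploy-bot,2018-02-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-02-01T10:00:00+00:00,2018-05-02T12:00:00+00:00,us-gov-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def audit_root_user(report_csv: str) -> list:
    """Return findings for the <root_account> row of one credential report."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        # Every report contains the root row; its absence means a bad file.
        return ["no <root_account> row: report is truncated or not a credential report"]
    if root["mfa_active"] != "true":
        findings.append("root user has no MFA device")
    for n in ("1", "2"):
        # Root access keys cannot be protected by MFA; they should not exist.
        if root[f"access_key_{n}_active"] == "true":
            findings.append(f"root access key {n} is active (should be deleted)")
    return findings


def audit_accounts(reports: dict) -> dict:
    """Run the root check over several accounts' reports, keyed by account id.

    Only accounts with findings appear in the result, so an empty dict is a pass.
    """
    results = {}
    for account_id, report_csv in reports.items():
        findings = audit_root_user(report_csv)
        if findings:
            results[account_id] = findings
    return results


if __name__ == "__main__":
    for account_id, findings in audit_accounts({"000000000001": SAMPLE_REPORT}).items():
        for finding in findings:
            print(f"{account_id}: {finding}")
```

Running the check against every GovCloud account, including ones operated by a reseller, is what surfaces the situation the report describes before an outside auditor does.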
The IG report also found that the bureau had failed to implement other “basic security practices” that could help keep census data safe in the cloud. The IG made eight recommendations and the Census Bureau agreed with all of them. “Our recommendations, if fully implemented, will help the Bureau manage its cloud environments in a more secure manner,” the report states.
“The U.S. Census Bureau understands the specific recommendations put forward by the Office of Inspector General (OIG) and has taken steps to enhance the robust IT security infrastructure in place for the 2020 Census,” the bureau said in an emailed statement. The agency has “already taken action” like securing GovCloud user keys and more, the statement went on.
In April, bureau officials spoke proudly about the “successful” deployment of the internet self-response capability during the 2018 end-to-end test. However, this IG report suggests that, behind the scenes, things weren’t going quite so smoothly.
The 2020 census remains on the Government Accountability Office’s high risk list after being added to it in 2017.