The U.S. Census Bureau was slow to report a major cyber breach in early 2020 and missed key opportunities to limit vulnerabilities, according to the Department of Commerce’s Office of Inspector General.
An investigation published Wednesday by the oversight body found that the bureau was failing to scan its remote server prior to the cyberattack, and the failure to keep sufficient system logs hindered a subsequent investigation into the incident.
“We found that the bureau should make improvements to its cyber incident response process. Specifically, the bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers,” the IG said in its report. “Once the servers had been exploited, the bureau did not discover and report the incident in a timely manner.”
The breach took place in January 2020, when hackers accessed the agency’s remote servers. None of the compromised servers were involved with the 2020 census, and the count was unaffected by the attack.
According to the report, the bureau was also operating servers that were no longer supported by the relevant vendor.
The IG has issued a string of recommendations, including that the Census Bureau’s CIO review procedures for notifying IT staff when critical vulnerabilities are publicly disclosed. These include the recommendation that the CIO review the automated alert capabilities of the bureau’s security information and event management tool.
The IG also called on the bureau’s director to ensure that the CIO incorporates periodic reviews of IT asset configurations and also updates bureau response policies to include a specific timeframe.
Earlier this year, FedScoop revealed that the Census Bureau had installed Luis Cano as its chief information officer; he previously worked as chief of the agency’s Decennial Contract Execution Office. He replaced Kevin Smith, who left the bureau in January to join the Federal Housing Finance Agency.
Under federal policy, the statistical agency is required to adhere to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program, which operates regular vulnerability scanning of all systems.