Government report reveals severe deficiencies in US Census Bureau tech security

The US Census Bureau was accessed by a team of hackers, which the agency had hired itself, between August 2021 and March 2022, exposing flaws and weaknesses in the government system.

Surprised? Don’t be. On January 11, 2020, hackers breached remote Census Bureau servers and installed malicious code. While the hackers were unable to set up backdoors for ongoing access and were blocked from the servers by a firewall two days later, the breach was not discovered until more than two weeks later, on January 28.

Thus, the hiring of a group of “red team” hackers—a group paid to act as adversaries—to expose any ongoing insufficiencies. According to the Office of the Inspector General (OIG) and the US Department of Commerce (DOC), the agency still has work to do.

The extent of the simulated attack was revealed in a November 22, 2022, OIG and DOC report. At first, hackers were unable to make their way reliably into the internal network and establish a foothold there.

In order to fully imitate the possibility of a breach, the agency-hired hackers were given the internal foothold they failed to achieve, the report said. The team was then able to get into systems through a domain administrator’s account. From there, the team had free access to private profiles and even sent emails from agency staffer accounts.

“Once a domain administrator account is under their control, advanced threat actors can pivot across a network, evade security defenses, maintain a foothold on the network, access sensitive files, and run malicious commands,” the report explained. “By bypassing multiple security countermeasures and evading detection by the bureau’s staff, the red team demonstrated a critical threat to the bureau’s information security.”

The Census Bureau, in a statement given to media outlets, downplayed the report’s findings and argued that while there was a need for beefed-up security measures, the exercise by and large had shown that the systems in place were secure.

“During this exercise, the security firm identified areas of improvement and we are already taking action to make our robust cyber network even stronger,” a Bureau spokesperson said. “The bottom line: The contracted security firm was unable to access our system until we gave the red team the necessary access to complete the assessment.”

That may be. But according to the report, internal security measures are still insufficient.

“Once the Bureau provided the red team with an internal foothold under an assumed breach scenario, we determined that the Bureau did not have an effective cybersecurity posture in place to protect against a simulated real-world attack,” the report said.—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected].