Audit report

Auditor Reports Shortcomings in Census Bureau’s Response to January 2020 Hack

The Census Bureau could have done better in mitigating a cybersecurity incident that affected its servers in January 2020, according to a federal auditor.

Hackers targetted the bureau’s remote access servers, which staffers use to access production, development and lab networks. System personnel said the servers are not linked to the ones used for the 2020 decennial census.

The Department of Commerce Office of Inspector General said it conducted the review to determine whether the Census Bureau’s cybersecurity response met federal and departmental requirements.

OIG reported that the bureau missed opportunities to mitigate a critical vulnerability and did not immediately report the exploit.

More than three weeks before the attack, the vendor of the bureau’s remote-access servers publicly released information about the vulnerability, including steps to mitigate it.

The National Institute of Standards and Technology assigned the exploit a rating of “critical,” the highest level in the National Vulnerability Database. OIG said the Census Bureau failed to address the issue despite the notices.

While the hackers were prevented by a firewall from establishing a backdoor, they got as far as making unauthorized changes to the servers.

The Census Bureau only became aware of the breach more than two weeks after the incident.

OIG said the delay occurred because the bureau was not using its security information and event management tool to proactively alert responders.

The SIEM tool was only being used for reactive, investigative actions. OIG said the bureau has since provided evidence that the tool is now using an automated alert capability.

OIG recommended establishing better procedures for breach alerts, frequently updating vulnerability scanning lists and reviewing the automated alert capabilities of its SIEM tool.