Shh! No Hacking the Census in the Library

Credit to Author: Leeza Garber| Date: Thu, 22 Aug 2019 13:00:00 +0000

The 2020 United States Census will be the first to request a majority of Americans to respond online. The benefits are obvious. A digitized census is more efficient than the 230-year-old paper method, streamlining the processing of individual data for a population that has increased nearly a hundredfold since 1790, to 330 million. But connecting the country’s biggest and most important questionnaire to the internet also creates vulnerabilities to hacks. And what could be the most popular census survey station is also an underfunded and maliciously targeted American institution: the public library (and its computers).

Leeza Garber is a cybersecurity and privacy attorney and Drexel University’s Kline School of Law adjunct law professor specializing in information privacy.

The Census Bureau is aware of digitization risks (and expenses, with cost projections upwards of $15 billion, including an IT budget). The bureau has responded to cybersecurity concerns with encryption, dual-factor authentication, use of the Department of Homeland Security’s EINSTEIN 3 Accelerated cybersecurity system, and a partnership with Microsoft to leverage its expertise.

Not only must census data be secured, kept private, and counted accurately, we must also feel safe providing data within an internet-connected system. When the census arrives, so will cyber scams: phishing emails from bad actors claiming to be bureau representatives, text messages with malicious links, and harassing phone calls demanding private information.

Among the most widespread scams may be ransomware at public libraries, which could temporarily halt internet access. Twenty percent of Americans—about 66 million people—don’t have home internet access, which is exactly why the bureau encourages going to public libraries to fill out the 2020 Census. Libraries will offer internet-connected desktops and designated census “kiosks.” Unfortunately, the Americans who rely on libraries for internet access may face greater cybersecurity risk. Cyberattacks on libraries continue to wreak havoc across the United States. In 2017, hackers locked access to 700 public computers at the St. Louis Public Library. In 2018, some 600 public library computers in Anne Arundel County, Maryland, were infected with a virus that took them offline for weeks, while 13 of the 23 servers within the Spartanburg, South Carolina, public library system were compromised by ransomware. Just last month, the Onondaga County, New York, library computer network was attacked by criminal Eastern European–based ransomware. Moreover, public library internet users may be susceptible to more malware than the typical private computer user; they can't control what protective software is in use, and more users on a single computer creates more opportunities for hackers to pass through. Malicious opportunists can attempt to steal users’ information from public access computers with keystroke loggers or other data filching viruses.

It’s impossible to completely prevent malware, as attacks morph to catch victims off guard and capitalize on changing vulnerabilities. The Public Library Association published a robust malware overview, and the American Library Association has a dynamic privacy page. The ALA also offers guidance for securing public access computers and networks, and the Patron Privacy Technologies Interest Group prioritizes data privacy.

But is this enough for the 2020 Census? Not when library budgets are being slashed across the country. Last December, the New York Library Association issued a statement claiming the state was “unprepared for the 2020 Census,” and that a “lack of federal funding has caused the Bureau to cancel field tests, reduce hiring, and delay critical cybersecurity assessments.” ($1.4 million in city funding was approved this August.) Other states are suffering from similar cuts. In Connecticut, the West Haven Public Library executive director is fighting against years of flat funding that has forced reduced hours of operation. Budget cuts in Louisville, Kentucky, required the closure of two public libraries this year. Alaska state funding for broadband internet in its public libraries was canceled last month.

While funds aren’t being reduced across the board (cities like Philadelphia are celebrating recent wins), when budgeting is approved it is more often for construction, facade renovations, and other non-tech issues. At the federal level, the 2020 budget proposes eliminating the Institute of Museum and Library Services (IMLS), the primary source of federal support for US libraries. This is the third year in a row that the White House has moved to eliminate the IMLS, but past congressional support pushed library funds through. The ALA responded to this latest budget-cut threat by stating that “discouraging as it is that the administration has again proposed eliminating the … IMLS, the bipartisan support in Congress over the past two years gives us reason to hope.”

To safeguard against cybersecurity threats to tens of millions, we need much more than hope. We need federal-, state-, and local-level recognition of the necessity of budgeting for technological updates for public libraries. The upcoming census will require public libraries to have solid and proactive cybersecurity training programs, system backups, and risk-management plans to meet our national needs, lest hackers make fools of us come April 1, 2020.

WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here. Submit an op-ed at opinion@wired.com.

https://www.wired.com/category/security/feed/