Adam Levin

2020 Census Outreach Runs Counter to Cybersecurity Best Practices

Photo source: Getty Images

Distracted by a pandemic, historic social unrest, a general election, fire tornados and murder hornets, the Trump administration seems intent on handing Republicans a prize equal to if not greater than the parade of federal judges appointed over the last 44 months — namely, an undercount in the 2020 decennial population census.

Legally mandated every ten years, the census determines where the 435 seats of the House of Representatives should go, and how federal funds should be allocated. It is a population count of the nation as it stands, not as those in power would like it to be. In addition to a skewed Electoral College, an undercount could decrease federal funding for crucial programs, potentially harming Medicaid, food stamps, public education as well as the quality and availability of healthcare.

The 2010 Census had an overall undercount of only 0.01 percent, which is very good. The problem in 2010 was not how many people were undercounted, but rather who wasn’t counted: 700,000 Latin Xers and almost five percent of the Native American and Alaska native population living on reservations; a million children under the age of four; 1.1 percent of renters, and a whopping 2.1 percent of the Black population.

The non-Hispanic white population was overcounted by 0.8 percent in 2010. That error produced about 1.5 million non-existent white people.

Undercounts hurt people as much if not more than overcounts do.

With 60 million households still uncounted, the Census Bureau recently announced that the current count would end four weeks early, a move that many, including the New York Times editorial board, saw as blatant sabotage aimed at “whitewashing” the census.

Four in ten households — many of them non-white and harder-to-reach — now have to be counted in a matter of weeks. To accomplish this Sisyphean assignment the Census Bureau is sending emails — email that will join the steady stream of phishing scams and spam already at our inboxes and discarded several times a day.

This email outreach will not solve the undercount problem. For starters, we have to assume that recipients will include people who have already completed the census questionnaire. With an average open rate of around 22 percent and a click-through rate of 3.4 percent, a fraction of the hard-to-reach (many of whom do not have email accounts) will get to the point where they might answer the census questions.

The tactic seems of a piece with President Trump’s “suburban strategy.” Undocumented immigrants are well represented among the households yet to respond. Given the Trump administration’s immigration policy, undocumented immigrants are probably wary of government communications of any kind. They may simply worry about getting hacked.

Setting this aside, from a cybersecurity perspective the Census Bureau’s planned outreach seems almost designed to fail since it asks people to provide personal information using an inherently insecure protocol. As such, the email strategy mirrors recent attacks on the United States Postal Service and mail-in voting.

Joe Biden’s campaign was targeted by the Chinese with phishing emails earlier this summer. More recently, North Korea targeted Israel’s defense industry. We all know email is not secure. We are increasingly wary of email from senders who aren’t already in our contacts. Millions of spam emails are sent every day and lurking in that shoal of digital bait are plenty of bot-launched cyberattacks. As consumers, we hate spam and we know a thing or two about phishing exploits. Spam filters and anti-virus programs make many unsolicited solicitations disappear before they even get to our inbox. People who do direct email campaigns know all this.

The current Census 2020 outreach runs completely counter to cybersecurity best practices. The email campaign was announced in a press release that got picked up by news wires. It included information about when citizens could expect a communication from the Census Bureau, and the email address it would come from.

By indicating when people should expect a communication from the Census Bureau, the communiqué gave hackers time to create spoof communications, and a window when they could predictably trick people into clicking malicious links. The attacks could point to secure websites on URL addresses that look like the real thing thanks to exceedingly difficult to detect typo-squatting variations. They can infect networks and devices with malware, and trick users into providing sensitive personal information that can be later used in an identity-related crime.

The early end of the 2020 Census and the email campaign follow in the wake of two earlier attempts to manufacture an undercount: the addition of a citizenship question (a ploy rejected by the Supreme Court) and the attempt to ban undocumented immigrants from the count. The recent and extraordinary appointment of a third deputy director at the U.S. Census Bureau should only serve to give us still more pause. It will provide a fig leaf to the current administration’s naked ambition regarding the 2020 Census, allowing them to say they did their best while delivering yet another Republican coup.

Scams and zero-day exploits target unforeseen vulnerabilities that arise from even the best laid plans. While it’s hard to know if we’re looking at a mistake or a scam here, we can be certain we’re not looking at a winning strategy.

In a world where data breaches are as common as an all caps tweet from the President, and identity theft has become the third certainty in life (right behind death and taxes), most consumers know not to provide personal information when it is requested online–even the very general information in the census questionnaire. In a head count that could pivot on a fraction of a percentage point, one person exercising caution could tip the scale for any number of bad budgetary and electoral outcomes.

While it’s hard to know what would perform best given the manufactured crisis of a shortened count, anything beats email. The Census Bureau has a $500 million public education and outreach budget. Newspaper inserts with the questionnaire might perform better than an email, as might newspaper ads, television ads, an online ad campaign or a traditional PR campaign.

The stakes are high. An undercount will hurt the neediest among us while making it easier for Republicans to win future elections. There is still time to make sure we get the most accurate count possible. We should use it.

--

--

--

Founder, CyberScout. Co-founder, Credit.com.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to decode timelock

Is Dawn.com being used as a cyber attack vector in Pakistan?

Roadmap Q2: EPNS Showrunners Framework and Backend SDK Beta v1.0 are Live!

SSD Security Recap — February 18

Mobile Device Cybersecurity Checklist for Consumers

Make API scanning a daily practice

ICON in Numbers #16 (week 41–2020)

TryHackMe’s Complete Beginner and PenTest+ Paths

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Levin

Adam Levin

Founder, CyberScout. Co-founder, Credit.com.

More from Medium

Cato the Younger

The best New York Rangers second-round preview on the internet

Gif of the Rangers celebrating Artemi Panarin’s game seven winner vs the Pittsburgh Penguins

Do I Need a VPN?

Tropicália: More Than Just a Musical Genre

Photo of Christ the Redeemer statue in Rio de Janeiro, Brazil.