Incident: Cybersecurity Risks in Public Libraries for 2020 Census Software Failure

Published Date: 2019-08-22

Postmortem Analysis
Timeline 1. The software failure incident mentioned in the article happened in the past, as it discusses previous cyberattacks on public libraries, such as in 2017, 2018, and last month. 2. The article was published on August 22, 2019. 3. Estimating from the information provided, the software failure incident likely occurred in July 2019.
System 1. Public library computers [88378] 2. Census Bureau's cybersecurity measures [88378]
Responsible Organization 1. Hackers targeted public libraries' computers, leading to incidents such as ransomware attacks and viruses infecting systems [88378]. 2. Lack of federal funding for cybersecurity assessments and critical infrastructure for the 2020 Census contributed to the vulnerability of public library systems [88378].
Impacted Organization 1. Public libraries across the United States [88378] 2. Census Bureau and the 2020 United States Census [88378]
Software Causes 1. Lack of proper cybersecurity measures in public libraries, leading to vulnerabilities for cyberattacks [88378] 2. Ransomware attacks on public library computer networks, compromising systems and disrupting services [88378] 3. Insufficient funding for cybersecurity assessments and technological updates in public libraries, impacting the security of systems [88378]
Non-software Causes 1. Lack of federal funding for the 2020 Census, leading to reduced hiring, delayed cybersecurity assessments, and canceled field tests [88378]. 2. Budget cuts in public libraries across the country, resulting in reduced hours of operation, closures, and canceled funding for broadband internet [88378].
Impacts 1. The software failure incident led to ransomware attacks on public library computer networks, affecting hundreds of computers in various locations like St. Louis, Anne Arundel County, Spartanburg, and Onondaga County [88378]. 2. The incident caused disruptions in public library services, with some computers being taken offline for weeks due to virus infections and ransomware compromises [88378]. 3. The failure resulted in increased cybersecurity risks for individuals using public library computers, exposing them to malware and potential data theft due to lack of control over protective software and increased opportunities for hackers [88378]. 4. Budget cuts in public libraries across the country, including reductions in funding for cybersecurity assessments and technological updates, were exacerbated by the software failure incident, impacting the readiness of libraries for the 2020 Census [88378].
Preventions 1. Implementing robust cybersecurity measures such as encryption, dual-factor authentication, and leveraging cybersecurity systems like EINSTEIN 3 Accelerated [88378]. 2. Providing solid and proactive cybersecurity training programs, system backups, and risk-management plans for public libraries [88378].
Fixes 1. Implementing solid and proactive cybersecurity training programs, system backups, and risk-management plans in public libraries to safeguard against cyber threats [88378].
References 1. The Public Library Association [88378] 2. The American Library Association [88378] 3. The Institute of Museum and Library Services (IMLS) [88378]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: The article mentions incidents of cyberattacks on public libraries, such as the St. Louis Public Library, Anne Arundel County, Maryland, Spartanburg, South Carolina, and Onondaga County, New York. These incidents involved malware infections, ransomware attacks, and compromised computer networks within the library systems [88378]. (b) The software failure incident having happened again at multiple_organization: The article highlights cyberattacks on public libraries across the United States, indicating a pattern of similar incidents occurring at different organizations. Examples include the St. Louis Public Library, Anne Arundel County, Maryland, Spartanburg, South Carolina, and Onondaga County, New York, all facing cyber threats and malware attacks on their systems [88378].
Phase (Design/Operation) design, operation (a) The article mentions incidents where public library computers were infected with viruses, compromised by ransomware, and attacked by criminal ransomware, leading to system failures and disruptions [88378]. These incidents can be attributed to contributing factors introduced during system development, system updates, or procedures to operate or maintain the system. (b) The article highlights that public library internet users may be susceptible to more malware than typical private computer users due to the operation and misuse of the system. Factors such as lack of control over protective software, multiple users on a single computer, and increased opportunities for hackers to pass through contribute to the higher risk of malware infections in public libraries [88378].
Boundary (Internal/External) within_system (a) The software failure incident related to the 2020 United States Census and public libraries can be categorized as within_system. The article highlights how the public library computers were infected with viruses, compromised by ransomware, and attacked by criminal ransomware, leading to disruptions in services [88378]. These incidents occurred within the system of public libraries and were not caused by external factors.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: The article mentions incidents where public library computers were infected with viruses, compromised by ransomware, and attacked by criminal ransomware from Eastern Europe. These incidents were not directly caused by human actions but rather by external factors such as malware and cyberattacks [88378]. (b) The software failure incident occurring due to human actions: The article discusses the potential for cyber scams related to the 2020 Census, including phishing emails, text messages with malicious links, and harassing phone calls demanding private information. These actions are initiated by humans with malicious intent to deceive individuals into providing sensitive data [88378].
Dimension (Hardware/Software) software (a) The articles do not provide information about a software failure incident occurring due to contributing factors originating in hardware. (b) The software failure incident mentioned in the articles is related to cybersecurity threats and attacks on public library computers used for the 2020 Census. These attacks include ransomware infections and compromises by malicious actors targeting public library systems [88378].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident mentioned in the articles is related to malicious factors introduced by humans with the intent to harm the system. The incident involves cyberattacks on public libraries, specifically targeting their computer systems. Hackers have been responsible for locking access to public computers, infecting them with viruses, compromising servers with ransomware, and launching ransomware attacks on library computer networks [88378]. Additionally, the articles highlight the vulnerabilities and risks associated with the upcoming 2020 United States Census being conducted online. There are concerns about cyber scams, phishing emails, text messages with malicious links, and harassing phone calls aimed at stealing private information from individuals participating in the census. The incident involving ransomware at public libraries is a clear example of a malicious software failure incident [88378].
Intent (Poor/Accidental Decisions) unknown The articles do not provide specific information about a software failure incident related to poor decisions or accidental decisions.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The article mentions incidents where public library computers were infected with viruses and ransomware, leading to disruptions in services [88378]. These incidents could be attributed to development incompetence as they highlight vulnerabilities in the systems that were exploited by hackers due to potential lack of professional competence in implementing robust cybersecurity measures. (b) The article also discusses the susceptibility of public library internet users to malware due to lack of control over protective software and the increased risk posed by multiple users on a single computer [88378]. These factors contribute to accidental software failures as they create opportunities for malware to infiltrate systems unintentionally.
Duration temporary The software failure incident discussed in the articles is more aligned with a temporary failure rather than a permanent one. The articles highlight instances where public library computer systems were infected with viruses or ransomware, causing them to be offline for weeks or compromised by cyberattacks [88378]. These incidents resulted in temporary disruptions to the systems, indicating that the failures were due to contributing factors introduced by certain circumstances rather than being permanent.
Behaviour crash, other (a) crash: The articles mention incidents where public library computers were affected by ransomware, leading to the temporary halt of internet access and locking access to public computers [88378]. (b) omission: There is no specific mention of a software failure incident related to omission in the provided articles. (c) timing: The articles do not discuss any software failure incident related to timing issues. (d) value: The articles do not provide information about a software failure incident related to the system performing its intended functions incorrectly. (e) byzantine: The articles do not describe a software failure incident related to the system behaving erroneously with inconsistent responses and interactions. (f) other: The other behavior mentioned in the articles is the infection of public library computers with a virus that took them offline for weeks, as well as compromising servers with ransomware, which could be categorized as a form of system failure [88378].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) death: There is no mention of any deaths resulting from the software failure incident in the provided article [88378]. (b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [88378]. (c) basic: The software failure incident did not impact people's access to food or shelter as per the article [88378]. (d) property: The software failure incident did impact people's material goods, money, or data. For example, in 2018, some 600 public library computers in Anne Arundel County, Maryland, were infected with a virus that took them offline for weeks [88378]. (e) delay: People did not have to postpone an activity due to the software failure incident as mentioned in the article [88378]. (f) non-human: Non-human entities were impacted due to the software failure incident. For instance, public library computer networks were attacked by ransomware, affecting their operations [88378]. (g) no_consequence: There were observed consequences of the software failure incident, so this option does not apply [88378]. (h) theoretical_consequence: The article discusses potential consequences of the software failure incident that did not occur, such as cyber scams like phishing emails, text messages with malicious links, and harassing phone calls demanding private information [88378]. (i) other: The article does not mention any other specific consequences of the software failure incident beyond those discussed in the options (a) to (h) [88378].
Domain information, government (a) The failed system mentioned in the article is related to the information industry, specifically the 2020 United States Census. The article discusses the digitization of the census and the vulnerabilities it creates to hacks, cyber scams, and ransomware attacks, especially targeting public libraries where individuals without home internet access are encouraged to fill out the census [88378]. (l) Additionally, the failed system is related to the government industry as the 2020 United States Census is a crucial government initiative. The article highlights the cybersecurity risks associated with digitizing the census and the budget cuts affecting public libraries, which play a significant role in facilitating census participation [88378].

Sources

Back to List