Simulated Internal Cyber Attack Gained Control of Critical Census Bureau System

For our evaluation of the U.S. Census Bureau's (the Bureau's) cybersecurity posture, our objective was to determine the effectiveness of the Bureau’scybersecurity posture against a simulated real-world attack. To do this, we conducted a covertcyber red team with six goals tailored to relevant risks. We found that the red team was able to gain unauthorized and undetected access to a Bureaudomain administrator account as well as personally identifiable information of Bureauemployees; reduce the Bureau’s defensive options; use insecure programs to send fake emails; and carry out severalmalicious actions that identified 11 security weaknesses.