Australian Census Disrupted by DDoS
No Data Compromised, But Investigation Continues
The Australian Bureau of Statistics, already mired in a fierce privacy debate over this year's census, took the online submission form offline after repeated distributed denial-of-service attacks.
The agency expected millions of households to submit their census data online on the evening of Aug. 9. But it shut down the submissions form around 7:30 p.m., which was prime time for census respondents: 150 forms were being received per second. The attacks have raised questions about how prepared the agency was for the major civic exercise.
ABS head David W. Kalisch tells ABC news radio that the agency saw three minor DDoS attacks on census day that were successfully blocked. But after a fourth attack in the early evening, Kalisch says the ABS opted to "close down the system to ensure the integrity of the data."
Census data were believed not to have been compromised as a result of the attacks, and more than 2 million forms were completed before the system was taken offline. "I can certainly reassure Australians that the data that they provided is safe," Kalisch says.
"We apologise for the inconvenience. The 2016 online Census form was subject to four Denial of Service attacks of varying nature & severity." — Census Australia (@ABSCensus), August 9, 2016
Nonetheless, regulators are worried. The Office of the Australian Information Commissioner has launched an investigation under the country's Privacy Act of 1988, which is a set of guidelines for handling personal information.
"My first priority is to ensure that no personal information has been compromised as a result of these attacks," according to a statement from Timothy Pilgrim, the acting Australian Information Commissioner.
The DDoS attacks originated overseas, but Kalisch says more information about the source was not available. The Australian Signals Directorate, an intelligence unit within the Department of Defence, is investigating, he says.
When asked if the attacks were a deliberate attempt to sabotage the census, Kalisch responded: "We believe so."
"The scale of the attack - it was quite clear it was malicious," he says.
Near the end of the interview, Kalisch was asked how confident the agency was about its ability to counter attacks. He said: "There was one breach that did actually get through via a third party, and we have looked to and believe that we've plugged that gap."
It wasn't clear if Kalisch was conflating a DDoS attack with a data breach, and he didn't further explain how the third party related to the attacks.
DDoS On the Rise
DDoS attacks can take a variety of forms, but all are aimed at making an online service inaccessible by sending a barrage of data traffic. Such attacks can be crippling for businesses and expensive to mitigate.
Akamai, which runs a large content delivery network, said that DDoS attacks increased by 22 percent in the first quarter of this year versus the last quarter of 2015.
It can be difficult to trace DDoS attacks, since they're often launched from proxy servers or from other systems that attackers have compromised, rather than from the attackers' own computers.
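The two points above, that a DDoS works by overwhelming a service with traffic and that the sources are usually compromised or proxied machines, shape what a defender can actually do from the server side. The following is an added example (not code from the ABS, the article's author, or any vendor quoted) of a simple per-second rate monitor over web-server access-log lines: it flags seconds that exceed a capacity threshold and reports how spread out the traffic is across sources. The log format, the addresses, the 150 requests-per-second capacity figure used as a threshold, and the `distributed` heuristic are all constructed assumptions for illustration.

```python
"""Per-second request-rate monitor over access-log lines (added example).

Flags seconds whose request count exceeds a capacity threshold and reports
how concentrated the traffic is across source addresses. All sample data
below is constructed; the format mimics a common web-server access log.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed access-log shape:
# 203.0.113.7 - - [09/Aug/2016:19:28:01 +1000] "POST /submit HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_second, source_ip, request_line) or None if the line is unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def bucket_by_second(lines):
    """Group requests into per-second buckets: {epoch_second: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk lines instead of crashing the monitor
        sec, ip, _req = parsed
        buckets[sec][ip] += 1
    return buckets


def detect_flood(lines, capacity_per_sec):
    """Return one alert dict per second whose request count exceeds capacity.

    'top_share' is the fraction of that second's traffic from the single
    busiest source. Many sources with a low top_share means the flood is
    distributed (hypothetical heuristic: >= 10 sources and top_share < 0.2):
    blocking individual addresses will not bring the rate under capacity,
    which is why upstream filtering or scrubbing is the realistic mitigation.
    """
    alerts = []
    for sec, per_ip in sorted(bucket_by_second(lines).items()):
        total = sum(per_ip.values())
        if total <= capacity_per_sec:
            continue
        top_ip, top_hits = per_ip.most_common(1)[0]
        alerts.append({
            "second": sec,
            "requests": total,
            "sources": len(per_ip),
            "top_source": top_ip,
            "top_share": round(top_hits / total, 3),
            "distributed": len(per_ip) >= 10 and top_hits / total < 0.2,
        })
    return alerts


def make_sample_log():
    """Constructed sample: one normal second followed by one flooded second."""
    lines = []
    # 19:28:01 -- five legitimate submissions from five constructed addresses.
    for i in range(5):
        lines.append(f'198.51.100.{i + 1} - - [09/Aug/2016:19:28:01 +1000] '
                     f'"POST /submit HTTP/1.1" 200 512')
    # 19:28:02 -- five legitimate submissions plus 300 junk requests spread
    # over 100 constructed sources (3 each), so no single source stands out.
    for i in range(5):
        lines.append(f'198.51.100.{i + 10} - - [09/Aug/2016:19:28:02 +1000] '
                     f'"POST /submit HTTP/1.1" 200 512')
    for i in range(100):
        for _ in range(3):
            lines.append(f'203.0.113.{i + 1} - - [09/Aug/2016:19:28:02 +1000] '
                         f'"GET / HTTP/1.1" 503 0')
    lines.append("this line is not a log record")  # exercises the parser guard
    return lines


if __name__ == "__main__":
    for alert in detect_flood(make_sample_log(), capacity_per_sec=150):
        print(alert)
```

Run stand-alone, the script reports a single flooded second carrying 305 requests from 105 sources, with the busiest source accounting for about 1 percent of the traffic. That last number is the useful part for a defender: a per-IP block list would remove almost nothing, which is the situation the article's experts describe when they say these attacks are hard to trace and are launched from machines the attacker does not own.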
Arbor Networks, a network security vendor that specializes in DDoS mitigation, hasn't noticed any particular spike in malicious traffic aimed at Australia over the last day, says Dan Holden, director of Arbor's Security Engineering and Response Team. Holden says it's not unusual for a DDoS attack to not be widely seen since detection can depend on geography and the type of attack launched.
Holden says many experts expected DDoS attacks to fade away over the years, but they're actually growing as the internet grows. There are reasons for this: they're relatively cheap to conduct and achieve a highly visible impact. Government services tend to be more vulnerable.
"I would just generically say most government services aren't that well protected," Holden says.
Groups such as Anonymous became well known for their use of DDoS attacks as part of activist campaigns against governments, banks and companies. Greg Singh, regional director of sales engineering for Cylance, says the attacks are likely cyber vandalism related to the opposition to the census.
The attacks "probably have had the desired effect," Singh says. "It's kept a lot of Australians away from the census and probably caused a loss of confidence in the government."
The DDoS attacks couldn't have come at a worse time for the ABS, which has for weeks been battling a large backlash against the census from privacy activists and politicians (see Australia in Privacy Furor Over Census).
A major bone of contention has been the mandatory submission of names and addresses through the online form. The ABS has actually always required people to submit their names and addresses, but some have chosen to ignore the requirement when using the paper form.
The online form, however, will not allow people to progress to other census questions without that information. It has left many with the impression that name and address submission had only become mandatory for the 2016 census.
Unlike its counterparts in many other countries, the ABS destroys collected names and addresses after it has finished running statistical queries. For this census, the ABS has extended the maximum period that it retains the information from 18 months to four years. Critics have argued the longer period means there's a greater risk the data could be mishandled or breached by hackers.
As a result, seven Australian senators have said they will not submit their names, according to the ABC. Those who do not fill out the census can face fines of up to $180 a day.
Australia first offered an online option for census forms in 2006. This round, the ABS strongly pushed people to go online, which is estimated to save the agency $100 million compared with distributing paper forms to 9 million households. Because of the online hiccups, the ABS has said no one will face a fine for not completing their form on census night.
The online census form remained offline as of late afternoon Aug. 10.