IBM Settles With Australian Government Over Census Debacle
Government Cybersecurity Adviser Slams Poor Incident Response Planning
The Australian government has reached a confidential settlement with IBM over the online census it held in August. The ambitious project was designed to save money through technology. But it turned calamitous when the census site crashed, resulting in diminished public confidence and worries over the government's ability to safely collect or store people's personal information.
The government, however, now has some time to get its act together before the next census, due to be held in 2021. In a Nov. 24 statement, Minister for Small Business Michael McCormack acknowledges that before then, "there are lessons to be learned and ... improvements are necessary." But he emphasized that despite the 2016 census missteps, 96 percent of Australians still completed the census, which is on par with the 2011 census. In addition, "a record 58 percent of Australians completed their 2016 census online," he says.
Some of that was no doubt due to an aggressive marketing campaign that the government commissioned this year, encouraging people to fill out the census online. The move was intended to reduce the number of field officers needed to knock on doors, saving upwards of $100 million (U.S. $74 million). The savings were projected in part based on smaller online census trials conducted by the Australian Bureau of Statistics in 2006 and 2011.
But this year, four minor distributed denial-of-service attacks disrupted the census site on Aug. 9, which was the same night that ABS had encouraged millions of Australians to go online and simultaneously complete their census.
When the website started to experience disruptions, the ABS voluntarily took the e-census offline for nearly two days. Officials at first suspected that attackers might be trying to steal personal data - concurrent with the DDoS attacks - but a later investigation found that suspicion to be incorrect.
Regardless, the mess prompted a flood of embarrassing criticism, much of it disseminated via the #CensusFail hashtag across Twitter. The ABS estimates that the problems cost the government as much as $30 million.
But on Nov. 25, Prime Minister Malcolm Turnbull said that the settlement would "absolutely cover" the costs of the outage, ABC reported.
IBM, which received $9.6 million for the e-census contract, blamed some of the related technical failures on third-party contractors that it had employed, but ultimately took responsibility for the incident. The technology giant has been slammed for not being better prepared for DDoS attacks, which are one of the most common and easy-to-execute types of online attacks.
The settlement announcement comes with the release of two reports, including one from the Senate Economics References Committee that in large part rehashes how IBM was awarded the contract. It's also filled with relatively bland bromides, such as recommending that "the ABS take a more proactive role in validating the resilience of the eCensus application for the 2021 census."
The second report, from Alastair MacGibbon - a special cybersecurity adviser to the prime minister - is much more direct in its recommendations and doesn't shy away from assigning blame. "One of the government's most respected agencies - the Australian Bureau of Statistics (the ABS) - working in collaboration with one of the technical world's most experienced companies - IBM - couldn't handle a predictable problem," he writes in his report.
But MacGibbon also blames the ABS for having failed to create and test an incident response plan, in the event that something went wrong. "While the ABS and IBM had a library of incident management documents to guide them through the events of 9 August, they were impractical, poorly tested and none outlined a comprehensive cyber incident response or communications plan that could be effectively implemented," he wrote.
DDoS Attack Was Minor
Based on reports that have been released about the census site failures and related responses, IBM and its associated contractors had planned to deal with any DDoS attacks using a strategy dubbed "Island Australia," or geoblocking. The plan involved shutting off data traffic coming from outside Australia in the event of attacks, despite many Australians having come to rely on domain name system resolvers outside their country.
The first attack measured 1.5 Gbps, which security experts say is a fairly small attack. Geoblocking was implemented shortly after a second one. But one ISP in a chain of network providers, Vocus, failed to block a traffic route from Singapore.
After a fourth DDoS attack, IBM then saw severe technical problems. A performance monitoring system indicated that data might be leaving the census systems, which prompted organizers to shut down the website.
Subsequently, a firewall became overloaded, which required a router to be rebooted. A second router failed after IBM restricted access to the census to people who were already logged in to the system (see IBM Blamed for Australian Census Debacle).
Suspicions that data might have been stolen turned out to be wrong, according to testimony delivered by an IBM official to a Senate committee. IBM had configured its performance monitoring systems to report traffic volumes hitting the website every minute. Although the data traffic was being continuously monitored, the minute-long gap between readings gave the impression that something was awry.
"This resulted in an incorrect graphic creating the impression that there had been a spike of outbound traffic that could be data egress," the Senate's report says.
The technical failures of the census added to what was already a public relations nightmare for the ABS. The agency had implemented changes to the length of time it retains census data and new ways it plans to use the data, which infuriated privacy activists (see Australia in Privacy Furor Over Census).
Although the changes were put to a public consultation, the criticism intensified as the census day drew closer, putting the ABS on the defensive.
The Senate committee found that the ABS didn't act beyond its powers - laid out by law - in terms of changes to how it handles data. But the committee recommended that private assessments evaluating the impact of policy changes be made public at least a year before any future census is conducted.
MacGibbon's report was also particularly critical of the ABS's public outreach and media relations efforts. Beyond having no cyber incident response plan in place for potential crises, he also criticizes ABS for failing to adapt to the public relations storm over privacy and security that had been building up in the weeks prior to Aug. 9.
"Instead, ABS rigidly stuck to its plans, forgoing crucial opportunities to influence and drive the conversation around the census," MacGibbon writes.