The Australian Bureau of Statistics has claimed it took the census website down last night after four Distributed Denial of Service (DDoS) attacks on the site in order to protect the data.
The ABS said that the 2016 online census form was “subject to four Denial of Service attacks of varying nature and severity” yesterday, and after the fourth attack, the ABS took the site offline to “protect the integrity” of the census data.
A DDoS attack is a common tool used to disrupt sites and services online by essentially getting thousands or millions of computers to team up and attempt to overwhelm a site with traffic. There are an estimated 2000 DDoS attacks per day, and they’re not very expensive to organise. According to a Trend Micro report from 2012, US$150 can buy a week-long DDoS attack.
Contrary to how this story has been — and will be — reported by many media outlets today, a DDoS attack is not a hack, because no data is breached via DDoS, but a DDoS attack can often be used as a cover for a hack.
ABS chief statistician David Kalisch told the ABC this morning that the 2 million or so census forms filed online before it all fell down were secure, and that the malicious attack had come from overseas. The Privacy Commissioner is investigating.
Several people have pointed out, however, that DDoS attack mapping tools such as Kaspersky and Norse showed no large-scale DDoS attacks targeting Australia last night.
The ABS claimed before the census that it could handle approximately 1 million census form submissions online, but questions are now being raised about whether the ABS had conducted appropriate load testing and provisioned adequate resources for census night, when everyone would be logging in to fill in their form online.
Brisbane-based Revolution IT was paid close to $500,000 to perform load testing to ensure it would all go smoothly, and IBM — a frequent troublemaker for government IT — was paid $9.6 million for the design, development and implementation of the online version of the census. Look for these companies being hauled before a parliamentary committee in the near future.
If it was a DDoS attack, the ABS’ boastful claims about the security and integrity of its systems have possibly goaded someone into testing the ABS’ bravado.
The fact remains that the ABS should have prepared for this. If the ABS is outsourcing the census, it can outsource it properly to cloud service providers that can handle the traffic and mitigate DDoS issues. The US Census Bureau reportedly spent US$11.8 million on its online census in 2010, and planned in advance for the potential for DDoS attacks. US Census CIO Brian McGrath:
“That was a huge concern for us that in the height of the decennial activity if we were a target of a DDoS attack or the site would go down or the performance would go down that it would reflect negatively on the Census Bureau and deter citizens from participating.”
As with much of the ABS’ handling of the census in 2016, there is an issue with communication. The ABS’ census account on Twitter was telling people well after 7.30pm last night to keep trying to log onto the census site, despite ABS now saying that at 7.30pm a decision had been made to shut down the census website.
The ABS has said it expects to restore the site later this morning, and has said people have until September to fill out the census form. Labor’s Andrew Leigh is already warning, however, that the data might now be less reliable than it otherwise would have been, because people may delay filling out the census or not fill it out at all.
Kalisch and the minister responsible, Michael McCormack, spoke to media this morning, with McCormack repeatedly claiming that it wasn’t an attack or a hack, but an attempt to frustrate the ABS.
McCormack explained that when the first few attacks happened at the start of the day, the ABS and IBM made a decision to block all international traffic to the site. This block eventually fell over, and a Telstra router failed, so the ABS made a decision to take the site offline in order to protect the data.
McCormack stressed that no data had been lost, and no data had been compromised. Approximately 2.33 million people had completed the census before the site went down.
The Prime Minister’s cybersecurity adviser, Alastair MacGibbon, said that most of the traffic originated from the United States but was the subject of an investigation by the Australian Signals Directorate. MacGibbon suggested that the attention drawn to security concerns around this year’s census might be to blame for people targeting the site: