As we pass 36 hours since the census site was taken down, Prime Minister Malcolm Turnbull is looking to shift the blame onto the ABS and IBM, the technology giant responsible for the census’ online platform.
Despite little evidence — from services that monitor distributed denial of service (DDoS) attacks globally — that attacks were taking place at the time of the census on Tuesday night, Turnbull has reiterated that the ABS’ decision to take down the site at 7.30pm came after a series of DDoS attacks on the census website during the course of the day. But he told new talkback bestie Alan Jones that DDoS attacks were “highly predictable” and “extremely common” and the ABS and IBM should have been adequately prepared:
“Measures that ought to have been in place to prevent these denial of service attacks interfering with access to the website were not put in place. That was a failure. That was compounded by some hardware failures, and inadequate redundancy … There are clearly very big issues, very big issues for IBM, the systems provider for the census and for the Australian Bureau of Statistics.”
The Prime Minister warned of “very serious consequences” to follow from the failure of the census site and said his cybersecurity adviser, Alastair MacGibbon, would be leading a review into the debacle, predicting “heads will roll” when the review is completed.
The ABS will also have questions to answer. IBM was only awarded the contract at the end of 2014, after the ABS had failed over the previous two years to develop its own census platform in-house. IBM has reportedly pulled all media advertising until the controversy subsides. The company has also gone to ground, not responding to phone calls and emails from media, including Crikey.
While in damage-control mode publicly, the ABS is also having to manage the fallout from the census debacle internally. According to an ABS insider speaking to Crikey, Chief Statistician David Kalisch held an all-staff session today, in which he went over much of the same detail that was released publicly yesterday. After several DDoS attacks, the attempt at an “Island Australia” approach of blocking all traffic coming from outside Australia failed, and management were concerned this failure could lead to a data breach. As a result, ABS management made the decision to pull the plug on the website until it could be secured.
Kalisch told staff the whole incident was “unfortunate” and reiterated public comments that the controversy over the ABS’ decision to retain names and addresses for four years instead of 18 months and the associated privacy concerns had made the ABS a target. He told staff the ABS aimed to be as transparent as possible about the whole disaster. The site will only be restored once given the all-clear by the Australian Signals Directorate, IBM and ABS management.
In an email to staff, deputy Australian statistician Trevor Sutton offered ABS staff counselling over the fallout, and said they should be prepared for it to impact on their personal lives:
“As you engage with our stakeholders, providers, users and community members in the coming days, no doubt these challenges will be mentioned and some people may be disappointed, annoyed, frustrated and even angry. Others, of course, will be more considerate.”