How should the people in charge of the 2016 census, eager to move Australians online to conduct the vast, compulsory survey, deal with the denial of service attacks that were expected against its IT infrastructure? Such attacks, after all, are the lot of many companies and government agencies, large and small, and a high-profile event like the census — already coping with massive traffic as Australians filled out their forms — would surely attract them.
“Island Australia” — a redundant, faintly silly name — was the solution agreed between the Australian Bureau of Statistics and its contractor, IBM, which hadn’t even had to go through the rigours of an open tender process to get the multimillion-dollar contract. That is, in response to a denial of service attack on the census site, they would simply shut off any traffic from outside Australia — otherwise known as geoblocking.
As we learnt yesterday in a hearing of the Senate Economics Committee’s inquiry into the debacle, it was a stupendously dumb idea. The Special Adviser to the Prime Minister on Cyber Security, Alastair MacGibbon, noted that ABS failed to properly interrogate the plan: if it had done so, it might have spotted that a key part of the site IBM had built, relating to password resets, was itself hosted offshore. Institute “Island Australia” and the site wouldn’t be able to function properly — anyone needing to reset their password would have been unable to.
Then again, MacGibbon — who in the aftermath of the August 9 debacle looked like the only adult in a roomful of frantic infants — suggested the ABS displayed a surprising lack of curiosity about what IBM was providing for the census; “vendor lock-in,” he called it. He also repeatedly noted that the DoS attacks on the ABS site that did eventuate were small enough that they should have been easily handled by the site.
What the committee failed to pursue, however, was why “Island Australia” — basically, geoblocking — was considered at all appropriate in 2016 for Australians accessing a “service” — such as it was — from their government. Having compelled citizens, with the threat of large fines, to take part in what is planned as a lifelong, compulsory longitudinal study of every Australian, the ABS and IBM made it a core strategy, in response to expected attacks, to block anyone doing the basics of IT self-protection by using a VPN to disguise their IP address from filling out the census at all. This is no trivial problem: up to 20% of Australian households use VPNs to encrypt their traffic and hide their locations. They are not second-class online citizens that should be chucked overboard at the first sign of trouble, especially when the denial of service attacks were of such a trivial scale as to barely register.
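The two failure modes described above (an offshore-hosted password reset that a geoblock would sever, and Australians on overseas VPN exits who would be refused) are exactly what a pre-flight check should surface before a country-level block is ever switched on. The following is an added illustration, not code from the ABS, IBM or the article: it models the “Island Australia” policy as an allow-by-country rule and runs it over a constructed inventory of site dependencies and sample requests. All hostnames, countries and IP addresses are constructed for the example (the IPs come from the RFC 5737 documentation ranges).

```python
"""Pre-flight check for a country-level geoblock ("Island Australia" style).

Added example, not the ABS's or IBM's code. The policy modelled is the one
the article describes: on a DoS attack, drop every request that does not
geolocate to an allowed country. Before enabling such a rule, two questions
should be answered from the site's own inventory:
  1. Which of the site's dependencies sit outside the allowed region and
     would be cut off (a critical one means the site stops working)?
  2. Which legitimate users would be refused (e.g. VPN exits abroad)?
Every host, country and address below is constructed for illustration.
"""

from dataclasses import dataclass

# The policy: only traffic geolocating to these countries is allowed.
ALLOWED_COUNTRIES = frozenset({"AU"})


@dataclass(frozen=True)
class Dependency:
    name: str
    host: str
    country: str    # where the component is hosted (constructed)
    critical: bool  # True if the site cannot function without it


@dataclass(frozen=True)
class Request:
    client_ip: str
    geo_country: str          # country the source IP geolocates to
    via_vpn: bool
    user_in_australia: bool   # ground truth, unknown to the filter


# Constructed inventory: note the reset service hosted offshore.
SITE_DEPENDENCIES = [
    Dependency("census form submission", "forms.census.example", "AU", True),
    Dependency("password reset service", "reset.census.example", "US", True),
    Dependency("static assets CDN", "cdn.census.example", "SG", False),
]

# Constructed sample traffic. 198.51.100.7 is an Australian household whose
# VPN exits overseas, so its address geolocates to the US.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "AU", via_vpn=False, user_in_australia=True),
    Request("198.51.100.7", "US", via_vpn=True, user_in_australia=True),
    Request("192.0.2.55", "NL", via_vpn=False, user_in_australia=False),
]


def geoblock_allows(country: str, allowed=ALLOWED_COUNTRIES) -> bool:
    """The whole geoblock decision: allowed country or not."""
    return country in allowed


def severed_dependencies(deps, allowed=ALLOWED_COUNTRIES):
    """Dependencies the block would cut off, critical ones listed first."""
    cut = [d for d in deps if not geoblock_allows(d.country, allowed)]
    return sorted(cut, key=lambda d: not d.critical)


def site_survives_geoblock(deps, allowed=ALLOWED_COUNTRIES) -> bool:
    """False if any critical dependency is outside the allowed region."""
    return not any(d.critical for d in severed_dependencies(deps, allowed))


def legitimate_users_refused(requests, allowed=ALLOWED_COUNTRIES):
    """Users who are genuinely in Australia but would still be refused."""
    return [r for r in requests
            if r.user_in_australia and not geoblock_allows(r.geo_country, allowed)]


def readiness_report(deps=SITE_DEPENDENCIES, requests=SAMPLE_REQUESTS,
                     allowed=ALLOWED_COUNTRIES) -> dict:
    """Summarise what switching the geoblock on would actually do."""
    severed = severed_dependencies(deps, allowed)
    refused = legitimate_users_refused(requests, allowed)
    return {
        "site_survives": site_survives_geoblock(deps, allowed),
        "severed": [d.name for d in severed],
        "refused_legitimate_ips": [r.client_ip for r in refused],
    }


if __name__ == "__main__":
    for key, value in readiness_report().items():
        print(f"{key}: {value}")
```

Run as written, the report shows the site would not survive the block (the critical password reset service is hosted offshore) and that the Australian household behind an overseas VPN exit would be refused even though it is exactly the kind of user the census exists to reach. Moving the reset service to an AU host makes `site_survives` true, but the VPN user is still refused, which is the policy problem the article raises rather than an inventory bug.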
Or perhaps the ABS would prefer to be able to retain the IP address of Australians as part of its permanent information collection about every individual. After all, the bureau is open about retaining and using your IP address and trying to find out as much about your online activity as possible. Maybe there was more than just stupidity behind “Island Australia”.