The ABS’ disastrous handling of the 2016 census should be the canary in the coalmine for government agencies attempting to move their services online, according to the Prime Minister’s special adviser on cybersecurity Alastair MacGibbon.
Along with the parliamentary committee report yesterday, the government released MacGibbon’s report, which will determine the fate of ABS staff and those involved in the CensusFail.
MacGibbon doesn’t call for anyone to get sacked, so it seems no heads will roll, but he paints a picture of an organisation woefully underprepared for what should have been entirely predictable, and of ministers and senior government executives who were unable to communicate properly with each other and the public about the matter because of their own lack of technical understanding.
During the day on August 9, the online census form was subject to four distributed denial-of-service (DDoS) attacks, and on the fourth attack the website went offline.
MacGibbon found that the ABS had a “library of six incident management documents” designed to prepare the ABS for any possibility, but none of them addressed what happened on census night, meaning the decisions the ABS made were ad hoc and often inadequate for what was required.
For example, on the night of the incident, the ABS prepared a brief for the government and sent it around to several agencies at 1am, but “due to an administrative error” the Prime Minister’s Office didn’t get the brief until closer to 5am, just before a teleconference on the matter.
MacGibbon reviewed all the public statements made by ministers and politicians over the course of the next day about CensusFail and determined that ministers and senior government executives should be sent to a “cyber bootcamp” to learn how to talk to the public about cyber security incidents. Much of the confusion in the early hours stemmed from whether the incident was a “hack”: it wasn’t, but some politicians referred to it as such.
ABS and IBM had prepared for DDoS attacks, but the decision to go to what was referred to as “Island Australia” (blocking all overseas traffic to the site) was not implemented properly. MacGibbon said geoblocking could have stopped the DDoS attacks, but it was not a strategy the ASD (Australian Signals Directorate) recommends.
In fact, ABS and IBM did not consider what would happen when all overseas traffic was blocked from accessing the eCensus form. Some parts of the eCensus system, such as password resets, were themselves hosted offshore and so became unusable once the block was in place. Vodafone customers in New South Wales and Australians using virtual private networks were also blocked from accessing the census website.
“Island Australia” was only ever meant to be applied for 10 minutes at a time, but IBM and ABS decided to keep it in place all day on census day. In addition, the telecommunications providers working with ABS on the census were not included in the “Island Australia” testing, meaning one of them, Vocus, had not configured its system properly for geoblocking, which led to many of the problems on the day.
MacGibbon said that the incident should serve as a warning for other agencies moving their services online, and recommended the digital transformation committee of cabinet develop cybersecurity shared services to provide consultation across government on cybersecurity.
After directing most of the blame at IBM, Prime Minister Malcolm Turnbull has avoided dragging the matter into the courts, as the Queensland government did with the Queensland Health payroll debacle, and announced that a commercial-in-confidence settlement had been reached.