Australian 2016 census sabotage puts a question mark on private cloud

Industry experts question why the Australian Bureau of Statistics’ website for the 2016 census, which recently underwent a DDoS attack, was not run on public cloud

The Australian Bureau of Statistics’ (ABS’) website was taken offline following a distributed denial of service (DDoS) attack during census night on 9 August 2016.

As Computer Weekly previously reported, the ABS triggered a privacy debate after it emerged that the citizen data it collects will be held for four years, with the ABS saying this would enable it to build a clearer statistical picture of the country.

According to an interview on ABC News, reported in The Guardian, the site sustained a malicious attack from overseas.

“The data is secure and we expect to be in a situation soon to inform the public when the site will be ready again,” David Kalisch, ABS chief statistician, told the ABC news radio site.

Australians can choose between filling out their census online using a 12-digit identification number or calling a phone hotline to get a paper form, but privacy campaigners have warned that the data collected enables the government to create a profile of Australian citizens.

Veteran Australian privacy advocate Roger Clarke warned on his website that data from the census and other ABS surveys would be linked and that “additional data will be expropriated from other sources and added to each person’s record”.

Revolution IT, which was responsible for the performance testing of the website, said its model of peak load on census night was based on 250 submissions per second and allowed for an average sustained peak of up to 350 submissions per second (with a peak of 400 users per second) to ensure that there was sufficient capacity.

The census site stress tests did not take into account denial of service attacks. The company said: “DDoS attempts were not part of the performance testing and would have been a security testing consideration, which was not part of Revolution IT’s mandate.”


ABS said the site was taken offline as a security precaution and so did not crash or fail because of the number of users.

A sustained attack can put systems under extreme stress, and best practice dictates taking the systems offline during such attacks to avoid any long-term damage.

IBM, which was the lead IT contractor for the Australian census project, was attacked directly by Australia’s prime minister, Malcolm Turnbull, for the failure.

In a statement, IBM said: “IBM’s priority over the past two days was to work with the ABS to restore the census site. We are committed to our role in the delivery of this project.”

However, industry commentators have questioned why the site, which is believed to be built on IBM WebSphere, was run on the IBM SoftLayer cloud rather than on a public cloud such as Amazon Web Services.
