The collapse of the Australian Bureau of Statistics’ website in August left millions of people unable to complete the form on census night – and proved an embarrassment for IBM.
Results of the investigation into the collapse, ordered by Australian prime minister Malcolm Turnbull, are not available at the time of writing. The review is being conducted by the Australian Signals Directorate and the prime minister’s special advisor on cyber security, Alastair MacGibbon.
Whatever they uncover, the site was clearly overloaded on the night, either through the sheer weight of numbers trying to fill out the online census form or an organised distributed denial of service (DDoS) attack.
Whatever the root cause, security analysts said it should have been anticipated by the ABS and IBM, which was paid more than $9m to build the site.
They also noted that the security “guarantees” given by the ABS’s chief statistician, David Kalisch, in the lead-up to the online census date were unwise and could have served as a challenge to hackers.
According to FireEye regional director Richard Metcalfe, the ABS and IBM should have anticipated a problem and had better controls in place, adding: “If they had not, it leads you to ask the question what other risks have not yet been contemplated.”
The Australian Centre for Cyber Security (ACCS), meanwhile, said the census failure highlighted the need for a closer look at, and greater investment in, national information security.
ACCS director Jill Slay said: “If the DDoS attack on the ABS census system is confirmed, this is an important reminder to Australians of the serious threat environment in cyber space.”
Straight after the census collapse, the ABS said it had shut down the website after four separate hacks which it claimed had been launched from overseas. But independent network monitors later said they had not seen any unusual internet activity from overseas.
Whatever the cause of the failure, Richard Metcalfe said it had “put the DDoS issue into every Australian’s understanding. Organisations need to understand their risk profile because a DDoS attack – if not inevitable – is certainly very likely.”
Metcalfe said, whatever the root cause of the shutdown, there was more traffic than had been anticipated, and the net effect of either a system overload or a deliberate attack was the same. However, he added that it was still important to understand exactly what happened.
“Attribution can be quite a heated topic, but it is important in the way it relates to the organisation. If the attack came from a low level by inexperienced people, then the perspective is that the ABS didn’t prepare well. If it was a highly sophisticated attack by a nation state, then our perspective of the ABS should be slightly different,” he said.
The cause was of less concern than the cost, according to Matt Barrie, CEO of Freelancer.com, who took to social media to describe the census failure as a “colossal waste of money by the government”.
“It exemplifies Australian government technology blunders – overpay by orders of magnitude for a substandard piece of cr*p. Next time, get a startup to do a better job for a tenth (or less) of the price,” said Barrie.