IBM blamed for Australian census website crash

Two inquiries into the Australian census debacle, which saw millions of Australians unable to complete their forms when the Australian Bureau of Statistics (ABS)-run website was taken off line because a distributed denial of service (DDoS) attack on census night, have put most of the blame on IBM.

Prime Minister Malcolm Turnbull said: “IBM has acknowledged responsibility, they’ve apologised, they’ve made a very substantial financial settlement with the government. There have been a lot of personnel changes at IBM as a consequence. I suppose heads have rolled there.

“And we’ll be working through the recommendations of Alastair MacGibbon’s review of the incident with the ABS and indeed with other government departments to make sure we learn the lessons from this failure.”

IBM has remained silent about the reports on the incident and its settlement with the government – in fact it has not issued a single media release in Australia since 1 September – but it has reportedly paid $30m to the government after being paid $9.6m to build the website.

The digital census platform had been expected to save the Australian government $100m, largely through a much-reduced need to find, train and pay census field workers.

While the Senate Economics References Committee’s report went into great detail about the events of August and the subsequent apportioning of blame by various participants, the report from the Prime Minister’s adviser on cyber security, Alastair MacGibbon, said it served as an important wake-up call to all agencies to improve security.

MacGibbon said cyber security was a core platform for successful digital transformation. “The 2016 eCensus was a setback,” his report said. “One of the government’s most respected agencies – the Australian Bureau of Statistics – working in collaboration with one of the world’s most experienced IT companies – IBM – could not handle a predictable problem.”

He said better cyber security was essential if the government wanted to rebuild public trust in the quality of its digital services.

MacGibbon recommended that the Australian Signals Directorate should work in collaboration with the Digital Transformation Agency to strengthen the framework to help agencies improve the security of their networks.

Meanwhile, agencies might also benefit from a careful read of the Senate report as an example of “how not to”.

It noted that ahead of census night, independent load testing had been performed based on ABS expectations that the system would need to handle 250 forms a second, or 900,000 an hour. Penetration testing was also conducted by a third party, with no issues uncovered.

Although the system withstood an initial DDoS attack and was comfortably coping with more than 7,000 census forms a minute, a second and third attack brought it down. IBM was initially unable to restore the system due to an incorrectly installed router which had not been identified before the launch.

The system was brought up again later on census night, but the ABS decided to remain offline until it was sure that data collected by the platform would be secure.

In its submission to the Senate Committee, IBM attempted to throw some of the blame on Nextgen, which had conducted the geoblocking load testing, and on Telstra, one of the internet service providers involved. Nextgen countered by saying IBM had failed to implement appropriate security measures and relied too heavily on a single avenue of geoblocking to protect itself from overseas attacks.

MacGibbon said that despite all the finger-pointing, it was clear was that neither the ABS nor the government was well served by the system deployed.

According to the Senate Committee, the long relationship between IBM and ABS had led to a measure of complacency on both sides.  

It has recommended that before the 2021 census, an open tender be issued to find the best system, and that greater scrutiny be given to both procurement and deployment.