Some thoughts about the recent failed attempt by the Australian Bureau of Statistics to operate the 2016 census online.
Are our collective expectations of government sometimes too high? I think not.
When the Australian Census was held last Tuesday night, millions of Australians logged-on to the Census website to fulfil their civic duty and complete the national survey only to discover that the site would not load.
After many hours of frustration (and the threat of fines), most gave up and awoke to the news that the site had been the subject of a series of distributed denial-of-service attacks from overseas.
Leading up to the census, there had been widespread concern about privacy following the Australian Bureau of Statistics’ decision to retain name and address details for four years instead of the customary 18 months. With the swift move away from pen-and-paper to online data collection, many people were seriously concerned about the possibility of a hack. Government MP Christopher Pyne labelled this “tinfoil hat” politics.
Perhaps most unhelpful was the response of the Minister responsible for the Australian Bureau of Statistics (ABS), who skited:
The ABS has never had a privacy breach with Census data showing, and they have assured me as the minister responsible, they’ve assured the government, that they have every protocol in place, every process in place to ensure that there isn’t a breach this time.Michael McCormack, 3 August 2016
When I heard these comments, I winced. Like others, I believed that this was a honeypot in the making and it turns out that my gut instincts were correct. The ABS Census website was subjected to multiple denial-of-service attacks. Not that we were told anything about it until long after it had happened.
Perhaps most significantly, the people responsible couldn’t even agree on whether it was a hack, an attack or something else:
It was an attack and we believe from overseas….The Australian signals directorates are investigating those issues but they did note that it was very difficult to source the attack.David Kalisch, Australia’s Chief Statistician
This was not an attack, nor was it a hack. Rather, it was an attempt to frustrate the collection of Bureau of Statistics Census data. ABS Census security was not compromised. I repeat, not compromised and no data was lost.Michael McCormack, Minister for Small Business
This was an attack, not a hack.Alastair MacGibbon, Prime Minister’s Special Adviser on Cyber Security
David Kalisch had even tried blaming Telstra for a failed router that wasn’t theirs whilst others have questioned whether there was even a denial-of-service attack at all including RMIT’s Dr. Mark Gregory, an internet security expert:
It could have been (an overwhelming of the ABS computer), we don’t have any facts at this stage as to where it’s come from or how…. I think that the ABS have been totally unprepared from the beginning.Dr. Mark Gregory, RMIT Internet Security Expert
Either way, the handling of this matter was an absolute shambles. This whole saga reflects badly on the Australian Bureau of Statistics and the government. Today, Prime Minister Malcolm Turnbull has hinted that heads will roll in due course, but the question has to be asked; whose?
I too am very angry about this (and) I am bitterly disappointed about this. This has clearly been a failure on the part of the ABS, absolutely…. I mean a denial of service attack is as predictable as the rain will fall one day or the sun will come up.Malcolm Turnbull, Prime Minister
The Prime Minister has a point.
Should we blame the ABS for their lack of preparation, or contractor IBM who built the system? Should the Minister take a fall for his cavalier remarks before #CensusFail and his stupid denials afterwards? Perhaps the buck stops with the Prime Minister who is ultimately responsible?
After all, the ABS suffered a $68 million cut in the 2014 budget and the government even considered cancelling the census to save money (a decision which was overturned after howls of protest).
Investigations are now underway into the causes of the website crash and whether any data was stolen.
Whatever the cause may be, I believe that Australians are entitled to expect better from government. I just hope that lessons are learnt, not just about website management but about public administration and the impacts of government funding on the ability of the public service to deliver.
Ongoing Access Problems
I access the internet via a VPN and have noticed that the Census website is blocked to me (I had to disable my VPN in order to log on). There is also evidence that the ABS is blocking Google DNS.
Clearly the ABS have decided to block classes of users from accessing the census. This will make it very difficult for significant numbers of people to complete their census. Blocking IPs is a very clumsy means by which the census can be protected from further attack and will likely irritate more people in the days to come.