IBM, Vocus and Vocus subsidiary Nextgen have settled a lawsuit relating to the high-profile failure of the Australian Census website in 2016.
IBM sued Nextgen Networks and Vocus in late 2016 seeking to recover the cost of a compensation deal reached with the Australian government following the meltdown of the Census website (Nextgen was acquired by Vocus in 2016 and had also employed the telco as its upstream supplier.)
On Census night — 9 August — the online service delivered by IBM under a $9.6 million contract with the Australian Bureau of Statistics (ABS) suffered a series of outages in the wake of multiple distributed denial of service (DDoS) attacks.
Following a false alarm indicating that Census data was at risk of exfiltration, the ABS directed the website be temporarily pulled offline. In total, the Census site was unavailable for close to 43 hours.
Although, as expected, for the first time a majority of Census participants used the online service instead of paper forms, the number of online responses didn’t match ABS projections.
A government-commissioned review of the Census concluded that the DDoS-related outages were “preventable” and had resulted from the failure of geoblocking-based mitigation strategy employed by IBM.
The ABS and IBM opted for a strategy to protect the Census dubbed ‘Island Australia’ that would block traffic from overseas IP addresses.
The first of a series of four DDoS attacks on 9 August 2016 rendered the Census site inaccessible for around five minutes. A second attack about an hour-and-a-half later also temporarily took down the site.
Following the second attack, geoblocking was switched on, successfully mitigating a third attack. However, a fourth DDoS attempt again took down the site. The government review, authored by Alastair MacGibbon, concluded that, in the case of the final attack, geoblocking had proved an inadequate mitigation strategy.
IBM in a submission to a Senate inquiry scrutinising the events blamed Nextgen for failing to properly implement Island Australia, although it acknowledged that a problem with an IBM-operated router on a Telstra network link also contributed to Census downtime.
MacGibbon’s report concluded that “NextGen’s upstream provider, Vocus, did not have properly-configured geoblocking in place, a failure which allowed international traffic to reach the eCensus”.
NextGen “did not have its DDoS attack mitigation service enabled for IBM’s data centre,” the report said. However, it added: “It is probable that IBM had not requested activation of that service. NextGen utilise the services of a security vendor to provide attack mitigation and detection services, but they had only enabled the detection service on this occasion.”
The government in November 2016 said it had “reached a commercial-in-confidence settlement with IBM” in relation to the Census debacle. The settlement followed forceful criticism of the tech giant by the then prime minister, Malcolm Turnbull.
ARN in April 2017 revealed details of the IBM lawsuit against Nextgen, with court documents alleging that IBM “suffered damage to its reputation, damage to its goodwill and loss of business” as a result of a failure by Nextgen to adequately implement Island Australia.
In its response to IBM’s claims, Nextgen noted that IBM had declined its offer of DDoS protection services and “relied on a method of DDoS protection that could not protect the eCensus site from domestic DDoS sources or all international DDoS sources.”
“IBM did not design its system for use in connection with the eCensus site with adequate capacity to withstand a relatively minor DDoS attack,” a court filing by Nextgen stated.
The terms of the settlement reached by IBM and Vocus earlier this month are confidential. Consent orders made in the Supreme Court on 4 October saw the case dismissed with no order as to costs.
Vocus and IBM declined to comment on the settlement.
The ABS revealed earlier this year that the online component of the 2021 Census will be hosted on Amazon Web Services’ cloud.