Although the government’s review of the problems surrounding the online 2016 Census is yet to be released, the person leading the review, Alastair MacGibbon, has provided a new, concise rundown of the events of Census night.
MacGibbon, the Prime Minister’s Special Advisor on Cyber Security, was commissioned in August to conduct a review of the Census.
His review team includes members of the Department of the Prime Minister and Cabinet, the Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner, the Department of Finance, the Treasury, the Digital Transformation Office and the Attorney-General’s Department. In addition, it includes a liaison officer from the Australian Bureau of Statistics.
In a submission to a Senate inquiry into the Census, MacGibbon said that he has not finalised his findings and recommendations. However, the PM's cyber advisor provided the Senate Economics References Committee with an outline of the events of 9 August.
MacGibbon writes that the Census website “was neither hacked nor was it shut down by malicious actors” and that it wasn’t overwhelmed by people filling in Census forms.
“There was a series of events, starting with three denial of service attacks earlier in the day,” MacGibbon writes. “A fourth denial of service attack commenced around 7.30pm at which point there was a failure in the geoblocking service, which is one of the main defences which can be used against denial of service attacks.”
(Risky Business’ Patrick Gray has reported that the ABS and contractor IBM were offered DDoS mitigation services by their upstream provider but declined.)
“This fourth attack rendered the eCensus unavailable to the Australian public,” MacGibbon said.
“Simultaneous to the fourth attack, a monitoring system indicated that there was outbound traffic from the eCensus system, and the fear was it was potentially malicious,” the submission states.
“As a result of the unusual traffic patterns being observed within the network, the ABS asked IBM to enable ‘overload’ control which prevented any new eCensus forms being started. This was to remove any doubt about the security of Australians' data. The ABS later determined that the unusual traffic patterns were not of security concern – it was a ‘false positive’ of data leaving the network. Data collected up to that time was secure and the integrity was not compromised.”
MacGibbon has previously indicated that he expects an ongoing impact on trust in government digital services in the wake of the Census debacle.