Census debacle: Govt and IBM reach confidential settlement

The government has said that it has “reached a commercial-in-confidence settlement with IBM” in relation to the Census debacle earlier this year that saw the website pulled offline.

IBM was the lead contractor engaged by the Australian Bureau of Statistics (ABS) to deliver the online portion of the Census.

A series of four relatively small distributed denial of service (DDoS) attacks combined with technical missteps and a questionable approach to DDoS mitigation led to a very public failure for the Census website on the night of 9 August.

The statement released yesterday by small business minister Michael McCormack offered no further details of the nature of the settlement but noted that IBM “has apologised to the Government and the Australian public for the outage on Census night”.

The ABS has estimated that the Census fiasco could cost it up to $30 million.

The revelation by McCormack that the government had reached a settlement with IBM came as two major reports into the Census were released.

The first, commissioned by the government, was the product of a review conducted by the Prime Minister’s Special Advisor on Cyber Security, Alastair MacGibbon. MacGibbon has previously released an outline of the how the Census meltdown unfolded based on the review.

The second report was released by the Senate Economics References Committee.

MacGibbon’s review echoes his previous public statements that there will be an ongoing impact on public trust in government digital services from the Census problems.

The DDoS attacks that targeted the Census were “defeatable” and DDoS protections employed to protect the website — a geoblocking strategy dubbed Island Australia intended to block network traffic from coming from outside of the country — were inadequate, MacGibbon’s report states. It adds that “more robust security planning would have led to a different outcome”.

“Controls were not considered within a comprehensive security framework; risk assessments underestimated the consequences of security incidents, leading to insufficient focus on mitigations; and there was poor independent assessment or verification of security arrangements,” it states.

The ABS’s communications strategy was also flawed, including failing to adequately address concerns about privacy relating to the retention of individuals’ names and inadequate crisis communications.

The ABS had “no clearly identified and tested cyber security incident response processes,” the report states. “The result was ad hoc decision making.”

The review found that the government's Cyber Incident Management Arrangements policy was inadequate for dealing with the Census incident.

Island Australia

IBM has criticised Nextgen and its upstream provider Vocus for the failure of the Island Australia strategy. Nextgen, along with Telstra, provided the network links for public access to the Census website.

“Had Nextgen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent [the fourth] DDoS attack and the effects it had on the eCensus site,” IBM argued in a submission to the Census inquiry.

The MacGibbon report notes that international traffic was able to reach the Census site because Vocus did not have “properly-configured geoblocking in place”.

Nextgen has said that IBM declined its offer of DDoS mitigation services. In addition, Nextgen has indicated that IBM told it that testing of Island Australia had been successful.

The report states that Island Australia was only tested four days before Census night. Testing consisted of Island Australia being activated for 10 minutes and IBM monitoring for overseas traffic while it tried to access the site from outside Australia.

Not only was Island Australia an “unusual” strategy but it provided no protection from any in-country DDoS attempts, the report notes.

The document describing the final solution architecture used states that “ISP based DDoS prevention services are not viable as these would be likely to trigger on the normal census traffic profile given its single event peak and lack of build-up period”. The argument could charitably be described as contestable.

Furthermore, as the Senate report notes, “the appropriateness of Island Australia must also be questioned given that some components of the eCensus—such as password resets—required access to international servers”.

Procurement

Both the MacGibbon report and the report of the Senate inquiry raised concerns about how the contract to deliver the Census was awarded to IBM, with ABS conducting only a limited tender process.

If the value of all the contracts related to the digital portion of the Census were taken into account, the total would hit the $10 million threshold that would have made it subject to the Department of Finance’s two-pass ICT Investment Approval Process (IIAP).

The Senate committee recommended that the process be reviewed “to ensure that projects such as the 2016 Census are covered by the cabinet two-pass process”.

Context

The Senate review argues that a narrow focus on the August events “risks treating the symptoms and ignoring the disease”.

“The confirmation that the census would proceed, the delayed development of an eCensus solution, the use of a limited tender and the erosion of internal capacity to adequately oversee the development of the eCensus are all serious concerns that may contributed to the events of 9 August 2016,” the report says.

Its recommendations include that the government earmark funding for the 2021 census in the 2017–18 budget. It also calls on the government to “provide sufficient funding for the ABS to undertake its legislated functions to a continued high standard”.

The state of the ABS’s IT systems have been cause for concern for a significant period.

“The ABS' funding has been eroded over a number of years while the demands and expectations placed on the organisation have increased,” the Senate committee’s report stated.