How not to run an eCensus
Report into Australian census hit by cyber attacks criticises incident management and procurement; warns of serious blow to public confidence in “government’s ability to deliver on public expectations”
Alastair MacGibbon, cyber security czar for Australian Prime Minister Malcolm Turnbull, has strongly criticised the incident management planning in place for the controversial failures of the online Australian Census service in August.
In a damning report, MacGibbon said the nature of the eCensus event, its national implications and the breadth of consequences of something going wrong had clearly been underestimated in crisis planning.
“While the ABS and IBM had a library of incident management documents to guide them through the events of August 9, they were impractical, poorly tested and none outlined a comprehensive cyber incident response or communications plan that could be effectively implemented,” MacGibbon’s report said.
The report details that Census outages prevented Australians from filling in forms online for almost 43 hours. “This not only precluded online responses during the outages, but also likely reduced online responses over subsequent days due to confusion about security and the status of the eCensus. Considerable catch up then followed and many more Australians than planned turned to paper forms,” said the findings.
The report says that at 8.09pm on August 9, the Australian Bureau of Statistics (ABS) closed the 2016 Australian Census of Population and Housing (eCensus) form to new submissions because it feared data exfiltration was occurring. The ABS judged that the inconvenience of temporarily preventing new submissions was preferable to the risk or perception that the data had been exfiltrated or compromised.
The report concluded that the Australian government’s response to the eCensus events provides an opportunity to change the conversation about cyber security: to one of trust and confidence in the government’s digital transformation agenda, where ‘digital first’ is the overwhelming preference for Australians, underpinned by tangible security and adherence to privacy.
It said, “The 2016 eCensus tells us that more of the same is not enough: there is a new imperative to embrace cyber security as a core platform for digital transformation. And when we make the necessary changes we will increase the chance to deliver on the promise of Australia’s Cyber Security Strategy, to strengthen trust online and better realise Australia’s digital potential.
“Much of the Government’s dealings with Australians now takes place online, and this trend will only accelerate. But because this world is new, some disruption is bound to occur as culture shifts. And setbacks are inevitable.”
It described the 2016 eCensus as a setback.
“One of the government’s most respected agencies – the Australian Bureau of Statistics (the ABS) – working in collaboration with one of the technical world’s most experienced companies – IBM – couldn’t handle a predictable problem.
“As a result, a key national event trended online globally as #CensusFail – a serious blow to public confidence in the government’s ability to deliver on public expectations.”
MacGibbon’s report warned that the Census IT failure had, “more than any previous IT failure”, dented the Australian public’s confidence in the ability of its government to deliver.
The report said, “The ABS often cites “Australia’s largest peacetime logistical operation” and its proud history of 100 years of conducting censuses for Australians. The scale of the Census is immense and it touches the lives of all Australians. And in 2016, it worked hard to get more Australians to participate online. But this part of the Census represented significant risk.
“In perspective, at around $9.6m – a fraction of the $471m overall spend on the Census – the payment to IBM to deliver the eCensus capability was small. Certainly the sum was small to IBM: between January 1, 2013, and August 19, 2016, IBM was awarded 777 contracts across the Commonwealth Government with a total value of $1.55bn ($13.7m of which was with the ABS).”
It went on, “But cost isn’t the only issue. Nor the most important one. Australia now knows that cyber security is not just about national security. Cyber security is about availability of services and confidence in government in a digital age. And the public’s confidence in the ability of government to deliver took a serious blow, more so than any previous IT failure.”
It went on, “Even though the denial of service attacks on the night were predictable and defeatable, the decision to close off the eCensus was justified and no data were lost. The outcome could have been worse.
“But crucially important is the need to understand how the Census got to the point where the cyber security arrangements brought into question the trust and confidence in a fundamental government service. The public’s lack of confidence will linger. The integrity of the collection and its data are of critical value to Australia.”
It said looking at the issue and its impact through the cyber security lens, the lessons are clear about managing risk, about security in a digital age and about Australia’s digital future.
Describing security as a “risky business”, the report says problems on the night of August 9 stemmed from decisions taken well before then: decisions about partnership, procurement and project governance. It suggested that organisational culture and skills also played a part.
Discussing procurement, contracting and governance, the report suggested that procurement practices fell short. Vendor lock-in, coupled with a particularly close and trusting relationship between the ABS and its long-term supplier IBM, meant that the ABS did not seek sufficient independent verification and oversight of critical aspects of the eCensus.
Documentation suggests that there was compliance – risk matrices completed, committee meetings held, minutes taken – but the security culture was not resilient and adaptable.
“The ABS and IBM had delivered eCensus services for the 2006 and 2011 Censuses as well, the latter with a third of the population utilising the online form. Why should 2016 be any different?
“The risk appetite of the ABS was not clearly defined: harm and consequence assessment appeared underestimated – particularly associated with security risks to the eCensus – leading to unsatisfactory risk mitigation strategies.”
Among its recommendations, the report suggested that the Attorney-General’s Department should develop a “Cyber Bootcamp” for senior government executives and ministers as part of the Cyber Security Strategy Awareness programme.
On crisis communications and co-ordination, it said the department of the Prime Minister and Cabinet should strengthen cyber security incident management arrangements across government and ensure the policy is widely circulated, well understood and regularly exercised.
It also recommended that the recently formed Digital Transformation Agency, together with the Australian Signals Directorate and the Department of Finance, should develop a proposal for consideration by the Digital Transformation Committee of Cabinet to create a “cyber security shared services” digital security consulting organisation within the Digital Transformation Agency.
It said, “This would ensure security is integral to all new online service delivery proposals and facilitate partnering between agencies to draw on cyber security expertise in larger agencies with more mature capabilities.”