Labor has wasted little time in lashing out at the government for the failure of Census 2016 to withstand a claimed DDoS attack, with Shadow Assistant Treasurer Andrew Leigh saying the Census has been botched.
“This has been the worst-run Census in Australian history. One of the worst IT debacles Australia has ever seen,” Leigh said on Wednesday.
“The government should have been preparing for this. It’s not like the Census comes out of the blue and catches you unawares. But they’re complaining that because the election took place they couldn’t properly plan for the Census. That’s frankly not good enough.”
Leigh squarely placed blame on the startup mentality promoted by Prime Minister Turnbull.
“Malcolm Turnbull two years ago said the real problem with public servants is they don’t get over their ‘fear of failure’. He said public servants need to have less of a fear of failure.”
“We can see where that startup mentality has taken Australia last night. This Census was an utter debacle for many millions of Australians.”
“They’ve failed to adequately manage the risks, bringing to Government a sort of startup culture rather than a careful, methodical approach which would have seen Australians be able to fill in their Census last night.”
Later in the day, Opposition Leader Bill Shorten called on the government to reconsider storing name and address data for four years, and to return to the 18-month window the Australian Bureau of Statistics (ABS) used in the 2011 Census.
“We think that the Senate needs to inquire into how this has happened and how can we make sure this doesn’t happen again,” Shorten said.
“It has taken us 100 years to build confidence in the Census. It has taken Malcolm Turnbull one Tuesday night to see this bungle undermine confidence in government institutions.
“Unarguably, there’s questions to answer about hardware, about protocols, so I hope that this Government is not so weak and pathetic that they just blame some public servant who’s not able to defend themselves.”
Earlier today, the ABS said it was under denial of service attack throughout yesterday, before a hardware router failure sparked a series of events that resulted in the Census site being pulled down last night.
Minister for Small Business Michael McCormack said three events occurred in rapid succession, which led to the ABS deciding to pull the Census site down.
“Had these events occurred in isolation, the online system would have been maintained,” the minister said. “There was a large scale denial of service attempt to the Census website and online form … following, and because of this, there was a hardware failure.
“A router became overloaded. After this, what is known as a false positive occurred. This is essentially a false alarm in some of the system monitoring information. As a result the ABS employed a cautious strategy which was to shut down the online Census form to ensure the integrity of the data already submitted was protected.”
Nick Morgan, Managing Director of Triskele Labs, said the Census site should have been able to withstand the traffic assault.
“If this was a DDoS attack … with the current tools available to even laymen users, these types of attacks need to be expected,” he said. “The Census website should have been adequately load tested to withstand a significant amount of load.”
Morgan said denial of service mitigation tools that can identify illegitimate traffic and route it elsewhere should have been used.
“This mitigation has been available for a significant amount of time and is inexpensive. Unfortunately, as with most security, it is seen as unnecessary, as it is difficult to prove the return on investment until an attack happens, which by then is too late,” Morgan added.
“If this turns out to be a more sinister attack, then it is a bit more difficult to protect against, but still could have been achieved.
“[For organisations unprepared] to handle large volumes of data through DDoS mitigation techniques, the full force of these issues will be found and web applications rendered unusable, as we have seen in the past with Sony, international government agencies, and now the Australian Bureau of Statistics.”
Macquarie Government, a member of the Macquarie Group, said it deals with denial of service attacks against its government customers daily.
“These can be small and short, or big and sustained like the ABS attack, but all rely on poor security awareness among other people, allowing their computers to be weaponised,” said Aidan Tudehope, managing director of Macquarie Government.
“Corporate networks are particularly attractive targets because they can have huge capacity and many connections to the internet.”
“They are like the cyber equivalent of an aircraft carrier.”
Speaking on Sky News, Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon said a better job could have been done, but the situation could have been worse had an exfiltration of Census data occurred.
“A denial of service attack, by its very nature, is designed to prevent you and I, as good customers, from engaging with a service; that was successfully done,” he said.
“The benefit of hindsight, I’m sure, is going to say to the ABS, and IBM, and probably to a range of others, that there are lessons to be learnt here about more redundancy and a few other things.”
Melbourne-based Revolution IT was awarded over AU$580,000 in contracts to conduct load testing for Census 2016, while global client IBM picked up almost AU$10 million to run the online Census.