The prime minister’s cybersecurity adviser, Alastair MacGibbon, has sounded off on the “cosy relationship” between the Australian Bureau of Statistics and its key contractor, IBM, in the lead-up to the Census failure.
The Census website was taken offline on the night of 9 August after suffering four separate DDoS attacks, leaving millions of Australians unable to complete the survey.
In his review into the much-derided online Census collapse in August, MacGibbon was highly critical of the ABS’ failure to seek proper assurances from IBM that the Census website’s cyber security was adequate.
He said that the ABS had developed a strong trust in IBM following the IT provider’s involvement in the online components of the 2006 and 2011 Census.
“As a result, the ABS became reliant and dependent on IBM. The ABS did not have an effective means of monitoring and assessing IBM as an outsourced service provider and therefore did not measure, monitor, and control the enterprise risks, including cyber security risks, represented by the contracting arrangement,” the review said.
He said that cost may have been a factor in the decision to stay with IBM, noting that IBM’s contract accounted for only $9.6 million of the eCensus’ total cost of $471 million.
“IBM’s assurances were taken at face value: if IBM said in an email that DDoS protections worked, the ABS took comfort.
“The ABS provided minimal challenging or inspection, and did not use third parties to test and verify that DDoS protections were actually in place or effective.”
As a result, MacGibbon recommended that the ABS “develop a specific strategy to remove the current state of vendor lock-in” and reduce its dependence on IBM.
He also suggested ways the government should overhaul its ICT procurement methods, such as introducing a “staged-gate” approach in which suppliers would be paid in increments for reaching set milestones.
“At a macro level, current business case, funding, procurement and contracting frameworks all inhibit leaner, agile processes. Business cases must be modernised to accommodate digital programmes characterised by smaller, cheaper, incremental outcomes that are faster to deliver.”
He also singled out the ABS’s procurement team for failing to understand the risks associated with its closed tender approach to the eCensus.
“The role played by the ABS’s procurement team in the IBM outsource was that of a facilitator and did not display any understanding of key risks associated with a single tender action or more generally those associated with outsourcing. The success of all other changes in the ICT procurement sphere is ultimately dependent on the expertise of the procurement professionals tasked with their implementation.”
The Senate handed down its own review on Thursday, reinforcing MacGibbon’s criticisms of the ABS’ complacency in testing and of IBM’s failure to prevent the attacks.
The senators made a number of recommendations, including:
- Update guidelines so that consultation requires active engagement with the non-government and private sectors
- The ABS must publicly commit to reporting any breach of Census data within one week
- The ABS commit to an open tender process for future engagements regarding the Census
- Make information about fines for Australians who do not participate less vague
- The ABS take a more proactive role in validating the resilience of the eCensus website
- Continue funding the ABS for the Census in 2021