The Australian Bureau of Statistics has laid the blame of the 2016 Census website failure squarely at the feet of IBM in a damning Senate inquiry submission.
In a 128-page document (PDF), which was made available online by The Guardian, ABS chief statistician David Kalisch said the infrastructure offered by IBM did not adequately prepare for “not unusual” and “anticipated” distributed denial of service (DDoS) attacks on Census night on 9 August, which ultimately caused the site to be taken down in the name of security concerns.
“The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system,” the report said.
“Despite extensive planning and preparation by the ABS for the 2016 Census, this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future.”
The submission indicates the lengths both agency and supplier went to in order to mitigate risk of a DDoS attack. IBM's 2014 tender response claimed the online Census would be "highly resistant to web application security attacks". IBM's service-level agreement guaranteed 98 percent uptime within the peak four-hour window, and a fault resolution time of under 30 minutes.
Over an 18-month period, IBM and the ABS held nine "risk workshops". During 2016, the ABS and IBM met with the Australian Signals Directorate (ASD) for a briefing on cyber threats, where DDoS attacks were discussed. A final risk management plan in July highlighted the potential for "loss of system availability through a distributed denial of service attack".
A number of third parties worked with the ABS and IBM to stress test the system, including load testing by Revolution IT, penetration testing by UXC Saltbush, accessibility testing by Vision Australia, and the ASD "reviewing the cryptographic architecture".
According to the Senate inquiry submission, "At no time was the ABS offered or advised of additional DDoS protections that could be put into place. Additionally, no suggestion was made to the ABS that the DDoS protections that were planned were inadequate".
The timeline of the DDoS attacks is also clarified, with the report showing the first of four attacks took place at 10.10am on the morning of 9 August, followed by a second attack at 11.45am and a third at 4.52pm. The most significant DDoS attack came at 7.28pm and had knocked out the website by 7.33pm. The ABS took the website offline at 8.09pm "to ensure Census data was protected".
What else went wrong?
The report outlines other factors leading to the highly contentious 2016 Census.
In the lead-up to the Census, the hashtag #censusfail began trending on Twitter after public outcry over the ABS's plan to retain names for up to four years, and the perceived privacy risks. This "often uninformed" media commentary continued despite the ABS's best attempts to respond, according to the submission.
The call centre was swamped by public fears over fines for non-completion, driven by "unexpected and unprompted" media reports and social media activity about the potential for fines. The ABS had forecast that the call centre would receive 1.6 million calls in 2016, compared with 1.04 million received in 2011. By 8 September, some 3.2 million calls had been attempted, of which 1.1 million had been answered.
The 3000-staff agency also pointed out how budget cuts had affected its ability to do its job. "Constrained resources" have seen the ABS budget and headcount fall 14 percent over the past 15 years, while demands have increased and "become more complex".
The government is also investing $257 million from the 2015-2016 Budget into the ABS, in part to upgrade the agency's "large portfolio of aged, siloed, inflexible and increasingly fragile IT systems".
Last month, the ABS faced a storm of criticism surrounding the service’s shutdown but assured Australians their data had been protected.
Later, IBM broke its silence over the debacle it was paid $9.5 million to help prevent, saying the company “genuinely regret[s] the inconvenience that has occurred”.
The failure sent at least one Australian channel partner into crisis management mode, with ABS load testing supplier Revolution IT quick to publicly outline that security testing was not part of its contractual purview.
Despite the litany of problems, some 94.4 percent of Australian households had completed the 2016 Census, largely in line with previous years, though only 59 percent of 2016 submissions were made online.