Australia's chief cybersecurity adviser Alastair MacGibbon has criticised the infrastructure put in place to prevent a distributed-denial-of-service attack which led to the Census website being taken down on 9 August.
MacGibbon was asked by Prime Minister Malcolm Turnbull to conduct a review into the Census failure, along with the Australian Bureau of Statistics, head contractor IBM and privacy commissioner Timothy Pilgrim, who all conducted separate reviews.
MacGibbon told a senate committee yesterday his report had been completed and was under consideration by the prime minister.
Amid the back-and-forth finger pointing between head contractor IBM and subcontractors Nextgen and Vocus, MacGibbon said all parties involved shared some of the blame.
"I can't determine who is right and wrong, but the customer, the Commonwealth, was not served well," he said.
During the senate inquiry, IBM said the blame lay with subcontractors Nextgen and Vocus, saying the ISPs had not implemented IBM's solution correctly. Vocus denied the claims, and said IBM had rejected Nextgen's DDoS protection solution in favour of Island Australia, IBM's geo-blocking solution.
MacGibbon said there were "better alternatives" to Island Australia for preventing DDoS attacks. He said the concept of Island Australia was to prevent traffic from coming in from overseas; however, the nature of ISPs' services meant that some Australians' traffic was routed through overseas links even though they were in Australia.
He said Island Australia would have been helpful as part of a series of protective measures, but to rely only on one measure was a "failure".
MacGibbon said the ABS also had a responsibility to question whether IBM had delivered the services it was contracted for. He added that there was a degree of "vendor lock-in" because of the ABS's long relationship with IBM, and that competing vendors assumed IBM was already the "natural choice" over themselves. IBM has provided online services for the Census since 2006, and was paid $9.7 million to host the 2016 Census.
While security has remained at the forefront of the debacle, all parties involved have insisted Census data was not compromised.
Even though he was confident the data was safe, MacGibbon supported the ABS's decision to shut down the Census website and leave it offline for two days, despite IBM claiming it was ready to restore the site after three hours. He said that if the website had been restored and knocked down again by another DDoS attack, it would have caused even more damage.