Home Sector Federal Census botch: Heads will roll … but whose?

Census botch: Heads will roll … but whose?

Census botch: Heads will roll … but whose?

 

 

Prime Minister Malcolm Turnbull promised he would decide “which heads will roll and when” in the aftermath of the Census fiasco and a recent public hearing into what went wrong provides interesting clues as to whose blood could be spilt on the government’s guillotine.

The Prime Minister was given the report examining the Census night imbroglio by his special advisor on Cyber Security Alastair MacGibbon on October 14 and the Senate Economics References Committee is due to release its report on what happened on November 24.

Government News takes a look at who could be in the firing line following Mr MacGibbon’s excoriating evidence delivered at the Senate Committee inquiry on Tuesday this week, which implicated both the ABS and IBM in the embarrassing meltdown of the eCensus and the 40-hour delay getting it back up online.

In his evidence to the inquiry Mr MacGibbon concluded: “In strict terms of service delivery the contract was not delivered upon but the ABS could have done more to ensure it was”, adding that the four small denial-of-service (DDoS) attacks should not have brought the system to its knees.

 

IBM

IBM has come in for a fair bit of criticism so far during the parliamentary inquiry, particularly around the geo-blocking system the company put in place.

The global tech giant failed to spot the serious flaws inherent in the Bureau’s so-called “Island Australia” back-up plan, which was supposed to protect the system during a DDoS attack.

Island Australia was supposed to block an international attack but this affected IBM’s ability to reset passwords for Australians completing the Census because its password reset facility was hosted offshore.

In addition, IBM had not properly coded a router connecting to Telstra, which meant that the coding “fell out” when it was turned off, turning it into a “dumb unit” that had to be recoded. This meant the system could not be restarted for hours.

A senior engineer from IBM Michael Shallcross revealed during the inquiry that turning the router off and on again could have detected the problem earlier thus avoiding the 40-hour shutdown.

But while the company has accepted some responsibility for what went down on Census night, IBM has also sought to shift some of the blame onto its subcontractors, NextGen Networks and Vocus Communications, claiming they had not properly followed geo-blocking protocols.

Both companies have strongly denied the allegations, laying the blame at IBM’s feet and accusing it of failing to follow their advice to take extra precautions against DDoS.

While the global IT giant “unreservedly apologised” for the stuff ups and IBM Australia director Kerry Purcell said he took full responsibility, he admitted that nobody from IBM had been sacked – or even disciplined – over the debacle.

 

kerry4_opt

IBM’s Australia boss Kerry Purcell. Pic: IBM

 

The eCensus failure is estimated to have cost the government $30 million – more than three times the value of IBM’s eCensus $9.7 million contract  – but IBM has also said that it sustained extra costs.

Mr Purcell made it clear that IBM will seek compensation, saying: “We have reached out to the Australian government to seek to resolve the additional costs incurred as part of the Census.”

The company is understood to be in negotiations with Treasury secretary John Fraser to strike a commercial agreement.

What Mr MacGibbon said

Damningly, Mr MacGibbon said that the four DDoS attacks which helped trigger the 40-hour shutdown were “eminently predictable” and should have been expected.

The attacks were small, at around three gigabits per second, compared with those routinely faced by corporations and government, at around 100 gigabits per second, he said.

“The ABS did call for DDoS protections in its contract, in its tender process with IBM and IBM responded to say that they would put in place DDoS protection,” Mr MacGibbon said. “It’s expected and it should be dealt with. These were eminently small attacks and they should not have degraded the ABS system.”

He said there were better and more logical alternatives to the Island Australia geo-blocking approach, especially when some Australians with Australian-based ISPs may also route in from overseas and passwords might need resetting.

Mr MacGibbon said that DDoS attacks did not themselves take the system offline.

Instead, it was a combination of IBM’s attempts to recommunicate with their data centre (after discovering they had misconfigured the router at the Telstra end) and the misinterpretation of data on a load monitoring system, which was originally interpreted by the ABS as a possible hack.

Verdict: It is hard to believe that everybody from IBM will emerge unscathed from the parliamentary inquiry and Mr MacGibbon’s report.

 

The ABS

ABS Chief Statistician David Kalisch admitted the Bureau had made some poor judgements and vowed to correct its mistakes before the next Census in 2021, including identifying and mitigating risks and improving communications with the public, particularly around changes to the Census and how long people have to complete their forms.

“We had the capability and we had the capacity for people to complete the Census on the night and the DDoS event just shouldn’t have occurred,” Mr Kalisch told the inquiry earlier this week.

 

david-kalisch
ABS Chief Statistician David Kalisch. Pic: ParlView.

 

What Mr MacGibbon said

He criticised the ABS for not keeping a closer watch on IBM and said the Bureau could have done more to find out what protections the company had actually put in place and what action would be taken if the attacks occurred.

The Bureau’s contract with IBM also came under scrutiny.

Mr MacGibbon said, “I believe that there was an element of vendor lock-in. There could have been other paths that the ABS had taken but chose not to. I’ve come to some conclusions and recommendations around that.

“They [the ABS} could’ve gone and had more third party testing done. They may have asked more questions of IBM, proof of what they were delivering, the services they were contracted to do, absolutely. The ABS could have done more. Clearly mistakes were made.”

In his written submission to the senate inquiry, Mr MacGibbon said the ABS asked IBM to pull down the site after misinterpreting data which showed unusual traffic patterns, concluding that it could be a “potentially malicious” attack. He said the Bureau later realised the spike in traffic was not a security concern.

However, he told the committee that he agreed with the Bureau’s decision to wait almost two days before reinstating the system.

“The only one thing worse after four DDoS was to get the site back up and have it knocked down again. Quite rightly there was extreme concern about making sure when the site went back up it was robust enough to cope with whatever the internet would throw at it.”

Verdict: Perhaps the Bureau’s show of contrition may be enough for ABS staff to keep their heads. Instead there could be a tightening of rules around procurement, system testing and contract monitoring, possibly using a third party.

 

Minister Michael McCormack

The Opposition is particularly keen that if anybody is going to get decapitated it should be Small Business Minister Michael McCormack, the minister responsible for the Census.

 

michael-mccormack

Michael McCormack

 

Shadow Assistant Treasurer Andrew Leigh has blamed a succession of Ministers in the job for failing to scrutinise what was going on at ABS and not engaging with the public about their concerns. He also criticised the government for slashing funding to the ABS and leaving the position of Chief Statistician vacant for nearly a year.

“A strong government would have stepped up and taken responsibility because that’s the tradition of ministerial responsibility in this country,” Mr Leigh said.

“When public servants do good work behind the scenes, Ministers are entitled to stand up and claim credit – whether it is for a trade deal or for a Budget but when things go wrong Ministers also have to accept responsibility under the Westminster system yet what we have seen from the Turnbull Government is less personal responsibility than Donald Trump.”

He said the government was attempting to blame corporations and public servants for their botching of the 2016 Census, “Let’s be clear: you can’t outsource that responsibility.”

Verdict: Unlikely to go. Mr Kalisch has repeatedly stated that responsibility for what happened lies with the ABS, not the Minister.

Like this news?

Leave a Reply

Your email address will not be published.