Statistics Bureau turns blame on to provider
THE Australian Bureau of Statistics insists it received “various assurances” from the computer company running the online Census about the system’s resilience to denial of service attacks.
But despite the risk management plan listing DDoS attacks as a potential disruption, the online system crashed on Census night after a fourth attack – preventing millions of Australians filling out the form.
In a submission to a parliamentary inquiry into the 2016 Census, the ABS maintains it was part of IBM’s contract to mitigate that risk.
“During 2016, the ABS had sought and received various assurances from IBM about operational preparedness and resilience to DDoS attacks,” the submission says.
It says investigations subsequently identified IBM had failed to properly implement geoblocking under a protec- tion dubbed Island Australia. The ABS said it did not independently test the protections because it considered “it had received reasonable assurances from IBM”.
“At no time was the ABS offered or advised of additional DDoS protections that could be put into place,” it said.
The risk management plan was updated over an 18-month period, including nine risk workshops with both ABS and IBM staff, the submission said.
The ABS details the four overseas DDoS attacks, with the final one interrupting the website about 7.30pm on August 9.
The ABS kept the system offline for about 40 hours to ensure Census data was protected from overseas attackers.
The government-funded body’s submission also addressed the change of protocol to retain names and addresses for four years, instead of 18 months.