Remember the #censusfail incident last year when millions of Australians were unable to fill out the mandatory Census online because the website was slammed by a distributed denial-of-service (DDoS) attack? It appears the ABS was overconfident about the website's ability to fend of a DDoS attack.
Three months before Census 2016, the Australian Bureau of Statistics (ABS) was questioned about how resistant the Census website would be against distributed denial-of-service (DDoS) attacks. The ABS seems confident that the website could withstand DDoS attacks. In a heavily redacted document obtained by the ABC, the ABS said this:
At high level our architecture resists DDoS attacks via use of multiple layers of security.
… In general terms our experience is that most external DDoS attacks are stopped at the [REDACTED] or, increasingly, in front of it as cloud services are more widely utilised. The 2016 Online Census uses [REDACTED] for key web-facing elements such as content and email delivery.
As we know now, the Census online site was brought to its knees by what was considered a puny DDoS attack and was down for several days. The 2016 Census was already a controversial one due to privacy concerns; it didn't need any more bad publicity.
In the weeks following #CensusFail everybody involved passed the buck: There was a Senate enquiry into the matter; the ABS blamed its IT provider IBM. IBM blamed the ISP NextGen Networks. NextGen blamed IBM. You get the idea.
In the end, IBM had to cough up $30 million in compensation to the ABS.
The ABS had to shoulder some responsibility for the Census 2016 debacle as well. The Prime Minister's cyber security advisor Alastair MacGibbon criticised the ABS for placing too much faith in IBM.
"IBM's assurances were taken at face value: if IBM said in an email that DDoS protections worked, the ABS took comfort," MacGibbon said in a report on #CensusFail.
The Government still deemed Census 2016 a success. According Small Business Minister Michael McCormack, who is responsible for overseeing the ABS:
"More than 96 per cent of Australian households completed their census, which is on par with the 2011 census. A record 58 per cent of Australians completed their census online."
We can all agree that this year's Census has been a colossal snafu. The Australian Bureau of Statistics (ABS) shutdown the website after it was supposedly hit by a number of distributed denial-of-service (DDoS) attacks. This was after the Census website had been stress tested. So what can organisations learn from this incident? Let's find out.