Summary:

• During the 2016 Australian eCensus, the Australian Bureau of Statistics (ABS) conflated buying controls with shifting risk to another organization.
• When a small DDoS disabled the eCensus, and IBM, the major technology partner, was unable to mitigate the attack, the ABS then doubled down and then tried to shift its responsibilities to the Australian Signals Directorate.
• Buying tools and services should never be confused with absolving you of your technology risks.

In 2016, the Australian eCensus experienced a series of relatively minor DDoS events. In response, IBM, ABS’s outsourcing partner, initiated its fortress Australia strategy and geo-blocked non-Australian web traffic. Unfortunately, a router in Singapore was overlooked and the DDoS traffic continued to flood in.

When the DDoS finally stopped on its own, IBM’s network performance monitoring system indicated outbound traffic from the census system that the company couldn’t identify. IBM and the ABS were therefore unable to confidently say whether this traffic was malicious or not. 

At 8:09pm on Census Day, with a growing sense of panic, the ABS closed the eCensus for fear that it may have lost confidential information and called in the Australian Signal Directorate (ASD) to investigate.

Technically, it was a series of unfortunate events: IBM overlooked a router in its planning, couldn’t reach key routers due to congestion, and one of its routers rebooted into a default configuration. Additionally, network monitoring was based on the unreliable simple network management protocol (SNMP), which is designed to be dropped during congestion. So, when everything eventually reconnected, monitoring showed a large jump in the cumulative packet counters, and this jump was incorrectly interpreted as data exfiltration.

However, the biggest misstep of all came from the naïve assumptions made by the ABS. After engaging IBM, the ABS essentially stopped thinking about the technical threats to the eCensus, including the possibility of DDoS attack. They had engaged a world-leading company. They no longer had to worry about technical issues. 

The ABS thought that it could pay IBM to take on its risk obligations. Instead, the ABS conflated purchasing technology controls with shifting responsibility to another entity. This mindset continued when the ABS then tried to shift its responsibilities to the ASD. Two days later, when the eCensus was eventually reinstated, the damage was done and the reputation of the ABS and public confidence in the Australian Government’s ability to deliver online services was irreparably damaged.

Investing in buying controls, mitigations, and other tools and services is a great idea, but it never absolves you of risk that is yours alone. 

For me, the lesson in the 2016 Census is that cybersecurity can be illusory. For those who find comfort in buying tools and services, no amount of outsourcing will absolve you of your ownership of these risks and the inescapable accountability that comes when it all goes wrong. It’s a much safer strategy to go back to basics on risk and then pick the best solution for the problem.