Senate to hold inquiry into Census website failure


news The Senate has announced it will hold an inquiry into the much-criticised failure of the Census website on 9 August.

The Australian Bureau of Statistics (ABS), which is responsible for the setting up and running of the site, said it was shut down as a “precaution” following a combination of heavy site traffic, a hardware failure and a distributed denial of service (DDoS) attack on Census night.

In the following days, Prime Minister Malcolm Turnbull blamed the IT failure on the ABS and its service provider, IBM, saying it was their job to ensure that measures were in place to repel DDoS attacks.

“The fact is that the measures put in place were inadequate. That is the fact,” Turnbull said.

Now the Senate is to refer the affair to the Economics References Committee (ERC) for inquiry. The ERC will report back with its conclusions by 24 November 2016.

The Committee will in particular focus on the preparation, administration and management by both the ABS and the Government in the lead up to the Census, as well as the scope, collection, retention, security and use of the data obtained.

Arrangements, including contractual arrangements, in respect of the information technology aspects of the Census will also be looked at, as will the shutting down of the Census website on the evening of 9 August 2016.

The ERC will examine the factors leading to the shutdown and the reasons given, along with the support provided by government agencies, including the Australian Signals Directorate.

Privacy concerns in respect of the Census, including the use of data linking, information security and statistical linkage keys are also to be considered.

Other aspects of the inquiry will include:

  • Australia’s Census of Population and Housing generally, including its purpose, scope, regularity, costs and benefits
  • The adequacy of funding and resources provided to the ABS
  • Ministerial oversight and responsibility
  • Any related matters

6 COMMENTS

  1. Why are they wasting time on further inquiry? It’s a huge stuff-up. Just cancel it and go again next year – and without any of the personal data matching that has kept me from doing it so far. Still waiting optimistically for total CensusFail.

  2. The firewall fell over because it was doing the geoblocking. IBM refused for Telstra to do it upstream. The failover firewall had no rules set up. A DNS based “attack” made the firewall state table fill up and made it fall over.

    No need for the enquiry just blame the Liberals for their bribing outsourcing and public sector cuts.

  3. Inquiry is simple. The expected security features, such as geoblocking, either weren’t programmed in, or weren’t activated. In hindsight, geoblocking, MyGov, captchas, or some other basic protection would have done the job and there would be no inquiry.

    It’s a catastrophic failure for a relatively small oversight, and really just highlights the risks of the digital age. But it isn’t hard for it to happen. The ATO had a similar oversight last year with etax, where they simply forgot to flick a switch and share the server load across all servers, so effectively DDoS’d themselves.

    As it wasn’t a “do it today” event, it just affected a range of early lodgers and the significance wasn’t as great, but it happened for similar reasons regardless.

  4. “The firewall fell over because it was doing the geoblocking. IBM refused for Telstra to do it upstream. The failover firewall had no rules set up. A DNS based ‘attack’ made the firewall state table fill up and made it fall over.”

    If that’s true Daniel, then that’s a stuff up of basic principles. Questions at this point are:

    1. Where was the failover testing?
    2. Where was the penetration testing?
    3. Where was the load testing?
    4. What load metrics were tested and how are they calculated?

    On something of this scale… I would imagine that IBM is holding the bag… unless of course they can point to someone in government who signed off on testing when it hadn’t been done. Or test/load metrics were inadequate. An inquiry should bring this to light.

    Which of course is wonderful in hindsight, but will the lessons learned be applied in the future? I’m pretty sure we’ll see this muppet show again. It has too much political and financial benefit to be permanently fixed.

    It’s my firm belief that there will be a raft of engineers behind this holding big “I told you so” placards outside some decision maker’s office because they decided it wasn’t “economically feasible to scale that high for traffic and security events of that magnitude.” Will that change things? Only the key decision makers, for the next decision makers to make the same mistakes against recommendations.

  5. There should also be questions around whether there were performance and outcome criteria in the contracts, whether the suppliers involved were paid all of their money and whether performance clauses have now been invoked.

    The privacy issues and feature creep also need investigation.
