The botched 2016 Census has eroded public trust in the government’s digital agenda, claims a review by the Prime Minister’s Cyber Security Advisor Alastair MacGibbon.
In his review of the Census, Mr MacGibbon said the Census meltdown, which trended globally as #CensusFail, had dealt “a serious blow to public confidence” in the government’s ability to deliver digital services.
He said: “The 2016 eCensus was a setback. One of the government’s most respected agencies – the Australian Bureau of Statistics (the ABS) – working in collaboration with one of the technical world’s most experienced companies – IBM – couldn’t handle a predictable problem.
“While the eCensus delivery was a single technical project, it was also a step toward the government’s future digital services agenda. And the setback the Census suffered must lead to a significant mindset shift that all agencies will need to make: digital disruption of their own service delivery.”
The Census website was taken down for 42 hours after several Denial of Distributed Service attacks meant millions of Australians could not complete their eCensus on August 9.
Two investigations into the incident since then – a senate inquiry and Mr MacGibbon’s review – make for grim reading, both for the Bureau and for IBM.
ABS culture insular and complacent
The ICT supremo made clear that the debacle was years in the making and not confined to technical problems and cyber security.
He cited poor project management, communication, procurement and partnership working and took aim at the organisation’s culture.
Mr MacGibbon echoed the findings of a 2013 Australian Public Services Commission (APSC) review, which found ABS culture was “insular, inward-looking, reactive”.
A picture emerges in his report of an agency with deep expertise and boundless confidence, where staff tend to stick around but an agency whose professional pride has led it to cling to past practice and lean heavily towards working in isolation.
Despite this, he acknowledges that the ABS has “aggressively” tried to address the cultural issues raised in the APSC review in recent years.
“No one decision or action in isolation stands out as the primary case of the 2016 Census incident,” Mr MacGibbon’s review said. “But it would be a mistake to conclude that ABS’ established patterns of behaviour – its culture – had no part to play in Census preparations, the outage and the management of the incident.”
He said the prevailing culture had influenced four years of decisions leading up to the troubles with the 2016 Census.
“Many seem innocuous and almost all are compliant with established government practice: ticking the boxes, but not appreciating the challenges that change presents.”
A 2016 CapDa report on the organisation’s Census ICT capability also revealed shortcomings in the Bureau’s culture, including: insufficiently rigorous project management; late consideration of ICT security, performance and accessibility; lack of clarity over the chain of command for decision making and responsibilities and inadequate performance monitoring.
How a flawed culture led to flawed decisions
In a detailed look at how key decisions contributed to the August 9 shutdown, Mr MacGibbon found that ABS culture had a lot to answer for.
- The Bureau spent a lot of time trying to build and test its own online platform for the 2016 Census, using the solution it currentl, wy used from the Netherlands (Blaise) before discovering this could not be scaled up to meet its requirements.
Verdict: ABS was overly confident of its own abilities and looked inward for a solution.
- The ABS chose IBM as its partner in the 2016 eCensus, as it had done for the previous two Censuses and did not go out to open tender.
Verdict: The Bureau relied on a fall-back position with a trusted partner based around a 2006 solution and did not explore other options, e.g. using cloud infrastructure, leading to an element of vendor lock-in.
- Communications to the public concentrated on raising awareness of the Census
Verdict: sticking to the same campaign message from previous years failed to address Australian’s escalating concerns about data privacy and security, amplified through social media.
Mr MacGibbon said: “Raising awareness of the Census was not the problem in 2016. But that is where the ABS put its efforts, leaving a vacuum in the public debate and itself flatfooted when, in the final weeks before the Census, privacy concerns began to create a negative aura around the Census.”
He added that the agency failed to communicate to people that they did not need to complete the Census on August 9 but in fact had 61 days to do so. August 9 was the reference date.
- The Bureau’s behaviour sinc #CensusFail
Although the ABS has apologised repeatedly since the massive outage, Mr MacGibbon said: “it has steadfastly refused to own the issue and acknowledge responsibility for the factors leading to the events and shortcomings of events on the night.”
He accused the Bureau of downplaying the seriousness of the Census night outage, ignoring public opinion on social media and trying to blame IBM in their submission to the Senate inquiry, without accepting its share of the blame.
A series of recommendations came out of his review affecting a number of government agencies and departments including the Australian Signals Directorate, Finance, the Digital Transformation Agency and the Department of Premier and Cabinet.
One recommendation was that senior government executives and ministers be sent on a “cyber bootcamp” to help them understand the fundamentals of cyber security and communicate accurately to the public when things went wrong.
Mr MacGibbon has also asked the ABS to report monthly on its progress against his recommendations, effectively putting its Chief Statistician David Kalisch on report.
He recommended the ABS:
- Engage a security consultant to look at its collection and storage of Census information
- Conduct an independent privacy impact assessment and broader public consultation about any future changes to data retention
- Privacy training for staff
- Produce a strategy to address current vendor lock-in
- Improve the way outsourced contracts are performance managed to ensure better performance monitoring and accountability
- Learn from Census mistakes to drive further cultural change
- Develop a targeted communications strategy to address public perception of Census data quality
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter