Contracts key to #Censusfail

 


Contracts. They’re not glamorous, they’re rarely interesting, but when it comes to something as major as the Census website shuddering to a monumental and nationally embarrassing halt we all want to know what’s in them.

Who was responsible for what and why it happened in the first place is still being ascertained after the Australian Bureau of Statistics’ (ABS) website, contracted to IBM for almost $10 million, crumbled under multiple Distributed Denial of Service (DDoS) attacks on the evening of August 9, as thousands of Australians tried to log in and complete their Census forms online.

Prime Minister Malcolm Turnbull called it a “failure of service provision” and accused IBM of not putting enough safeguards in place to deal with “an entirely predictable circumstance.”

Stinging words of rebuke. Indeed, the government has refused to rule out seeking compensation from the tech giant, a legal dispute the company will be desperate to avoid.

There are early signs the intelligence agency investigating the collapse of the Census website, the Australian Signals Directorate (ASD), will lay at least some of the blame at IBM’s door but the buck will most likely stop with the ABS.

It appears likely that there was no back-up when the system was battered by DDoS attacks on Census night and no upstream provider to keep the site up for the public to access.

Close attention will be paid to the content of IBM’s contract with the ABS. Questions will be raised over what kind of disaster response plan there was, both technologically and for communicating with the public should trouble strike.

Scrutiny will also fall on the extent to which IBM failed to anticipate and prepare for the worst.

Alex Gelman, National Head of Technology Advisory Solutions at advisory firm Grant Thornton, said governments across Australia should take heed and check their contracts did not lean too heavily on process at the expense of outcomes.

“A lot of contracts fail to include any sort of performance outcomes measures,” Gelman said. “They typically deal with the process of implementing the technology.

“In general terms, it seems to be difficult for government agencies to define outcomes and deliverables with vendors and service providers, and vendors don’t want to commit to these outcomes, so as a result everyone leans back.”

Gelman said it was clear that there was not a business continuation plan in place when the website went down because it took until after 6am the next morning for the ABS to issue its first press release giving the public advice on what to do.

“It was obvious that there would be some form of DDoS or some other hacking because it was such a big public event,” he said.

“Who was responsible for the router? We don’t know, but ultimately the ABS is responsible. It’s their program. Who they get to do the work for them is totally up to them.”

He said it was important to structure contracts in the right way. A project governance layer providing independent oversight, perhaps supplied by a third party, was useful because it lent a fresh pair of eyes, as were in-house standards and rigour.

Schedules delineating what should be done by when and who bore ultimate responsibility were essential.

Gelman said: “My only hope is that any future contracts are outcomes based and they learn from challenges that have occurred.”

The failure of the ABS website will have scored palpable hits to the Bureau’s reputation and the public’s trust in the agency – although the online completion rate for Census forms has miraculously lifted of late and is ahead of target – and will have done no favours for IBM’s reputation.

The company currently handles around $2.4 billion of business for federal government departments and has its eye on future lucrative government contracts, such as the upcoming $1 billion contract to overhaul the federal government’s ailing welfare computer system.

But many people have not forgotten one of IBM’s most spectacular disasters: the $1.25 billion payroll failure in Queensland in 2013, which was plagued by long delays and budget blowouts and resulted in thousands of health workers being paid the wrong amount or not being paid at all.

The Queensland government lost its 2.5-year bid to sue its one-time IT partner in April this year and now faces a hefty legal bill. IBM challenged the lawsuit – and won – on the basis it had signed a 2010 agreement releasing it from paying damages.

The inquiry into the payroll stuff-up declared it one of the worst failures of public administration in Australian history, also landing blame on public servants who had failed to manage the project properly. Contracts: boring but important.


2 thoughts on “Contracts key to #Censusfail”

  1. There was no SSL (TLS) on the census entry page.

    There was no “https://” in front of any URLs we were told to type in.

    The entry page had no HSTS mitigation against MitM attacks.

    It is impossible to “step up” to any kind of security when you did not start with a secure connection, so every claim we are being told about our census being secure or our data being private is a complete lie. I told them, many times, during the census, and after, and nobody fixed it.

    They did not protect us. They did not act on public reports of security mistakes. They continue to deny they even made this mistake, even in the face of being shown the evidence, they still deny it.
