Cyber adversaries around the world will be targeting this year’s census, which is certain to come under attack again, cyber security experts say.
It’s just a matter of how well the lessons of 2016 have been learnt and whether measures taken by the ABS to protect against a repeat performance will prove to be effective.
Australia made global headlines for all the wrong reasons in 2016 when the census website was taken offline for two days after a failure of multiple IT controls.
Director of the RMIT University Centre for Cyber Security, Professor Matt Warren, says the 2016 disaster was the result of a number of factors including a series of distributed denial of service (DDoS) attacks, hardware problems and outsourcing failures.
“The census was hit by a number of denial of service attacks, which is when an attacker directs vast amounts of network traffic against a server,” he told Government News.
“The other problem was a hardware issue because they hadn’t tested to see what would happen if millions of people tried to access the system at once.
“Then the ABS suspected a serious cyber incident and they took it offline for 40 hours to try to determine what was going on.”
The problems also reflected shortcomings in the service agreement with the provider, IBM, which meant the system wasn’t properly tested, Professor Warren says.
Senior analyst with the Australian Strategic Policy Institute and author of an ASPI guide on building government services for peak demand, Tom Uren, says he’d be surprised if the census wasn’t targeted.
“It’s very likely that, like last time, the census will be targeted by garden variety denial of service attacks that try to overwhelm it,” he told Government News.
“I’d be positively surprised if they weren’t targeted.”
System rebuilt and tested, ABS says
The ABS denies that the system was overloaded but says an attempt to restore it during the fourth and last DDoS attack led to the failure of one of IBM’s routers.
It also says no personal information was inappropriately accessed, lost or mishandled.
This year the ABS has awarded the $7 million contract to deliver the census digital services to consultants PwC and the system has been completely rebuilt since 2016, the ABS says.
“Since the DDoS incident which affected the 2016 census, the ABS has implemented DDoS protections and conducted regular DDoS testing to verify its protections,” a spokeswoman told Government News.
“The Census Digital Service has been architected and designed to handle large loads and defend against large scale sophisticated DDoS attacks.
“The Census Digital Service has undergone extensive security testing including a number of rounds of very large DDoS tests.”
A different environment
But Professor Warren says the 2021 census is facing a different cyber security environment from five years ago.
From a geopolitical perspective, Australia has become the victim of more sustained threats and cyber attacks, including attacks by criminal gangs and ransomware, he says.
Adversaries will be drawn to the census for a number of reasons, including to embarrass the government or erode public confidence in the ability of the ABS to carry it off.
“The census is a very high profile online event for Australia which cyber adversaries around the world would be focused on,” he says.
“Certainly there are going to be attacks because of the nature of the system being online.”
Mr Uren remains optimistic about the ability of the census to withstand attacks.
“I’m sure that the security and resilience of the Census has been thought about a lot more seriously and there are a lot more protections,” he says.
“This doesn’t guarantee it’ll go off without a hitch, however, but I’m optimistic that it will work well.”
Professor Warren says while the ABS will have built more security and resilience into the system to reduce the impact of denial of service attempts, the real test will come next week.
“Certainly the government has prepared for it, but Tuesday’s going to be the date where we find out if this has been successful.”
A report by the Australian National Audit Office released last November concluded that planning for the 2021 census had been only partly effective and that “the ABS had not fully implemented all the lessons from the 2016 census”.