The attack on the Census last night (August 9) is likely to have been masterminded by hacktivists, not overseas governments, says a cyber security expert.
There were three denial of service attacks on the Census website on Tuesday night but it was the fourth, at about 7.30pm AEST, which caused serious problems and led to the Australian Bureau of Statistics (ABS) shutting down the website to protect data.
Professor Greg Austin, from the Australian Centre for Cyber Security at UNSW, said although it was too early to pinpoint the identity and location of the cyber attackers it was more likely to be hacktivists, not other governments.
“My first instinct was that it was hacktivists,” Prof Austin said. “It’s hard to imagine that there’s a government out there who would risk anything to embarrass the Australian government for its five-year Census.
“I think hacktivists would want to embarrass the government for its ‘continued collection of citizens’ private information’.”
The ABS has ordered the Australian Signals Directorate to investigate the breach amid rumours that Chinese hackers may have been to blame.
Prof Austin said that the Directorate would be on high alert to track down the source as fast as possible.
“At the end of the day, these sources are traceable and attribution has come a long way in the last five years. The government will be absolutely determined to establish whether it was a state sponsored attack.”
Meanwhile, cyber security academics have asserted that privacy fears around data collection are real this time around and they have called on the government to have a national conversation about privacy, not just on the government’s own terms.
In particular, there is a great deal of concern about the changes to data retention in the 2016 Census. Data will be kept for four years, rather than 18 months, with the possibility of it being linked to other data sets such as medical records.
Graham Greenleaf, Professor of Law and Information Systems at UNSW and co-founder of the Cyberspace Law and Policy Centre, told ABC’s PM Radio last night that massive data spills happened in many situations, often with dire consequences for individuals.
“[The] extraordinary expansion of what the ABS is now proposing to do with the data it is collecting, which in effect changes their activity from one of the generation of statistics to one of ongoing surveillance of the whole Australian population – in particular matching of Census data with other data on an ongoing basis – presents great security dangers as well.
“Governments, not just in Australia and not only on one side of politics, but governments everywhere have quite a desire to be able to constantly match and monitor the populations they govern for supposedly well-meaning purposes but with considerable dangers built in.”
Prof Greenleaf said that the government had taken for granted a degree of public trust in its gathering and retention of information that was “simply not justified by our knowledge of the threat out there.”
He said a national conversation was needed about privacy.
Richard Buckland, Associate Professor in Computer Security, Cybercrime, and Cyberterror at UNSW, told RN Drive on ABC Radio yesterday that data about individuals was sought after, both by governments and criminals.
Professor Buckland said past Census data had provided a good snapshot of the country but recent changes made the information more attractive.
“The ABS can now get richer information but that’s a potential privacy compromise for Australians and, speaking concretely, it’s a very tempting target for cyber criminals and nation states who are interested in identity fraud or finding out data on individual people.
“To have all this data in one spot, it’s just a honeypot. It’s just so attractive to criminals.”
He said the public were now more aware of identity theft and privacy breaches after many highly publicised data breaches globally.
He agreed that a national debate should take place to weigh up the risks and rewards of adding names and addresses and keeping them for the Census.
“That’s a big additional risk [and] it’s not clear what the benefits are from that. I think we need to have a really good discussion looking at risk and reward.”
Professor Austin said the government and the Bureau should acknowledge that no data was completely inviolable and admit this to the public.
“That’s part of the conversation that the government has to have with the Australian people,” Prof Austin said. “We have to say that total security of any data in a government system is not possible, whether that’s an insider working for the National Security Agency, like Edward Snowden, or a foreign government.
“The threats are enormous. If a US government department can be hacked at the rate that they’re being hacked … then it’s very difficult for government departments which have low national security to marshal the resources for high levels of security.”
Last night’s cyber attack on the Census website will not just damage the Bureau’s reputation, it also has huge potential to harm the government’s broader digital agenda, from MyGov and My Health Record to electronic voting.