There’s nothing like a very public and large-scale cyber-related incident involving almost every member of the Australian population to focus the mind. Michelle Price says we need to heed the lessons from the close call on Census 2016 to strengthen cybersecurity.
Despite the barrage of social and mainstream media criticism, the cyber incident against the Australian Bureau of Statistics’ (ABS) Census 2016, being referred to by the Government as a website denial of service incident, has a silver lining—it has exposed a lack of understanding in Australia around the role of sound risk management in cyberspace.
While the incident is a sore point in terms of reputation and trust, it provides a now very public opportunity for government agencies, at all levels, to take heed of the lessons the ABS will be learning in the hardest possible way. They are lessons that apply to any organisation with a website that is critical to the ability to do business. In short, this can happen to you too.
At a strategic level, these lessons are about understanding and managing the positive and negative risks of being online. Of course, denial of service attacks are but one type of cyber threat organisations need to consider. The risks posed by cyber threats against organisations will naturally vary depending on a range of factors including operational context, business strategy and structure, market behaviour and, arguably most importantly, cyber security posture.
Effectively managing risk in cyberspace reduces the cost of doing business, improves market and customer reach, enables the faster and more convenient delivery of customer services, creates additional opportunities to innovate, and the list goes on. However, if the infrastructure enabling your online endeavours is not appropriately secure, the positives cannot be fully realised, or indeed not realised at all. Further, if the infrastructure is not trusted, even getting out of the gates can be challenging.
Social media commentary from cyber security experts (leveraging the hashtag #censusfail) has rightly pointed out that the ABS and its contractors should have prepared for the reasonably high likelihood of a denial of service attack—and been ready to go on the front foot in the media if such an attack were to be successful.
The significant media attention around the issue of Census data privacy and, to a lesser extent, security, gave the ABS a big heads-up on the possibility of something of this nature happening, malicious or otherwise. There are also the experiences of other Government agencies to draw on: moving from analogue to digital service delivery has generally attracted similar debates about privacy, trust and security, and denial of service incidents have been suffered in the past.
The announcement by the Commonwealth’s Privacy Commissioner that he will investigate the privacy implications of the incident will go some way to assuring Australians that the Government is focused on protecting the privacy of personal information. It may also help repair some of the damage done to people’s trust and confidence in online government service delivery.
But what of security and risk? The swift move by the Prime Minister to ask his Cyber Security Special Adviser to also investigate the incident will likely elicit an understanding of what happened from a technical perspective but also, and perhaps more importantly, whether government agencies cooperated sufficiently on the cybersecurity of the online Census (noting that primary responsibility lies in this case with the ABS). This will be the opportunity to identify lessons for improved cyber risk management in the future — and how agencies and other organisations can set about applying them.
Regardless of where these investigations lead, issues relating to cyber incident management, the resilience of infrastructure and ICT supply chain security will no doubt arise. All are matters of risk and risk management. To fully appreciate the outcomes of the investigations and their implications, one hopes #census2016 delivers greater collaboration between organisations on cybersecurity and compels better consideration of, and planning for, cyber risks going forward.
It should also speed up implementation of the initiatives in the Government’s Cyber Security Strategy focused on improving the cybersecurity of its agencies.
It may be wafer thin, but it’s a silver lining nonetheless, and one that will only grow in importance in line with our dependence on online service delivery.
This was not a security failure in any sense.
Initially, it was a complete lapse of judgement to outsource the project to anyone. Then there was a total failure to conduct a proper risk assessment, supervise the contractor, and finally to listen to in-house concerns – or the concerns of the Australian people.
This is textbook project management failure – and the failures are common to any project.
Then there was the actual execution and real-time mitigation of the issues arising on the 9th, which would have been trivial had either IBM or ABS planned properly in the first place. As reported, a 2Gbps DDoS, if it even existed in the first place, is a mere rounding error on a real attack.
The lack of redundancy, the lack of physical diversity, and the obvious-to-anyone-that's-done-year-10-maths design rate of 250 transactions a second show that everyone involved knew nothing about what they were doing.
Anyone with the slightest knowledge of deploying resilient online services is either laughing or crying about how ineptly this has been put together. How can the Government, with "Cyber Security Special Advisors" and $460k of testing, get this so, so wrong?