‘Ethical hackers’ have tested Australia’s new online census system

In the lead-up to tomorrow’s census, cybersecurity specialists have been bombarding the Australian Bureau of Statistics’ online systems to see if they can be broken.

The head of the ABS, Australian Statistician David Gruen, says everyone involved in preparations for this exhaustive national headcount is intensely aware of the damage done by the distributed denial of service (DDoS) attacks that hit the online system in 2016. A DDoS attack is designed to disrupt or degrade an online service by flooding the system with traffic, consuming and diverting resources needed to support normal operations.

A significant range of people might be keen to attack a census, Gruen said. ‘We know we have to be ready for the full gamut, from kids who think it would be smart and a feather in their cap to have the census fail, through to state actors. We are collecting sensitive data which needs very strong protection.

‘We are confident, but there is an irreducible level of risk that you just can’t eliminate.’

The ABS has offered an online option since 2006, but the 2016 census was the first intended to be primarily digital.

At 10.10 am on 9 August 2016, the eCensus system experienced the first of four DDoS attacks. It was regarded as a small attack and the public lost access for just five minutes.

The ABS and IBM, the company contracted to build and run the eCensus, decided to implement a measure known as geoblocking to deal with any future attacks. This ‘island Australia’ step was intended to block all non-Australian IP addresses.

At 11.45 am, a second attack occurred and the island Australia geoblocking process was implemented. A third attack, at 4.12 pm, was thwarted by the geoblocking and failed to shut down the system.

The fourth and most complex attack came at 7.28 pm. This time the geoblocking didn’t function as intended and the eCensus system was degraded faster than in the first three attacks.

In responding to the fourth DDoS attack, IBM discovered that it couldn’t log on to the routers at the IBM end of the links with the internet service providers. When the routers were rebooted, one of them couldn’t be reloaded because settings were incorrect. IBM had to load it manually.

Then an IBM network performance monitoring system indicated that there was outbound traffic from the census system and the company couldn’t decide whether it was malicious or benign.

As the situation escalated and became rapidly more uncertain, the ABS opted at 8.09 pm to close the eCensus because it feared confidential information might be downloaded under cover of the DDoS attacks.

It was later determined that there was no unusual outbound traffic from the system—no information had been lost.

The system stayed down for nearly two days. The episode, and the confused messaging that surrounded it, shook public confidence in online systems generally and raised concerns about the government’s ability to store information securely.

In October 2016, the prime minister’s special adviser on cyber security, Alastair MacGibbon, produced a report on what was known by then as the #CensusFail incident.

MacGibbon concluded that the outages were preventable and resulted from a failure on the part of IBM to deliver on its contractual DDoS obligations. In addition, he said, the DDoS attacks on the ABS were small. Another government website was subjected to attacks many times more intense without suffering an outage.

MacGibbon noted that a DDoS attack isn’t a hack, a breach or a compromise where data is removed or altered. But such attacks can be used as a cover to divert attention while data is taken.

And he said the outages weren’t caused by Australians filling out the census online. In fact, the loads on the system were tracking according to predictions and were well within its capacity.

Those responsible for the DDoS attacks weren’t identified.

Gruen said that on census night in 2016, the ABS decided to shut the system down because it was critical that information not be lost from it. ‘As it turned out, no data was taken out of the system.’

Those events have been thoroughly investigated and all recommendations of various investigations have been implemented by the ABS.

‘It’s critical that we have involved the Australian Cyber Security Centre (ACSC) which is a part of the Australian Signals Directorate,’ Gruen said.

The centre was closely involved in the development of the new census digital service. ‘They were involved in the tender process, and they’ve overseen testing of our system in a range of ways.’

That included ‘ethical hacking’ by skilled private-sector practitioners testing the system for vulnerabilities with DDoS attacks of their own.

‘We have worked very closely with the ACSC to be sure that everything we’re doing makes sense from their point of view.’

Gruen said the risk of cyberattack couldn’t be eliminated. ‘Cyber criminals have also got more sophisticated, but everyone involved in the 2021 census is well aware of what happened last time.

‘There’s enormous determination that we safeguard the system as well as we can.

‘I don’t want to claim nothing can go wrong, but we have certainly done a huge amount to ensure the system has been tested at well above the levels of traffic we anticipate on the day.’