15 August 2016

Census debacle – drastic consequence

John Hargreaves

A cursory look at the fallout from last Tuesday’s #censusfail and at the issues confronting the ABS will point to some pretty scary consequences for this country.

We all know that the conservative governments have this commitment to privatisation in their DNA even though many will tell them that they should tread carefully.

Privatisation is not the panacea for all public sector evils.

As an aside, I remember when I was in the public service and in charge of a car pool: we were told that the whole system would be centralised, with economies to flow. What actually happened was that the whole thing was privatised once centralised, and it instantly cost an extra 12%, which was the profit margin of the private sector.

Indeed, the officer working to me who had responsibility for the car pool in ACT Health and again in ACT Education, actually made money out of the resale of cars after certain periods of actual agency ownership. That disappeared.

Back to the ABS. Management decided to outsource the IT function of the ABS to IBM for about $10 million. The same people tried to further cut the ABS by introducing 10 year censuses instead of five year censuses. Talk about messing with death!

What happened? The integrity of the system was compromised and it had a breakdown. It had a seizure. That seizure is called a denial of service attack. It was hacked! Call the spade a bloody shovel why don’t you?

So the political response was to bring in the cops! The Australian Signals Directorate (read: spooks) comes in to see what damage to national security has occurred, only to give it the green light.

But the damage has been done.

The issue, apart from the physical intervention, is really the notion of trust and risk. The commentariat has bleated on and on about breaches of privacy (even if the Privacy Commissioner doesn’t see a problem) and the trust that the ABS can keep private information private has been compromised.

This just proves the point that governments can transfer financial liability for a project to the private sector but they can’t transfer the risk. Culpability for failure will always rest with the Government of the day. This is why the PM came out so firmly and so threateningly. But he can’t escape the fact that his government took the funds away, his government emasculated the ABS and now is looking for a scapegoat.

The reputation of the ABS may never be the same. Who can trust it to function properly ever again? We forget that the Australian Government and people of Australia are not the only customers of the ABS. Business relies on the accuracy and integrity of the data. Well perhaps not now.

One needs now to look at repercussions in the wider government service arena. How much confidence can we have in the Centrelink and other social service IT systems? We’ve already seen Centrelink delay pension payments because of IT glitches, so is the ABS just another symptom of a wider malaise? I think so.

As a further aside, why anyone would rely on an international company domiciled in another country for its information integrity and security is beyond me.

What about the proposal for online voting? We have electronic voting now in the ACT and there has been a movement promoting online voting as an extension. Who’s going to support this now? How can we have confidence in the respect of our privacy? We can’t.

Someone I spoke to yesterday likened this debacle to that of the Australia Card proposal which got killed in the mid-’80s. It got killed because no one could guarantee that the data collected would be safe from being hacked. The same conversation happened around the metadata retention recently.

My mate who is a tech head says this debacle has put back online voting 20 years. Perhaps he’s right.

I’ve never been a fan of privatising personal information. I have always been wary of the Big Brother attitude of the banks. I object to being canvassed by people who have accessed my personal information from so-called secure sites.

This debacle has not helped!


Outsourcing IT doesn’t equate to privatising the APS, i.e. outsourced IT supports the business processes of the public service; it doesn’t replace them. The ABS IT systems are critical in supporting the Census and don’t compare to running a car pool.
The Government and the APS aren’t one and the same, i.e. in this instance the ABS is accountable for the Census regardless of the Government of the day.
The ABS outsourced the Census system to IBM however the complete solution also includes other essential components such as data warehousing and ISP services and on it goes. No doubt the ASD report will explain the entire solution but we already know that the ABS is accountable for the final and complete solution.
GeoBlocking is an essential DDoS mitigation tool as it prevents overseas internet traffic from impacting the Census website. Telstra is the ISP for the ABS and although they had recommended and offered the GeoBlocking service, the ABS declined to implement that solution component.
The ABS claimed multiple DDoS attacks were to blame, however that hasn’t been confirmed to date. It’s possible, or probable, that legitimate Census traffic during peak times was the root cause. If that’s the case then service design is at fault. That’s not going to look good for the ABS if it comes out in the ASD report.
There’s a lot of speculation over system integrity however we don’t know if that occurred in this instance. That can only be confirmed if the ASD report confirms that hacking is the root cause.
If the root cause is determined to be multiple DDoS attacks and not hacking, then there may not be an issue with system integrity. Think of the Census as a department store. A DDoS attack involves crowding the store entrance with fake customers so the real customers can’t get access. The store isn’t entered and nothing is stolen; however, no genuine purchases are made either.
If the root cause is found to be legitimate Census traffic during peak times, then we can likely conclude that the ABS has genuinely failed to deliver the appropriate IT solution to support the Census and as they are accountable for the Census solution then the buck will stop there.
This won’t come as a surprise to me and would really highlight the underlying issue that exists across the Federal Government Sector. The Public Service isn’t best suited as an IT service provider nor should it be expected to. The APS requires efficient and effective IT services and shouldn’t be spending massive amounts of public funding to continually deliver failed IT services.
The Government has established the new Digital Transformation Office, so come on DTO, stand up and take the lead on Federal Sector IT reform. We need strong leadership and genuine IT professionals and experienced service providers contributing to the success of IT reform. Where’s the Secure Federal Sector Cloud? A cloud service solution that can be used by all Federal Agencies and Departments. This will simplify and standardise IT solutions, provide responsive scalability, secure data retention and standardise training, just to start. Imagine a common and secure desktop solution so APS staff moving between organisations don’t need to be fully retrained. Currently these services are duplicated in silos all over the Federal Sector. What a massive waste of resources and funding. The infrastructure for this cloud is in place, so where’s the leadership to drive the solution home?
Let’s go DTO!
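The comment above separates two possible root causes: a foreign DDoS flood that geoblocking would have absorbed, and a domestic peak-time overload that no geoblocking can fix because the service itself was undersized. The toy below, added here and not code from the article, any commenter, the ABS or its contractors, runs a geo allow-list over constructed access-log lines and checks whether the domestic peak alone still exceeds an assumed capacity. The country column, the allow-list and the capacity figure are all assumptions; a real edge filter would resolve source addresses through a GeoIP database instead.

```python
# Added example: geo-allow-list filter plus peak-rate check over constructed log lines.
from collections import Counter

# Constructed log lines in the form "epoch_second country path".
# The country column stands in for a GeoIP lookup that a real ISP/edge filter
# would perform on the source address (assumption, not real Census traffic).
SAMPLE_LOG = """\
1470744000 AU /census/form
1470744000 AU /census/form
1470744000 US /census/form
1470744000 US /census/form
1470744000 US /census/form
1470744000 RU /census/form
1470744001 AU /census/form
1470744001 AU /census/form
1470744001 AU /census/form
1470744001 AU /census/form
1470744001 CN /census/form
1470744002 AU /census/form
""".splitlines()

ALLOWED_COUNTRIES = {"AU"}  # assumption: respondents are domestic only
CAPACITY_RPS = 3            # assumed requests/second the constructed site can serve


def parse(line):
    """Split one constructed log line into (second, country, path)."""
    ts, country, path = line.split()
    return int(ts), country, path


def geoblock(lines, allowed=ALLOWED_COUNTRIES):
    """Keep only requests whose source country is on the allow-list."""
    return [line for line in lines if parse(line)[1] in allowed]


def peak_rps(lines):
    """Highest number of requests observed in any single second."""
    per_second = Counter(parse(line)[0] for line in lines)
    return max(per_second.values()) if per_second else 0


def overloaded(lines, capacity=CAPACITY_RPS):
    """True when some second exceeds capacity: the 'service design' failure case."""
    return peak_rps(lines) > capacity


if __name__ == "__main__":
    kept = geoblock(SAMPLE_LOG)
    print("raw peak:", peak_rps(SAMPLE_LOG), "after geoblocking:", peak_rps(kept))
    print("domestic traffic alone still overloads the site:", overloaded(kept))
```

In the constructed sample the foreign flood is dropped, but the domestic peak of four requests in one second still exceeds the assumed capacity of three, which is exactly the outcome the commenter says would leave the ABS, not the DDoS, holding the bill.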

John Hargreaves 10:37 am 16 Aug 16

gooterz said :

“It was hacked! ” Remarks like that just lose you credibility.
It may or may not have been hacked but the only thing admitted to is that it was attacked.

A DOS attack is to a hack as a cock-block is to losing your virginity. There is a huge difference.

The biggest problem for online voting is coercion or sale of votes; at least with the current system no one is standing over your shoulder forcing you to vote a certain way. In the privacy of your house? Maybe. Votes could also be put up for sale.

Thus on these points you have failed to impress and thus I will apply the same failure to the rest of your post.

Hacked has two meanings. Hacking into websites is one and hacked (as in to death) is another. I prefer the latter. My apologies to the Grand Society of Pedants.

John Hargreaves 10:35 am 16 Aug 16

Masquara said :

John Hargreaves said :

Qui le meme chose

Huh? That doesn’t mean anything in French, let alone in English!

Mine was a shorthand version of “Plus les choses changent plus elles restent les mêmes” which means “the more things change the more they stay the same”

“It was hacked! ” Remarks like that just lose you credibility.
It may or may not have been hacked but the only thing admitted to is that it was attacked.

A DOS attack is to a hack as a cock-block is to losing your virginity. There is a huge difference.

The biggest problem for online voting is coercion or sale of votes; at least with the current system no one is standing over your shoulder forcing you to vote a certain way. In the privacy of your house? Maybe. Votes could also be put up for sale.

Thus on these points you have failed to impress and thus I will apply the same failure to the rest of your post.

Great topic John! From my lounge room pulpit, I sheet the responsibility on two factors: a generation of bi-partisan efficiency dividends being imposed and a lack of courage in the leadership groups to advise Governments of the likely risk of failure.
In the bigger agencies, there is usually a way to find some spare cash that can be directed to a priority area.

In smaller agencies, not a lot. I have worked in both quite recently and seen what is going on. I expect there will be worse failures to come.

John Hargreaves said :

Qui le meme chose

Huh? That doesn’t mean anything in French, let alone in English!

creative_canberran 4:01 pm 15 Aug 16

Paul Costigan said :

Dear John.

Agree. A major part of this story is the outsourcing to IBM. With that in mind, you may enjoy this piece of history.

Meaningless. IBM is the third largest cloud service provider in the world. But they only provide what they are contracted to, and for the price the ABS set. Several security features were contracted to other service providers, including the DDoS protection and geoblocking, both of which failed. Testing of the security was another contractor’s responsibility.

IBM has powered the eCensus in both previous years (11, 06) on a smaller scale and no faults were reported.

Doesn’t mean they’re blameless, but nor are they a scapegoat.

From what I’ve read, a major factor has been underfunding the ABS. Even to my internet-ignoramus ears, the figure of $9 million seemed way too low for a contract to ensure Census security. That wouldn’t even be the sum set aside for evaluation alone, in many project contexts let alone a vital one. Full marks to Kalisch: asked why he hasn’t resigned yet, he said that the time to resign would be after the issues have been raked through. Post hot-head responses.

John Hargreaves 11:44 am 15 Aug 16

Qui le meme chose

Paul Costigan 11:23 am 15 Aug 16

Dear John.

Agree. A major part of this story is the outsourcing to IBM. With that in mind, you may enjoy this piece of history.

In 1890 Herman Hollerith provided tabulators for the 1890 US Census that resulted in the census being completed in one year instead of the former eight for the 1880 census.

The 1890 census marked the first time that information was processed through electronic means – punch cards and electronics.

Hollerith went on to found a company, the Tabulating Machine Company, that eventually through consolidations with others in 1924 formed a new company – the International Business Machines Corporation – IBM.
