The Australian Bureau of Statistics (ABS) has pointed the finger firmly at IBM over the outage of the 2016 online Census form following four distributed denial of service (DDoS) attacks in early August.
In its submission to the parliamentary committee undertaking an inquiry into the management and execution of the 2016 Census, the ABS suggested that IBM, which was appointed as a contractor for the Census in late 2014, had fallen short in addressing the risks associated with a DDoS attack.
“The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system,” the ABS stated in its submission.
“Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM, and the ABS will be more comprehensive in its management of risk in the future.”
The ABS added that the DDoS attack was “not unusual” and had been anticipated.
The Bureau’s submission echoes comments made by Prime Minister Malcolm Turnbull during a keynote address at the Australia-US Cyber Security Dialogue held in the United States on 22 September.
“Although it [the DDoS attack] was nationally significant, it was technically predictable and not a unique situation for business and governments,” he said.
Earlier in the month, Turnbull told 2GB radio that IBM had “not put in place sufficient measures to deal with an entirely predictable circumstance – denial of service attacks”.
For its part, IBM has expressed regret over the incident, while stressing that no data was compromised as a result of the attack and the subsequent outage.
“Continuing to maintain the privacy and security of personal information is paramount,” the company said in a statement.
“The Australian Signals Directorate has confirmed no data was compromised. Our cyber-security experts are partnering with national intelligence agencies to ensure the ongoing integrity of the site.”
However, media reports since the outage indicate that IBM has seen at least two senior staff “resign with immediate effect”.
According to The Australian, the company has seen a head of global technology services and a project director leave its ranks over the incident.
In its submission, the ABS said that IBM outlined measures to ensure that it would be “highly resilient to web application security attacks,” including DDoS attacks, in its tender response documents.
“In September 2014 the IBM tender was determined as being value for money, and later that month the ABS engaged IBM for the supply of the 2016 online Census,” the submission stated.
IBM had not responded to ARN’s inquiries at the time of writing.