IBM has pointed to government agencies and at least two internet service providers over the failure of the Australian Bureau of Statistics’ (ABS) Census website to withstand a series of distributed denial of service (DDoS) attacks in early August.
The technology giant, which was contracted by the ABS to develop, implement, and host the eCensus platform for the 2016 Census, said in its submission to the government committee investigating the 2016 Census project that it had anticipated and planned for the risk of DDoS attacks on the site.
“The main defence mechanism utilised was a form of protection known as geo-blocking (known internally at IBM as ‘Island Australia’),” the company said in its submission.
“In short, the geo-blocking arrangement involves blocking or diverting international traffic intended for the eCensus site before it reaches the site, while leaving the system free to continue to process domestic traffic.
“This method was chosen because the primary risk of DDoS attacks of sufficient size to disrupt site availability was considered to be from foreign sources,” it said.
Additionally, IBM claims that the ABS and the Australian Signals Directorate (ASD) were aware that the technology company intended to use geo-blocking.
At the time, according to IBM, the ABS’ IT security personnel considered geo-blocking to be an “extremely effective control”.
“IBM understands that the ASD was asked by the ABS to review the security arrangements for the 2016 eCensus site, but the ASD declined to undertake a detailed review,” it said.
Big Blue said that it met with the ABS and the ASD on 21 July 2016 to seek the ASD’s input on security threats for the project.
During the course of the discussion, IBM asked the ASD if it was aware of any intelligence relating to the risk of planned denial of service attacks; the ASD said it was not.
The vendor also claims that the geo-blocking arrangements were implemented by the internet service providers engaged to provide public access to the eCensus site – in this case, Nextgen Networks and Telstra.
However, Nextgen said its offer of DDoS protection was flatly rejected by the vendor.
“In accordance with IBM’s order, Nextgen supplied IBM with a standard internet service, and met all of its service levels on that product,” according to Nextgen’s submission to the committee.
“Although Nextgen strongly recommended to IBM to take up an internet DDoS protection option for the purposes of the 2016 census, it was declined by IBM,” the company said.
Nextgen said it sent its commercial proposal to IBM on 12 January 2015, and claims that email confirmation from IBM rejecting its DDoS protection plan came through on 24 May 2016.
“This additional feature offered by Nextgen is designed to effectively detect and defend against DDoS attacks,” Nextgen added.
According to IBM, under its arrangement with the ISPs, if a DDoS attack was attempted, and was severe enough to warrant the implementation of the geo-blocking arrangement, IBM would direct Nextgen and Telstra to put ‘Island Australia’ into place.
Although Nextgen provided IBM with its commercial proposal on 12 January 2015, the ISP said it was “not privy” to the IBM 'Island Australia' strategy until 20 July 2016, just six days before the eCensus site went live.
“Nextgen provided all possible assistance to IBM (which is well beyond what is provided for a standard internet service) to put in place 'Island Australia',” Nextgen’s submission stated.
“Nextgen complied with the IBM 'Island Australia' framework requirements provided by IBM, which was activated for testing on 5 August 2016 by IBM.