The government has questioned the close relationship between the Australian Bureau of Statistics (ABS) and IBM over the failure of the 2016 Census portal to withstand a series of distributed denial of service (DDoS) attacks in early August.
In a new report, the Parliamentary committee overseeing an inquiry into the 2016 Census debacle has pointed to a perceived complacency over the project, stemming largely from IBM’s long history of managing previous Census projects for the ABS.
The inquiry into the 2016 Census, which has focused heavily on the August event in which the ABS site was taken offline for 40 hours after being hit by at least three DDoS attacks, found that mistakes were made in the preparation and execution of the DDoS defences put in place by IBM, the lead IT partner for the project.
The committee has also taken issue with the ABS’ failure to independently test the systems implemented by IBM to defend against a potential DDoS attack.
“Criticisms made with the benefit of hindsight must necessarily be tempered, but there appears to have been significant and obvious oversights in the preparation of the eCensus,” the report, which was published on 24 November, stated.
“IBM's failure to have tested a router restart, or have a backup synchronised and in place, appears to have been significant contributing factors to the failure of the eCensus on 9 August,” it said.
Much of the criticism aimed at the ABS and its IT partner by the committee appears to be grounded in the close relationship IBM and the Bureau had built up over several years of working together on previous Census projects.
While IBM won the contract through a tender process, there was some question during the inquiry as to whether the technology company had enjoyed some form of preferred standing in that process, given its history with the ABS.
IBM had previously built the online census systems for the ABS in 2006 and 2011, and it told the inquiry that it had delivered 100 per cent availability throughout the busiest periods of both of those censuses.
“This assumed familiarity may have contributed to a level of complacency in project management on the part of the ABS, and in the priority which IBM gave the project,” the committee said in its report.
“The ABS could have been more proactive in ensuring DDoS protection was in place. Whereas the ABS contracted third parties to undertake load testing and code reviews, IBM was left to test their own DDoS prevention solution,” the report stated.
Prime Minister Malcolm Turnbull echoed this sentiment, telling 3AW Radio on 25 November that the "ABS put too much faith in IBM". He added that IBM had made a "very substantial financial settlement" with the government in relation to the estimated $30 million cost of the fallout from the 2016 Census debacle.
The government's decision, under the constraints on the project, to use a limited tender process to source the IT partner leading the 2016 Census was also highlighted by the committee as a potential contributing factor in how the project was handled.
In response, the committee recommended that the ABS conduct open tender processes for any future census solution that requires the participation of the private sector.
While the committee conceded it is not in a position to determine the relative truth of where any fault lies between IBM and its contractors, it made particular mention of IBM’s “Island Australia” geo-blocking DDoS defence system, which ran into problems during the attacks.
“The appropriateness of Island Australia must also be questioned given that some components of the eCensus—such as password resets—required access to international servers.
“Although it is impossible to say with certainty and hindsight what would have been had the ABS made different decisions, allowing IBM to undertake their own testing and the failure to complete an IRAP [Information Security Registered Assessors Program] assessment appear to be significant oversights in project management,” it said.
The committee also laid much of the blame for the 2016 Census issues on inadequate funding by the government, which it said was partly responsible for the project's short lead-time: the government had previously considered scrapping the Census before subsequently deciding to continue with it.
As a result, the committee recommended that the government commit the necessary funding for the 2021 census in the 2017–18 Budget, and that the Australian Government provide portfolio stability for the ABS.
The committee also recommended that the ABS take a more proactive role in validating the resilience of the eCensus application for the 2021 census.
It also advised the Department of Finance to review its ICT Investment Approval Process to ensure that projects such as the 2016 Census are covered by the cabinet “two-pass process”.