The Australian Bureau of Statistics (ABS) suffered a humiliating failure of its systems last August, which was largely attributed to its inability to manage security and operational risk of a key business system.
Shortly after the event, we were told by prime minister Malcolm Turnbull that heads would roll, lessons would be learnt and changes would be made. But after extensive investigations by the government and the Senate, did heads actually roll? Is there any evidence of positive changes?
ABS’ long-term CIO/CISO Patrick Hadley, who has been with the organisation for 5 years, retires on March 6. He’s had a long career with many agencies and commercial organisations prior to joining the public service.
His departure creates an opportunity to review the role he performed with the ABS and indeed address any structural weaknesses, which may result from the now dated practice of having the CIO also fulfil the CISO role. This is very much a practice from the early 2000s and not consistent with good governance practice and current trends.
The new ABS CIO/CISO position has appeared on the APSJOBs website recently and disappointingly does not suggest the ABS has learnt anything about segregation of duties nor does it appear to be willing to improve CISO access to the ABS CEO, the Australian statistician.
Once again, the role of CIO and CISO is combined and the job largely appears to be about system delivery and is located two levels down in the organisation. Maybe this is not a problem? Maybe the ABS is different and does not need to follow current practices and trends in technology governance?
Let’s examine whether the combined roles of CIO/CISO were at all critical in the failure of the Census system.
Below is an extract from the report prepared by Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security.
A procurement plan prepared in June 2014 proposed approaching only IBM citing the same reasons for a single source approach as in September 2008: dependency on IBM and time pressure. The procurement plan was approved by Patrick Hadley, Chief Information Officer, on 20 June 2014.
In September 2014, the ABS again engaged IBM through limited tender, a similar approach as direct sourcing which involved no market testing, this time for the supply of the 2016 eCensus and Data Capture. On 23 September 2014, Patrick Hadley, Chief Information Officer, approved the spending proposal for the 2016 eCensus solution.
On 20 June 2014, the ABS CIO approved the procurement plan for a limited tender to be issued to IBM for an e-Census solution (online electronic form). Once IBM was given responsibility for delivery, the key architectural decision to host the 2016 Census online form in a fully dedicated facility followed.
Other alternatives were considered and rejected as part of that architectural decision, including the alternative of primarily using cloud infrastructure. Still burdened with the characteristics and cultural traits that it is now working hard to change - insular, not forward-looking, deficient risk management – the ABS locked itself in with a trusted partner.
Together the ABS and IBM were now committed to basing the 2016 online Census form on a solution that had its origins in 2006. The ABS had, in effect, denied itself the opportunity to leverage conditions and capabilities that were changing rapidly over the decade.
As can be seen from above, MacGibbon believed key decisions by the CIO/CISO were critical to the e-Census outcome experienced by ABS. It also appears that key decisions around issues related to security and project delivery were not given sufficient critical thought in the early procurement phases of the project.
During a presentation on December 13 last year to the Institute of Public Administration, Australian Statistician, David W Kalisch, said the ABS had a “misplaced sense of confidence, indeed complacency about the e-Census, its security.”
“We worried about the element that we knew would change: the increase in the number of users. We didn’t adequately test and review the things that we thought would not change – particularly the DDoS security.
“A more thorough, independent, review of the DDoS defences would have identified key weakness in the architecture – a reliance on a single layer of protection called ‘Island Australia’,” Kalisch said.
Kalisch continued: “On the surface, we had a regime for risk management in place – the risk of DDoS was identified, the impact of a successful attack was assessed as extreme and we considered an attack to be likely.
“A set of risk mitigations was documented and the Census board was given a report indicating that the residual risk was acceptable. However, the mitigations were not adequate.
“More independent assurance was needed but we also need to foster a culture that sees active risk management as an integral and valuable component of our approach, beyond the form filling and administrative compliance.”
Again, it appears that the lack of segregation offered by the combined CIO/CISO role had a big impact on e-Census cyber security outcomes.
Interestingly, the Senate committee report ‘2016 Census: issues of trust’ recommended the ABS take a more proactive role in validating the resilience of the e-Census application for the 2021 Census.
During his presentation, Kalisch also made a simple but very clear statement: “Key lesson here: you cannot outsource risk.”
If the ABS is going to address these requirements then it cannot simply do the same thing again and keep the roles of CIO and CISO combined.
There is a trend to segregate the CIO and CISO roles. This trend is growing along with the trend to raise the level of reporting of the CISO to the CEO. It looks like the ABS believes itself to be unique and does not need to follow these trends or improve senior management’s access to technology risk assessments.
Ian Brightwell is principal consultant at DH4. He was previously director of information technology and CIO at the NSW Electoral Commission.