IBM Australia has launched legal action in the NSW Supreme Court against Nextgen Networks and Vocus Communications over the companies’ respective roles in the troubled 2016 eCensus portal project.
In a legal action filed with the NSW Supreme Court late last year, IBM Australia alleges that Nextgen Networks and Vocus Communications were negligent and in breach of contract in relation to their work associated with the 2016 eCensus portal.
The court documents also reveal that IBM wants Nextgen Networks to pay for the settlement it reached with the Australian Government over the Census troubles, alleging that Nextgen Networks is liable for the claim brought against IBM by the ABS.
While the value of the settlement has not been disclosed, it is understood to be worth millions.
IBM also wants Nextgen Networks, one of its suppliers for the eCensus project, to pay damages for its alleged breach of contract, and alleged negligence in relation to the Census project.
For its part, Nextgen alleges that Telstra, another supplier to IBM for the Census project, should be held responsible for IBM’s losses relating to the Census incident.
The legal action comes just as the dust from the fallout of the 2016 Census debacle seemed to start settling.
The incident on which the case hinges occurred in early August last year, when the 2016 Census online portal failed to withstand a series of distributed denial of service (DDoS) attacks that hit on Census night, 9 August 2016.
Following the attacks, the website was shut down for 40 hours, stymying attempts by Australians to submit their 2016 Census information online.
IBM, which had been contracted by the ABS to develop, implement, and host the eCensus platform for the 2016 Census, subsequently faced intense scrutiny by the public and the government alike, with representatives of the company fronting up to a Parliamentary inquiry into the incident last year.
In October last year, IBM took aim at its upstream internet service providers (ISPs) for the Census project, including Nextgen Networks and Vocus Communications, over their roles in the incident.
IBM had developed a DDoS mitigation strategy, dubbed “Island Australia”, which involved the implementation of a geo-blocking system aimed at preventing internet traffic from international sources overwhelming the site.
“The geo-blocking arrangement involves blocking or diverting international traffic intended for the eCensus site before it reaches the site, while leaving the system free to continue to process domestic traffic,” IBM said in a submission to the government committee investigating the incident.
In its submission, IBM said that with its “Island Australia” approach, it had anticipated and planned for the risk of DDoS attacks to the site, but that the geo-blocking mechanisms it had arranged were to be implemented by its upstream internet and networking service providers, which included Nextgen, Vocus and Telstra.
According to IBM, under its arrangement with the ISPs, if a DDoS attack on the eCensus site was attempted and was severe enough to warrant the implementation of the geo-blocking arrangement, IBM would direct Nextgen and Telstra to put “Island Australia” into place.
It was subsequently revealed that the DDoS attack which ultimately overwhelmed the infrastructure put in place by IBM was routed through a Singapore-based router understood to have been under the management of Nextgen Networks and Vocus.
It also emerged at the time that a failure in the configuration in one of two routers IBM was using to channel data traffic to the Census site from its two ISP partners ultimately led to a failed reboot after it was shut down following a data surge caused by the fourth DDoS attack, leaving the router inoperable for more than an hour.
During the inquiry into the incident, Nextgen Networks claimed that it had supplied IBM with a “standard internet service, and met all of its service levels on that product” and that it had, in fact, offered IBM an alternative DDoS protection option that was initially turned down.
“Although Nextgen strongly recommended to IBM to take up an internet DDoS protection option for the purposes of the 2016 census, it was declined by IBM,” Nextgen Networks said in its own submission to the inquiry.
IBM later questioned its own dealings with Nextgen and Vocus, with IBM engineer Michael Shallcross suggesting that the company’s efforts to instruct the two ISPs in the implementation of its geo-blocking DDoS prevention plan in the lead-up to Census day had failed.
“It’s apparent from the submissions brought by Nextgen and Vocus that perhaps the internal communications had not conveyed adequately the intent and instructions of and surrounding the implementation of Island Australia,” Shallcross told the Senate committee investigating the incident.
Now, IBM Australia is alleging that Nextgen Networks did not meet its contractual obligations under the agreements it had struck with IBM in relation to the DDoS prevention strategy for the Census project, thus allegedly breaching its contract with IBM.
“Nextgen confirmed to IBM that Nextgen had the ability to execute the Island Australia protocol, and that its ‘upstream provider’ (being Vocus) would be able to implement the Island Australia protocol,” the court documents stated.