Showing posts with label census. Show all posts

Friday, November 25, 2016

Cyber Bootcamp for Australian Government Ministers

Alastair MacGibbon, Special Adviser to the Australian Prime Minister on Cyber Security, has said senior government executives and Ministers should be sent to “Cyber Bootcamp”. This is one of the recommendations in "Review of the Events Surrounding the 2016 eCensus", a report on the successful denial of service attack on the 2016 Australian Census website in August 2016.

The government downplayed the significance of the incident by describing it as a "truck across the driveway", just preventing access but doing no other damage. However, continuing the analogy, the truck may be filled with armed terrorists, or a very large bomb. On Wednesday, Dan Tehan MP, Minister Assisting the Prime Minister for Cyber Security, outlined a scenario where a virus introduced to critical systems shuts down the electricity grid, causing widespread deaths and injury.

Summary of Recommendations
  • Crisis Communications and Coordination ...
  • Education: The Attorney-General’s Department should develop a “Cyber Bootcamp”
  • Security Framework: The Australian Signals Directorate should strengthen the framework...
  • Embracing Adaptive Government...
  • Cyber Security in a Digital First World
  • The ABS should engage an independent security consultant ...
  • The ABS should ensure future significant changes to personal information handling ...
  • The ABS should adopt a privacy management plan ...
  • The ABS should assess and enhance existing ABS privacy training for staff.
  • The ABS should develop a specific strategy to remove the current state of vendor lock-in.
  • Agencies should review their approach to cyber security incident response planning and coordination ...
  • Agencies should ensure independent security assessments are conducted on critical ICT deliverables.
  • Agencies should test security measures and monitoring systems for online government services ...
  • Agencies should be conscious of updated interpretations of governing legislation ...
  • The Office of the Australian Information Commissioner has recommended the government develop an APS-wide Privacy Code in collaboration with the Office. ...

Monday, September 26, 2016

ABS Tries to Blame IBM for 2016 Census Problems

In its 123-page submission to the 2016 Census Senate Inquiry, the Australian Bureau of Statistics (ABS) seeks to blame IBM for the failure of the system on Census night. Similarly, in the case of "Maguire v Sydney Organising Committee for the Olympic Games (2000)", SOCOG sought to deflect responsibility for defects in its web site to the contractor, IBM. However, this was rejected and SOCOG, not the contractor, was found responsible. In that case SOCOG was a temporary organization set up just to run the Sydney Olympics, with limited experience. In contrast, the ABS has decades of experience in statistical collection using IT systems and cannot credibly transfer responsibility to IBM. I teach IT Ethics to university students and the 2016 Census will become a useful case study on professional responsibility.
  • "On the night of 9 August 2016 (Census night) the online Census, hosted by IBM, was subject to a Distributed Denial of Service (DDoS) attack that was not unusual and was anticipated, which affected the Census application system. This was not due to load from legitimate Census submissions, which at the time of the attack were running in line with ABS projections and well within the design load for the system. Around the same time, an unusual spike in outbound traffic was observed in the monitoring systems. These two events led to the closure of the online Census submission to the Australian public until the afternoon of 11 August 2016. While this caused inconvenience, protecting the information of Australians was the ABS’s highest priority and Census information was never compromised.
The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system. Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future. However, once the system had been affected, the ABS took the precaution of closing the online Census form to safeguard and to protect data already submitted, protect the system from further incidents, and minimise disruption on the Australian public by ensuring reliable service." (From Page 4).

"The online Census DDoS attack of 9 August 2016 was against an IBM system not an ABS one. See Section 9 for further details." (From Page 7)

Monday, September 05, 2016

Senate Inquiry into Attack on Census Website

The Senate Standing Committees on Economics are holding "An inquiry into the preparation, administration and management of the 2016 Census by the Australian Bureau of Statistics", including:

"d. the shutting down of the Census website on the evening of 9 August 2016, the factors leading to that shutdown and the reasons given, and the support provided by government agencies, including the Australian Signals Directorate;" From: Terms of Reference.
I suggest the Australian Computer Society (ACS) join with Internet Australia (the Australian Chapter of the Internet Society) on this and try to widen the discussion to cover Internet security more generally. ACS and IA need not agree on every aspect, but could loosely coordinate, as was done for the Internet regulation inquiries of the 1990s, as described by Chen (2000, p. 161).

Reference

Chen, P. J. (2000). Australia's online censorship regime: the Advocacy Coalition Framework and governance compared. Retrieved from
https://minerva-access.unimelb.edu.au/bitstream/handle/11343/38780/65881_00000240_01_AOCR.pdf?sequence=1#page=162

Monday, August 15, 2016

Australian Government Needs a Planned Response to Cyber Attack

The security of government information systems is the responsibility of government ministers, not IBM or the ABS. What should be of concern is not just that there was a successful denial of service attack on the Australian Census, but the apparent lack of a planned and practiced response from the relevant government ministers and their staff. Had this been a more serious attack, such as one on critical infrastructure threatening lives, the poor performance by the ministerial level of government could have been disastrous.

At the senior levels of government there need to be plans in place for who says what and when. These plans need to be tested in exercises, just as is done for natural disaster planning, which Australian state and local governments do well. Internet Australia (IA) members are discussing what form of submission to make to the likely Parliamentary inquiries into this matter. I suggest the Australian Computer Society (ACS) join with IA on this and try to widen the discussion to cover Internet security more generally. ACS and IA need not agree on every aspect, but could loosely coordinate, as was done for the Internet regulation inquiries of the 1990s, as described by Chen (2000, p. 161).

Reference

Chen, P. J. (2000). Australia's online censorship regime: the Advocacy Coalition Framework and governance compared. Retrieved from
https://minerva-access.unimelb.edu.au/bitstream/handle/11343/38780/65881_00000240_01_AOCR.pdf?sequence=1#page=162

Wednesday, August 10, 2016

Australian Population Census Computer System Problems

I had a call from ABC Radio this morning about the ABS announcing they had suffered denial of service attacks from overseas.  Perhaps the ABS staff need to go down to the foyer of their building and break the glass on the display case, with the punch card machine in it. I used a machine like that thirty years ago to write programs for the Census and it worked fine. ;-)

But seriously, keep in mind this is not a safety critical system: no lives are endangered. People can fill it in tomorrow, or the day after, or get a paper form. But the minister needs to be asked if sufficient resources were given to the ABS and were they allowed to use their preferred method of data collection, which would be surveys, not a census.

At 9:50pm Census night I tried the ABS site at 10pm and still got:
"Thank you for participating in the Census. The system is very busy at the moment. Please wait for 15 minutes before trying again. Your patience and cooperation are appreciated. [code 9]"
The Census error message web page is 117 Kbytes, with 49 Kbytes of JavaScript and 52 Kbytes of CSS, which seems a bit much just to display a few hundred characters of error message. But presumably this code is cached and reused throughout (in which case, it is not too large). The CSS uses Pure v0.5.0.

ps: My comments on the 2006 eCensus.

Wednesday, August 10, 2011

Australian eCensus 2011

The 2011 Census forms arrived with a code for the eCensus. At www.census.gov.au, there was a link to both an accessible version designed for screen reader devices and a standard version.

The e-Census was introduced at the 2006 Census, when I provided a detailed analysis of the "eCensus: Australian Bureau of Statistics Web Based Population Census Form". A quick check of the eCensus web page for 2011, shows the XHTML 1.0 Transitional code has one validation error:
Line 31, Column 142: there is no attribute "autocomplete"
…lcomeForm" method="post" autocomplete="off" onsubmit="return openKiosk(this.ta…
It took 15 minutes to fill in the on-line form (which is reasonable), with no difficulties encountered.

One question was about use of the Internet:

Question 59 Can the internet be accessed at this dwelling?

  • Include any internet service regardless of whether or not paid for by the household.
  • If more than one type of connection in dwelling, select the most frequently used type.
  • For more information, see the Census Guide or press the Information Button for this question.




An amazing amount of effort goes into designing even such a simple looking question. I attended the 2007 ABS ICT Reference Group meeting where this question was discussed.