The Australian Bureau of Statistics has claimed it took the census website down last night after four Distributed Denial of Service (DDoS) attacks on the site in order to protect the data.
The ABS said that the 2016 online census form was “subject to four Denial of Service attacks of varying nature and severity” yesterday, and after the fourth attack, the ABS took the site offline to “protect the integrity” of the census data.
A DDoS attack is a common tool used to disrupt sites and services online by essentially getting thousands or millions of computers to team up and attempt to overwhelm a site with traffic. There are an estimated 2000 DDoS attacks per day, and they’re not very expensive to organise. According to a Trend Micro report from 2012, US$150 can buy a week-long DDoS attack.
Contrary to how this story has been — and will be — reported by many media outlets today, a DDoS attack is not a hack, because no data is breached via DDoS, but a DDoS attack can often be used as a cover for a hack.
ABS chief statistician David Kalisch told the ABC this morning that the 2 million or so census forms filed online before it all fell down were secure, but that the malicious attack had come from overseas. The Privacy Commissioner is investigating.
Several people have pointed out, however, that DDoS attack mapping tools such as Kaspersky and Norse showed no large-scale DDoS attacks targeting Australia last night.
The ABS claimed before the census that it could handle approximately 1 million census form submissions online, but questions are now being raised about whether the ABS had conducted appropriate load testing and provisioned adequate resources for census night, when everyone would be logging in to fill in their form online.
Brisbane-based Revolution IT was paid close to $500,000 to perform load testing to ensure it was supposed to all go smoothly, and IBM — a frequent troublemaker for government IT — was paid $9.6 million for the design development and implementation of the online version of the census. Look for these companies being hauled before a parliamentary committee in the near future.
If it was a DDoS attack, the ABS’ boastful claims about the security and integrity of its systems have possibly goaded someone into testing the ABS’ bravado.
The fact remains that the ABS should have prepared for this. If the ABS is outsourcing the census, it can outsource it properly to cloud service providers that can handle the traffic and mitigate DDoS issues. The US census reportedly spent US$11.8 million on its online census in 2010, and planned in advance for the potential for DDoS attacks. US Census CIO Brian McGrath:
“That was a huge concern for us that in the height of the decennial activity if we were a target of a DDoS attack or the site would go down or the performance would go down that it would reflect negatively on the Census Bureau and deter citizens from participating.”
As with much of the ABS’ handling of the census in 2016, there is an issue with communication. The ABS’ census account on Twitter was telling people well after 7.30pm last night to keep trying to log onto the census site, despite ABS now saying that at 7.30pm a decision had been made to shut down the census website.
The ABS has said it expects to restore the site later this morning, and has said people have until September to fill out the census form, but Labor’s Andrew Leigh is already warning the data might now be less reliable than it otherwise would have been due to people delaying filling out the census or not filling it out at all.
Kalisch and the minister responsible, Michael McCormack, spoke to media this morning, with McCormack repeatedly claiming that it wasn’t an attack or a hack, but an attempt to frustrate the ABS.
McCormack explained that when the first few attacks happened at the start of the day, the ABS and IBM made a decision to block all international traffic to the site. This block eventually fell over, and a Telstra router failed, so the ABS made a decision to take the site offline in order to protect the data.
McCormack stressed that no data had been lost, and no data had been compromised. Approximately 2.33 million people had completed the census before the site went down.
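The account above turns on two questions a defender can actually measure from access logs: how much of the load came from overseas (and so what an international block would remove) and whether the volume was concentrated in a few sources or spread across many light clients. This added example, not code from the ABS, IBM or Telstra, profiles two constructed log samples on those two axes; the log lines and the prefix-to-country table are constructed stand-ins for real logs and a real GeoIP database.

```python
from collections import Counter

# Constructed sample access logs ("time source_ip path"), not ABS or IBM data.
# Pattern A: a few overseas sources each repeating requests.
CONCENTRATED_LOG = """\
19:31:02 203.0.113.10 /form
19:31:03 203.0.113.11 /form
19:31:04 198.51.100.5 /form
19:31:04 198.51.100.5 /form
19:31:04 198.51.100.5 /form
19:31:05 198.51.100.5 /form
19:31:05 198.51.100.6 /form
19:31:05 198.51.100.6 /form
19:31:05 198.51.100.6 /form
19:31:06 203.0.113.13 /form
"""
# Pattern B: many distinct domestic clients, one request each (the evening rush).
FLASH_CROWD_LOG = "".join(f"19:31:05 203.0.113.{20 + i} /form\n" for i in range(6))
# Assumed prefix-to-country table standing in for a real GeoIP database.
GEO_PREFIXES = {"203.0.113.": "AU", "198.51.100.": "US"}
HOME_COUNTRY = "AU"

def country_of(ip):
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def profile_traffic(log_text):
    """Requests per country, share an international block would drop, source concentration."""
    by_country, per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        _, ip, _ = line.split()
        by_country[country_of(ip)] += 1
        per_ip[ip] += 1
    total = sum(per_ip.values())
    return {
        "total": total,
        "by_country": dict(by_country),
        "unique_sources": len(per_ip),
        "overseas_share": 1 - by_country[HOME_COUNTRY] / total,  # removed by a geo-block
        "top_source_share": max(per_ip.values()) / total,        # attack-like if high
    }

def classify(profile, top_share=0.25):
    """Few sources carrying most volume reads as an attack; many light clients as a capacity problem."""
    if profile["top_source_share"] >= top_share:
        return "concentrated sources: DDoS-like, blocking by source is relevant"
    return "distributed light clients: flash crowd, a capacity problem"
```

On real logs the thresholds and the GeoIP lookup would need tuning, but the two numbers are the ones that separate the "overseas attack" and "evening overload" explanations argued over in this story.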
The Prime Minister’s cybersecurity adviser, Alastair MacGibbon, said that most of the traffic originated from the United States but was the subject of an investigation by the Australian Signals Directorate. MacGibbon suggested that the attention drawn to security concerns around this year’s census might be to blame for people targeting the site:
What is more likely I would suggest is that as Aussies flood home from work with kids in tow, dinner to cook and eat, then relax with a drink and they all go online after our favourite spiv around 7.30-8.00pm to fill out the census. If we had over 1.5 mill doing this, this would have overloaded the system and a DOS would have occurred. This would have had a cascading effect as frustration took hold and more went online. The ABS has to foot the blame whether this was the case or not and the spiv looks like he put his foot in his mouth with that ‘very easy’ tweet. OMG where are we going???
Blaming it on a DDOS attack is a handy excuse to cover your own incompetence.
Ask them to show you on a map where this happened –
https://twitter.com/mhackling/status/763122057307525120
Thank you for this. Just another cockup for another iteration of LNP dunderheads. Nimble as ever, lurching from disaster to disaster.
The other great find from twitter was this one –
https://twitter.com/tahpot/status/762990655035486209
which revealed they spent more on indoor plant hire than load testing.
No real evidence of attacks or DDoS, etc.
Most likely ineptitude + crappy old IT.
Hence most likely it’s got a million holes & its security has probably been compromised… We’ll only know when we monitor increases in fraud & identity theft.
#JustWait
Always go for cock up before conspiracy. The thing about bureaucracies is that they don’t know what they don’t know and so don’t ask experts in time. The ABS is expert at statistics, writing questions, analysing them, etc. It is widely recognised as hosting one of the most difficult websites in Australia – though others may want to suggest their own least favourite .gov sites. My guess is that the data IS safe (they have experience in that), but the interface and the load capability is at fault – they have little experience in interacting with large numbers of people at once online. Let’s not forget that the elected government has been cutting resources to the ABS as well as others since they see no reason to collect facts that might get in the way of a tattered ideology.