Poor planning and communication, and an overdependence on outsourcer IBM, contributed to a disastrous eCensus that was exacerbated by the lack of a comprehensive security framework and independent validation, a scathing enquiry into the August online debacle has concluded.
The Review of the Events Surrounding the 2016 eCensus report – authored by special advisor to the prime minister on cyber security Alistair MacGibbon – and a simultaneously-released Senate Economics Committee report both excoriated the Australian Bureau of Statistics (ABS), technology provider IBM and poor government oversight for contributing to the DDoS attack that caused “a serious blow to public confidence in the Government’s ability to deliver on public expectations.”
The 9 August cyberattacks prevented most Australians from accessing the site during what was meant to be a showpiece of the government’s digital transformation efforts, forcing the 40,000 employees involved in its single largest logistical exercise to function in backup mode as investigators scrambled to understand just what had gone wrong.
IBM had been contracted for $9.6m worth of work for the eCensus, just a fraction of its $471m total cost – and prime minister Malcolm Turnbull suggested in a recent interview that the government’s settlement with the company would “absolutely cover” the nearly $30m in estimated costs from the outage.
Poor preparation for the cybersecurity aspect of the operation was flagged as a chronic problem, with incident management documents held to be manifestly inadequate. “They were impractical, poorly tested, and none outlined a comprehensive cyber incident response or communications plan that could be effectively implemented,” the report noted.
Poor links between the ABS and its support mechanisms, the Minister’s office and the public were also flagged, with unclear escalation thresholds, obligations, and cross-agency co-ordination mechanisms.
This was compounded by poor real-world planning for DDoS events, which were specified as “a foreseeable threat” in the contract with IBM but poorly delineated in actual execution. “Controls were not considered within a comprehensive security framework,” the report concluded. “Risk assessments underestimated the consequences of security incidents, leading to insufficient focus on mitigations; and there was poor independent assessment or verification of security arrangements.”
Shutting down the eCensus after the DDoS attacks were detected was the right thing to do and helped preserve the integrity of the data collected to that point, the report found, noting that “the outcome could have been worse”. But the detailed analysis holds many lessons for other government and private-sector agencies around the proper way to ensure cybersecurity arrangements, particularly when third parties are involved.
Ensuring smooth handoff of technical issues is a common issue in situations where cybersecurity responsibilities are being spread amongst parties, CyberArk Labs director of cyber innovation Andrey Dulkin told CSO Australia in the wake of the CyberArk Global Advanced Threat Landscape Survey 2016, which found public-sector agencies to be “dragging themselves behind” best practice.
Although awareness of security issues had increased – two-thirds of respondents said their CEO or board were providing “sound” cybersecurity leadership, up from 57 percent in 2015 – execution remained particularly poor, with an “excessive focus on perimeter controls” and overreliance on external contractors causing similar issues to those that marred the relationship between ABS and IBM.
“Government agencies rely on much longer term relationships with certain parties, and perhaps consider them to be part of their own teams,” Dulkin said. “So the level of trust there is higher but it’s not really warranted. As we’ve seen in the Target breach and other cases, third parties are usually far less secure than the organisation itself – and an organisation should not rely on controls that are not under the control of the organisation’s security.”
Although 49 percent of organisations allowed third-party vendors to access their internal networks, public-sector organisations had the fewest third-party vendor access controls in place of any industry in the CyberArk survey – with 21 percent not securing and 33 percent not monitoring that activity.
And while 95 percent of organisations have cybersecurity emergency response plans, only 45 percent said they communicate and regularly test their plans with all IT staff. This echoes the findings of the eCensus report, which found that poor technical controls were compounded by a failure to respond to concerns about security and privacy in the leadup to the eCensus.
The ABS had a ”well formed and prepared communications strategy and awareness campaign,” the report found, “but it was focused on the wrong things. The impacts of cyber security events are not well understood. There is not a shared understanding across government, and a well-defined lexicon does not exist.
Compounding the technological issues were greater concerns about the long-term impact on public confidence in government: post-Census surveys, cited in the report, suggested that 42 percent of Australians agree that the 2016 Census was a failure and that one-third of respondents believe the data collected in the Census are unreliable.
Given that data’s core importance in government planning and resource allocation over the next five years, that lack of confidence is an even more important indicator of the impact that cybersecurity incidents can have.
“Australia now knows that cyber security is not just about national security,” the report notes, warning that the incident had caused more damage to the public’s confidence in online government than any previous IT failure. “Cyber security is about availability of services in confidence in government in a digital age.”
“A whole of government approach to resilience is required, and regular exercising of crisis arrangements will be critical.... There is more the ABS can do to improve its practices, from external scrutiny to enhanced public engagement on privacy issues. All agencies can learn from the ABS’s experience.”