The Australian Bureau of Statistics says it accepted assurances from IBM that measures to deal with denial of service attacks targeting the 2016 Census were adequate.
The Australian Bureau of Statistics has argued that under its contract with IBM, dealing with denial of service attacks was the responsibility of the vendor. In a submission to the Senate inquiry examining the 2016 Census debacle, the ABS has said it “sought and received various assurances from IBM about operational preparedness and resilience to DDoS attacks”.
The ABS contracted IBM to deliver the infrastructure for the online portion of the 2016 Census. Part of the contract required IBM to develop a risk management plan, which listed denial of service attacks as a risk to be mitigated by the vendor, according to the bureau.
The Census site was subject to a series of denial of service attacks on 9 August (Census night). Although a number of attacks were successfully mitigated, a fourth denial of service attack rendered the site inaccessible.
At the same time as the final attack was being staged, a monitoring system mistakenly identified some outbound traffic as malicious. In an effort to safeguard already submitted data the ABS asked IBM to pull the site offline, according to an account of the fiasco prepared by Alastair MacGibbon, the Prime Minister’s Special Advisor on Cyber Security, for the Senate inquiry.
The risk management plan developed by IBM was updated over an 18-month period, including nine workshops that involved ABS and IBM staff.
“As part of the risk management planning process various discussions on security issues were held with the Australian Signals Directorate (ASD) commencing in December 2014,” the ABS submission stated.
The final version of the risk management plan was released in July 2016 and included “Loss of system availability through a Distributed Denial of Service Attack”.
“This risk had a pre-mitigated exposure rating of ‘high’ and a residual exposure of ‘medium’,” the ABS said.
IBM was given responsibility for mitigating the risk, with a key measure being geoblocking — dropping network traffic from overseas IP addresses. The geoblocking system failed during the fourth denial of service attack on Census night.
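The geoblocking control described above, as an added illustration that is not ABS or IBM code (the submission does not describe how their system was built or how it failed): traffic is classified by looking up its source address against a prefix-to-country table, and anything outside the allowed country is dropped. The prefix table and the sample packets below are constructed for the example; a real deployment would derive the table from registry data and enforce it at the network edge rather than in Python. The one design point worth seeing in code is what happens when the lookup cannot resolve an address at all: a fail-open policy lets that traffic through, so an outage in the lookup data quietly disables the control, while a fail-closed policy drops it. Either choice has to be deliberate.

```python
"""Source-prefix geoblocking as a DDoS mitigation, with an explicit policy
for addresses the prefix table cannot resolve.

Added illustration, not ABS or IBM code. PREFIX_TABLE and SAMPLE_PACKETS are
constructed for this example and use documentation/test address ranges.
"""
import ipaddress
from collections import Counter

# Constructed prefix table (hypothetical allocations, not registry data).
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Only traffic attributed to these countries is allowed through.
ALLOWED_COUNTRIES = {"AU"}


def lookup_country(addr):
    """Return the country code for addr, or None if no prefix covers it."""
    ip = ipaddress.ip_address(addr)
    for net, cc in PREFIX_TABLE:
        if ip in net:
            return cc
    return None


def geoblock_decision(src_addr, fail_closed=True):
    """Return 'pass' or 'drop' for a packet from src_addr.

    An address with no matching prefix is the edge case that matters:
    fail_closed=True drops it; fail_closed=False lets it through, which
    means a gap in the table silently bypasses the control.
    """
    cc = lookup_country(src_addr)
    if cc is None:
        return "drop" if fail_closed else "pass"
    return "pass" if cc in ALLOWED_COUNTRIES else "drop"


def filter_packets(packets, fail_closed=True):
    """Apply geoblocking to (src_addr, size_in_bytes) tuples.

    Returns a Counter of total bytes per decision ('pass' / 'drop').
    """
    totals = Counter()
    for src, size in packets:
        totals[geoblock_decision(src, fail_closed)] += size
    return totals


# Constructed sample traffic: one domestic client, two overseas sources,
# and one source that the prefix table does not cover at all.
SAMPLE_PACKETS = [
    ("203.0.113.10", 1200),   # AU: allowed
    ("198.51.100.7", 1500),   # US: blocked
    ("192.0.2.44", 1500),     # DE: blocked
    ("100.64.0.9", 900),      # not in table: policy-dependent
]

if __name__ == "__main__":
    print("fail-closed:", dict(filter_packets(SAMPLE_PACKETS, fail_closed=True)))
    print("fail-open:  ", dict(filter_packets(SAMPLE_PACKETS, fail_closed=False)))
```

Note that a control of this kind only removes load from sources outside the allowed ranges; it does nothing against traffic that originates, or appears to originate, inside them, and it has to be tested both for correct classification and for its behaviour when the lookup itself is unavailable.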
“In July 2016 the ABS arranged for a meeting with ASD and IBM to receive briefings from ASD on cyber threats and incident response support,” the submission states.
“The potential for DDoS attacks was discussed, as were general mitigations for a range of threats. ABS does not believe that any new areas of concern were raised, nor were there any suggestions of potential mitigations or additional preparations that were not pursued.”
IBM successfully conducted live testing of its geoblocking technology on 5 August, according to the ABS.
The ABS said it undertook a range of measures to test the Census system independently of IBM. Those included:
• Engaging UXC Saltbush to undertake a code review and penetration testing;
• Engaging Revolution IT to undertake load and performance testing;
• Engaging Vision Australia to undertake accessibility testing;
• ASD reviewing the cryptographic architecture;
• Providing the proposed Solution Architecture to ASD for review;
• Compliance assessment of the IBM Baulkham Hills Data Centre against Protective Security Policy Framework Zone 4 requirements;
• Conducting a public test of the online Census across 35,000 randomly selected households; and
• Undertaking in-house ABS testing.
However, the ABS said it “did not independently test the DDoS protections that IBM was contracted to put in place, as it considered that it had received reasonable assurances from IBM.”
“At no time was the ABS offered or advised of additional DDoS protections that could be put into place. Additionally, no suggestion was made to the ABS that the DDoS protections that were planned were inadequate.”