As you may have heard, the Census website has had a bit of a technical issue. The official report from the Australian Bureau of Statistics went from "overseas hackers" to a series of DDoS attacks (with some pinpointed to the US) made possible thanks to a geo-blocking failure and finally an overworked router calling it quits — all leading to the decision to shut down the site on Census night.
This all of course raised questions about the security of the 2.3 million Census forms already completed online, prompting assurances from the ABS that the data is as safe as it would have been if the DDoS events hadn't occurred. But what is happening now? Is the site back up? Should we still be doing our Census online? And what does the PM have to say? (Hint: He's mad).
Update: At 6:03 PM, IBM Australia issued a statement.
We genuinely regret the inconvenience that has occurred. We want to thank the ABS, the Australian Signal Directorate and Alastair MacGibbon for their continued support. IBM’s priority over the last two days was to work with the ABS to restore the Census site. We are committed to our role in the delivery of this project.
Continuing to maintain the privacy and security of personal information is paramount. The Australian Signals Directorate has confirmed no data was compromised. Our cyber-security experts are partnering with national intelligence agencies to ensure the ongoing integrity of the site.
When Will The Census Be Back Online?
Update: As of 2:30pm, the site was back up. As of 10:00pm, it's back down again. The latest updates from the ABS still speak of the site being available.
"The secure online Census form was put back up at 2.30 pm, Thursday 11th August, following advice from the Australian Signals Directorate," a statement on the Census website reads.
"The ABS again apologises for the inconvenience and thanks everyone affected for their patience and helping shape Australia's future".
The Census website is now available. Thanks for your patience. We apologise for the inconvenience. https://t.co/j03F1bkPGl
— Census Australia (@ABSCensus) August 11, 2016
Last night's update stated the ABS would continue to work with Australian Signals Directorate "and our providers" to get the online Census form back up "as soon as possible." It took a total of just under 44 hours to get it back up again.
"We'd like to again apologise that the online form is still not available, and reassure the Australian public that their privacy is our highest priority," the statement read.
What Is The ABS Saying Happened?
An update from the ABS at 3:15pm yesterday explained a little more about what actually happened, calling the DDoS "attacks" an "attempt to frustrate", and reiterating that Census security was not compromised and no data was lost.
"The events varied in nature and severity," the ABS says, which led it to adopt a "very cautious approach" in relation to the 2016 Census online form, i.e. shutting the whole thing down.
There were three DDoS "incidents" during the day, which was expected by most security experts and the ABS itself, it says.
"The ABS was expecting denial of service incidents and the protective measures in place managed the first three attempts with only very minor service disruptions," says the ABS.
Commonwealth intelligence agency Australian Signals Directorate (ASD) was notified by the ABS of the DDoS "incidents" and use of the site continued, gaining users until it was receiving 150 forms per second by 7:30pm. The site had been load tested to receive almost one million forms an hour. Ironically, we won't know the exact population of Australia until the Census is completed, but best estimates put the number of households at well above this.
Then it all went down. A fourth DDoS attack occurred, as did a large increase in traffic to the website with "thousands of Australians" logging on to complete their Census. The router carked it, and a false alarm sounded in some of the system monitoring information.
"The ABS applied an abundance of caution and took the precaution of closing down the online Census form to safeguard and to protect data already submitted," says the ABS, saying it was to "protect the system from further incidents, and minimise disruption on the Australian public of an unreliable service".
The ABS says "Had these events occurred in isolation, the online system would have been maintained".
After the whole thing is over, the Government's Cyber Security Adviser, Alastair MacGibbon, will be holding a review into the events.
What Does The Prime Minister Say?
Prime Minister Malcolm Turnbull is not happy, Jan. He has gone full angry Dad at the ABS, saying the Census has been a failure, we all saw this coming, and the department should have been better prepared.
"I too am very angry about this, I am bitterly disappointed about this," Mr Turnbull said. "This has clearly been a failure on the part of the ABS. Absolutely a failure on the part of the ABS."
Turnbull was also quick to point the finger at IBM, which was responsible for hosting and managing the Census website. The firm was paid $10 million for the gig.
"The denial of service attacks were completely predictable and should have been repelled readily. They weren't because of failures in the system that had been put in place for ABS by IBM," Mr Turnbull said.
"There is no doubt there were failures in the system's preparation for an entirely predictable denial of service attack. Measures that ought to have been in place to prevent these denial of service attacks were not put in place."
Turnbull has promised that "heads will roll" for the debacle. "My prediction is that there will be some very serious consequences for this," he stated, which may have ABS head David Kalisch on his $700,000 salary a little concerned.
What Does The Australian Privacy Commissioner Say?
Yesterday Acting Australian Privacy Commissioner Timothy Pilgrim initiated an investigation into the Census website, and today at 2:44pm he released a statement with an update.
"My priority in doing so was to ensure that no personal information had been compromised," Pilgrim says. "My staff and I have been in regular contact with the Australian Bureau of Statistics (ABS), and I have received a briefing directly from the Australian Signals Directorate (ASD) — the Commonwealth's pre-eminent cyber-security analysts".
"ASD advised me that the incident was a denial of service attack and did not result in any unauthorised access to, or extraction of, any personal information and, on the information provided to me by ASD, I am satisfied that personal information was not inappropriately accessed, lost or mishandled," says Pilgrim.
He calls the ABS's decision to shut down the website — to avoid any prospect that the DDoS attack could include or otherwise facilitate a data breach — "a pro-privacy precaution" given the circumstances.
Pilgrim says he has discussed with Mr MacGibbon how to work together as part of the PM's review.
"My Office will also continue to work with the ABS to ensure they are continuing to take appropriate steps to protect the personal information collected through the Census," he concludes.
Any Other Theories?
Well, there's this from infosec expert Patrick Gray:
— Patrick Gray (@riskybusiness) August 11, 2016
So What Do We Do Now?
You do have to complete the Census, or you'll risk fines of up to $180 per day. That being said, there's plenty of time to get it done.
"We ask Australians to complete their forms as soon as possible," the ABS says. "Fines will not be imposed for completing the Census after Census night".
You've actually got until 23 September.
If you haven't completed your Census form you will start receiving reminders from next week. Census Field Officers will start visiting homes that haven't participated in the Census from this weekend to ensure everyone can take part.
If you haven't received your Census materials, the ABS says to wait until the end of the week and then contact the Census Inquiry Service on 1300 214 531 (the line is expected to be pretty busy, so make yourself a cuppa before you call). You can also order a paper form by calling 1300 820 275.