#CensusFail a shocking balls-up
David Kalisch: Had a tough night at the office this week, no doubt
The fallout from the census debacle would be amusing to watch if it was not so serious. We have politicians making fools of themselves, bureaucrats with substantial amounts of egg on their faces, and all sorts of people saying “I told you so.” It’s all very unedifying, and so predictable.
But it is not funny. It is a disaster. The Australian Bureau of Statistics is a great Australian institution, probably the best of its kind in the world.
But the general public only ever see it at census time. Now its name is besmirched in the public mind, and ‘census’ is a dirty word.
The damage is done and cannot easily be undone. Reputations can be trashed easily, and they take years to repair. This year’s census is irredeemably broken – many people will treat its results with caution and for years to come the 2016 census will be a byword for bungling.
What a shame. And the greater shame is that it was all avoidable. We have witnessed a combination of hubris and ineptitude that has led to the trashing of a great organisation’s reputation and a tragedy for Australia.
The finger pointing has already started. Success has a thousand fathers, as they say, but failure is an orphan. Nobody will admit to responsibility, but everybody is laying blame.
Already, like the sickening debate over the NBN, it is becoming difficult to separate fact from opinion. So let us look at what we know, before the passage of time muddies the waters even more.
Fact: The ABS went out of its way to assure us that the system would be able to cope with the load. It could not. Distributed Denial of Service (DDoS) attacks are not abnormal events – they are part of everyday life in the cyber world.
Alistair MacGibbon, Malcolm Turnbull’s special advisor on cyber security, said as much after the attack.
“It’s not abnormal for Australian Government services to be subject to denial of service attempts,” he said at the hastily arranged press conference the Government called on Wednesday.
“This is just the normal course of business for governments. The attack was no more significant than the types of attack we see all the time against Australian Government systems.”
In fact, it is likely that the very strength of the ABS’s assurances increased the likelihood of an attack. There is nothing a hacker likes more than a challenge.
You would think the ABS would have anticipated a DDoS attack and would have factored it in.
Fact: The census had already become a political football before Tuesday night’s meltdown. Concerns over privacy, from politicians and civil libertarians and ratbags, had already made this the most controversial census ever.
The ABS and the Government both made blithe and bland assurances that all would be fine, and that data would never be compromised.
The ABS’s promise that the system could handle the load proved a nonsense, which hardly fills one with confidence that the privacy concerns have been properly addressed. Now they will never go away.
Fact: The ABS admitted to an attack, while the Government said there was none. We are used to politicians saying silly things, particularly when it comes to technology. George Brandis is exhibit A. But the comments of junior minister Michael McCormack are just as bad.
“This was not an attack, nor was it a hack. It was an attempt to frustrate the collection of data,” he said at the same press conference, directly contradicting both the head of the ABS David Kalisch and the Prime Minister’s cyber security man.
This is sophistry of the first order. In Mr McCormack’s little world, DDoS attacks are not attacks, because they do not steal data. His words have, justifiably, led to him being widely ridiculed.
He is hopelessly out of his depth, which again hardly fills one with confidence that the Government knows what it is doing.
Fact: The attack (if that is what it was) did not cause the census website to shut down – the ABS took it offline deliberately to ensure the hackers could not compromise the census data.
Mr Kalisch and Mr Turnbull both made a big deal of this data integrity issue. “The integrity of the census has not been compromised,” said Mr Kalisch. “The online system will be operating as soon as we are assured it is robust and secure.”
Fully 24 hours later, the census website was still not back up. One leading security expert InnovationAus.com spoke to said the site should never have been taken down, because this made it impossible to trace the source of the attacks.
“The ABS made matters worse by deciding to take the site offline, in the middle of the evening peak, rather than throttling it back. By voluntarily putting it in blackout mode they forfeited any chance of detecting who it was that launched the attack,” said Peter Tran, senior director of security company RSA’s worldwide advanced cyber defence practice.
Our final undeniable fact is that the whole thing is a shemozzle, a balls-up, a snafu of the first order. The 2016 Australian Census is a disaster.
As is always the case in such monumental stuff-ups, few if any heads will roll (any that do will likely be the wrong ones) and the whole thing will pass in a mist of obfuscation and denial of responsibility.
The attacks were foreseeable and preventable. The aftermath is typical. The damage is irreparable.
What an absolute bloody disgrace.