The 2016 omnishambles Saturday, 15 October 2016

News article written by Corbett Communications. The statements made or opinions expressed do not necessarily reflect the views of Engineers Australia.

While the epic fail on 9 August of the 2016 Census occurred due to a not-so-funny comedy of errors, the mainstream media only reported on the Australian Bureau of Statistics’ (ABS) submission to the Senate Inquiry. The ABS’ submission confirmed a Distributed Denial of Service (DDoS) attack occurred “that was not unusual and was anticipated, which affected the Census application system … Around the same time, an unusual spike in outbound traffic was observed in the monitoring systems”. The ABS said the two events led to the closure of the online census submissions for two days, causing “inconvenience” to the Australian public.

However, a submission to the Senate Inquiry by Dr Robert Merkel, a lecturer in software engineering at Monash University whose research areas include fault analysis, random testing, software testing, and testing of embedded systems, labelled the widely-acknowledged and insufficient DDoS protection “inexcusable”. He said the ABS as the customer should have insisted upon it and IBM as the contractor, should also have insisted upon it, and the two organisations should have sought an independent third-party assessment to ensure the DDoS protection was adequate.

Merkel also questioned whether sufficient system testing was conducted by IBM and acceptance testing (full system testing) on behalf of the ABS was done.

“The ABS’s competence as a purchaser of software is clearly open to question … [and] the primary contractor’s competence and practices are also worthy of examination,” he said.

IBM’s contracting division has been responsible for many Australian public sector IT projects but as

Monitor reported in the August issue, and Merkel stated that it is “associated with arguably the largest government sector IT failure in Australian history, the debacle of the Queensland Health payroll system”.

This begs the question why IBM was contracted to manage such an important software-based event.

“Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future,” the ABS said.

In its submission to the Inquiry the ABS said the DDoS attack should not have been able to disrupt the system and fobbed off the blame onto IBM.

Media reports alleged the company had not synced the ruleset when it rebooted the firewall so the backup router did not work as it wasn’t configured the same as the original router, rendering the first device, a single point of failure, causing one of the outages.

But the final outage was a result of a deliberate decision to shut down the ABS’ Census site. This happened “after routine status messages were misidentified by an automated monitoring system as an attempt to exfiltrate – that is, smuggle illicitly accessed data out of the system”, according to Merkel. 

“Once the system had been affected, the ABS took the precaution of closing the online Census form to safeguard and to protect data already submitted, protect the system from further incidents, and minimise disruption on the Australian public by ensuring reliable service,” the ABS said. 

Merkel believes if a full test of the whole system - including security monitoring systems that provided alerts - had been done prior to the Census night, the false alarms caused by the status messages should have occurred in testing. He suggested to the Senate Inquiry that further information should be sought about the acceptance testing performed for the ABS.

Author: Desi Corbett

Image: ABS chief statistician David Kalisch in the wake of the 2016 Census. Source: ABC News