‘Censusfail’ hangs over Australian Bureau of Statistics as it prepares for 2021 survey


Julian Doak admits he’s probably the least popular person at the Australian Bureau of Statistics right now.

The bureau’s chief information security officer has been preparing the agency for the 2021 census and, with just a month to go to 10 August, it’s crunch time.

The long shadow cast by what was dubbed “censusfail” of 2016 hangs over everything the ABS has done since in preparation for this year’s mass information gathering exercise.

On 28 July, the online form will open, and households will begin to receive letters with a unique login ID to fill out the census. To ease the load on the day, people will be able to complete their census online as soon as their ID arrives.

Within the agency, there are stress tests under way and ethical hacking activities to replicate what might happen on the day.

“We’ve just had this ongoing program of load testing, of DDoS [distributed denial-of-service] testing, penetration testing, code review,” Doak said.

“I’m probably the least popular person in here, especially right now. Everybody understands why I do what I do, and what the team does, all of the external experts, while they’re in here and what they’re doing.”

The 2016 census – a “digital first” – was a debacle.

On 9 August 2016, at about 7.30pm, the census website was hit by distributed denial-of-service attacks. The site was flooded with traffic in an attempt to overload it and shut it down.

Along with a hardware failure, and a false report that data was at risk, there was widespread concern about the security of the census. Just after 8pm the ABS took the website offline for 40 hours.

In his memoir, A Bigger Picture, the former prime minister Malcolm Turnbull described the event as a “humiliating debacle for a government that was promoting innovation, agility and the promise of the digital era”.

Initially, the ABS and IT contractor IBM stated there had been a “massive cyberhack” and implied it had been the work of a foreign state. But as Turnbull noted, the DDoS attacks were “quite modest in scale” and a result of a failure on IBM’s part to deliver on its contractual obligations around DDoS protection.

He later said he had “egg on his face” as prime minister for the failure, which had challenged the Australian government agency cliche that “no one got fired for buying IBM”.

A Senate committee review of censusfail ultimately placed blame on IBM for not meeting its contractual obligations in keeping the site up, and the ABS for putting too much trust in IBM.

Following that review, preparation for the 2021 census began in earnest. In the 2019 federal budget, the ABS received $38.3m to address issues arising out of the 2016 census in order to prepare for 2021.

“We’ve rebuilt the system from the ground up,” Doak said. The Australian Cyber Security Centre was involved from the beginning and the committee’s recommendations were incorporated in full.

Amazon Web Services is hosting the data within Australia. Once a user clicks “submit” on the form, it is encrypted, with only the ABS having the key. Once the data is collected, it is then hosted for processing by the ABS in an in-house data centre in Canberra.

Doak said where the ABS has relied on companies to provide services for the census, there were contractual requirements to prevent a repeat of 2016. The ABS had brought in the Australian Signals Directorate – the country’s surveillance intelligence agency – and other cybersecurity experts to run tests ahead of time.

There have been ethical hacks, penetration testing and ongoing code reviews, Doak said.

“I guess it’s trust but verify,” he said. “The best way to find out how secure your system is, is to get people of various skill levels and have them have a go at your system – so we’ve been doing that as we’ve been building.

“And then DDoS testing – we go through a major provider who just does this and we’ve done a lot of tests, including some quite large-scale ones.”

The Australian statistician, David Gruen, said he would sleep better after census day but the ABS had been preparing for every possibility.

“We have to be prepared for everything, including kids in their parents’ basement who would think it would be a great idea if they could get into the system. That [and] state actors,” Gruen said. “We do it as carefully as we possibly can so that we protect people’s privacy, but it is something that means that you have to have as sophisticated protections as you possibly can.”

Despite the issues with the 2016 online census, 63% of the 10m households in Australia filled out the form online, and the ABS has planned for this to increase to 75% in 2021.

For those who still wish to fill out a paper form, or who have poor internet and cannot fill it out online, there will be 400 information hubs across the country, as well as 20,000 field officers to assist people with the census. More than 2,000 people have been hired to specifically support Aboriginal and Torres Strait Islander communities, culturally and linguistically diverse communities and the homeless.

With the 2016 census, there was also controversy over the ABS decision to keep people’s names and addresses on file for four years. In 2021, the ABS has reduced the time it will retain names to 18 months. Addresses will be retained for 36 months.

Data collected in the census will be released by the ABS in three phases – in June and October 2022 and in March 2023.

