A “bitterly disappointed” Malcolm Turnbull has blasted IBM and the Australian Bureau of Statistics for the failure of the online Census.
Speaking to Alan Jones on Radio 2GB, the Prime Minister could not hide his anger at the failure of those involved in the Census website to repel what he called “highly-predictable” and “inevitable” denial-of-service attacks on the site.
He pointed the finger for the failures squarely at IBM and ABS and predicted “very serious consequences” for both organisations, including the likelihood that “heads will roll”.
“There are clearly very big issues for IBM, the systems provider for the Census, and for the Australian Bureau of Statistics itself,” Turnbull said.
“My prediction is that there will be some very serious consequences to this.”
Turnbull said that his immediate focus was on seeing the Census site resurrected in the hope of completing the data set.
A review – headed by the Prime Minister’s cyber security special advisor Alastair MacGibbon – “and which heads will roll where and when is something that will follow”, Turnbull said.
Turnbull was particularly critical of the readiness of IBM and ABS to ameliorate a denial-of-service attack. He believed a high-profile site like the Census form was always going to be tested in this way.
“Denial-of-service attacks are absolutely commonplace. They are highly predictable, they were inevitably going to happen to the Census website,” Turnbull said.
“A denial-of-service attack is as predictable – for a site like this – as the rain will fall one day or the sun will come up in the morning.
“The denial of service attacks … should have been repelled readily, [but] they weren’t because of failures in the system that had been put in place for ABS by IBM.
“There are issues for both IBM and ABS about that.”
Turnbull also blasted IBM and ABS for a lack of redundancy in the architecture of the system underpinning the Census.
The ABS has said in a preliminary post-incident report that it pulled the Census site offline due to a “confluence of events” around 7.30pm on Census night.
That “confluence” included a denial-of-service attack, rising legitimate traffic from people trying to lodge their forms, a router failure and a “false positive” generated by the system’s monitoring software.
“What happened at 7.45pm was that as this denial-of-service attack which had started at 7.30pm was starting to have an impact – and of course it should have been dealt with – the ABS and IBM observed some anomalous signalling traffic within the network and that caused them to be concerned, to fear that more may be happening than was, and they took the site down,” Turnbull said.
“[The denial-of-service] was compounded by some failures in hardware and inadequate redundancy.”
Politicians have consistently said the site was purposely taken down “out of an abundance of caution”.
Turnbull said he had personally directed IBM and ABS to fix the issues under the guidance of the Australian Signals Directorate.
He said the system “should” be back online sometime August 11 and encouraged Australians to re-attempt to submit their data again.
Yesterday, Turnbull – together with Treasurer Scott Morrison – were at pains to assure Australians that the “integrity” of the Census and its data protection measures remained intact, and that the Census should not be abandoned.
Turnbull called for unilateral political support for the continuation of the Census data collection, amid criticism from a wide range of vectors, including from within his own party.
The ABS and its contracted suppliers now face a range of reviews and inquiries.
In addition to the official review led by MacGibbon, Australian Privacy Commissioner Timothy Pilgrim said he would investigate whether the DoS attacks led to any data being lost or constitute a breach of privacy laws. However, he later called off the investigation, satisfied that no data had been exfiltrated.
The handling of the Census is also likely to be a key topic at the next Senate Estimates hearings in mid-October.