Over 130,000 attackers targeted the online Census 2021 over the course of Australia’s national survey, yet none managed to disrupt it – and it is only now, weeks after the 10 August survey, that the system’s architects have revealed how they avoided another catastrophe.
Prime contractor PwC, it turns out, worked closely with Amazon Web Services (AWS) to rebuild the entire Census infrastructure on the AWS cloud – which lets applications quickly create new copies of application servers when demand increases, then shut them down when traffic settles down.
This architecture suits online applications like the Census, which at its 8:06pm AEST peak was handling 142 online forms per second and processing up to 249 logins every second.
Months of preparation had seen the technical teams pushing the core Census Digital Service (CDS) to breaking point, with the system tested at more than 500,000 logins per second – ensuring it was, as Simon Elisha, AWS director of Technology and Transformation in Oceania, explained, “easily able to manage the 2.5 million people who submitted their forms on 2021 Census day.”
To spread traffic more evenly, the Australian Bureau of Statistics (ABS) kept the Census portal open for a 9-week period on either side of Census Night, with CDS ultimately managing more than 8 million forms.
The developers also set up an automated contact centre running on AWS, which allowed 394,000 Australians to order a paper copy of the Census form without involving a single Census employee.
Yet scaling the Census wasn’t the only issue facing developers of the 2021 Census platform – which was designed from day one to avoid a repeat of the 2016 disaster, when a poorly-designed security infrastructure allowed the system to be overwhelmed by distributed denial of service (DDoS) attacks and ultimately forced the ABS to pull it offline during the busiest hours of Census night.
Anticipating a repeat of the 2016 DDoS storm, the system’s architects also pummelled it with simulated DDoS attacks more intense than 99 per cent of the attacks that AWS sees over its network every day.
ABS and Australian Government security experts torture-tested the new platform, which was evaluated against the stringent Information Security Manual (ISM) controls and underwent a formal Information Security Registered Assessors Program (IRAP) evaluation that certified the AWS infrastructure for carrying data up to the PROTECTED classification level.
Governing from the cloud
For AWS, the Census project was more than just an opportunity to salvage the ABS’s tattered reputation: having delivered the 2017 Marriage Law Postal Survey and 2019 Australian Electoral Commission election website without a hitch, AWS has seen the 2021 Census success reinforce its prime position as the Australian government marches into the cloud.
It’s a major shift for governments that traditionally managed their own applications within data centres they could control – but increasingly capable cloud providers have rapidly changed this.
“AWS understands the demands of delivering essential government services online,” Elisha wrote, “and has deep expertise in helping customers scale.”
AWS has secured an increasingly diverse array of high-end projects, including its recent deal with RMIT University to build a cloud-based supercomputer that will exploit AWS’ scalability for researchers.
Yet its increasing role as the de facto cloud platform for Australian government – enshrined by a 2019 whole-of-government agreement – means government bodies’ consolidation into the cloud is only just beginning.
“The centralisation of Government networks seeks to reduce opportunities for malicious actors to target agencies that have less secure ICT systems and drive greater efficiencies in the Australian Government’s cyber security investment,” the Australian National Audit Office (ANAO) noted during a recent audit of government application hosting strategies.
Buoyed by a shakeup of Australian government cloud policies and the recent mandate that government data only be stored in ‘certified assured’ or ‘certified strategic’ data centres, AWS has expanded its regional investment, with a Melbourne cloud region – which will complement the Sydney region where all Census data was stored – currently in the works.
AWS also recently announced plans to spend $7.5 billion ($US5.3b) on a New Zealand region that will open in 2024, giving that country’s businesses and government bodies a domestic cloud platform to support their own digital transformation.
“A level of digital sovereignty is required for securing and developing Australia’s national interests,” Monash University professor Andrew Mitchell noted in a recent Australian Strategic Policy Institute (ASPI) analysis.
“The challenge once faced by Australian governments was completing their digital transformations; now, it’s about figuring out how to adequately protect government systems that are hosted in the cloud.”