Australia's Bureau of Statistics has heavily criticised IBM for the security it applied to the nation's failed online census, which was taken offline after a distributed denial of service (DDoS) attack that battered a curiously flimsy defensive shield.
The Bureau also admits it could have done better in a submission (PDF) to a Senate Inquiry into the census, but it is also very unkind to Big Blue.
Here's a sample of its commentary:
The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system. Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future.
Section 8 of the 123-page document deals with planning and preparation for the census and notes that IBM won the tender to host the event under a contract that required it to provide DDoS protection.
A July 2016 Risk Management Plan specified that IBM would be responsible for DDoS protection, “with ISP measures of Island Australia (geoblocking international traffic) a key measure.” Or in other words, traffic from offshore would be blocked.
The ABS later “received various assurances from IBM about operational preparedness and resilience to DDoS attacks”. The Bureau also conducted meetings with the signals intelligence agency, the Australian Signals Directorate (ASD), to assess the risks the census faced, including DDoS. It came away from that meeting feeling that no “... new areas of concern were raised, nor were there any suggestions of potential mitigations or additional preparations that were not pursued.”
The ASD also signed off on the design for the census and the Bureau conducted live tests, had load balancing put in place and hired penetration testers.
But the Bureau “did not independently test the DDoS protections that IBM was contracted to put in place, as it considered that it had received reasonable assurances from IBM.”
“At no time was the ABS offered or advised of additional DDoS protections that could be put into place. Additionally, no suggestion was made to the ABS that the DDoS protections that were planned were inadequate.”
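The gap the submission describes is a control that was specified and assured but never independently exercised. An added example, not from the submission or from IBM or the ABS, of the kind of check a defender can run before relying on an "Island Australia"-style allowlist: compare the verdict the policy requires for each source address with the verdict the deployed control actually gives. The geolocation table, the deployed-rule stand-in and the sample addresses are all constructed placeholders, not real data.

```python
"""Independent verification of a geoblock allowlist against its specification.
Every prefix, country code and sample address here is constructed sample data."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed geolocation table (prefix -> ISO country code); not real GeoIP data.
GEO_TABLE = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
    "2001:db8::/48": "AU",
    "2001:db8:1::/48": "US",
}
ALLOWED_COUNTRIES = {"AU"}  # the policy: only domestic traffic reaches the site


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix-free lookup over the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def policy_verdict(ip: str) -> str:
    """What the plan requires: allow domestic sources, block everything else."""
    return "allow" if country_of(ip) in ALLOWED_COUNTRIES else "block"


def deployed_rule_broken(ip: str) -> str:
    """Constructed stand-in for a mis-deployed control: the block rule was
    written for IPv4 only, so IPv6 sources fall through to the default allow."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and country_of(ip) not in ALLOWED_COUNTRIES:
        return "block"
    return "allow"


def audit(probe: Callable[[str], str], samples: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, expected, observed) for every sample where the deployed
    control disagrees with the policy. An empty list means the control matches."""
    findings = []
    for ip in samples:
        expected, observed = policy_verdict(ip), probe(ip)
        if expected != observed:
            findings.append((ip, expected, observed))
    return findings


# Constructed probe set: one address per table entry, domestic and foreign, v4 and v6.
SAMPLES = ["203.0.113.10", "198.51.100.7", "192.0.2.99", "2001:db8::1", "2001:db8:1::1"]
```

Running `audit(deployed_rule_broken, SAMPLES)` reports the IPv6 foreign source that the policy says to block but the control lets through, which is exactly the discrepancy an assurance-only process would never surface.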
The Bureau also had a risk assessment done for the census. The section of that document covering DDoS and other threats said, “For this risk, the inherent risk rating was ‘extreme’, the control effectiveness rating was ‘good’ and the residual risk rating was ‘moderate’.”
Section 9 analyses census night and the incidents that brought the census down and confirms that the site was taken down in response to a DDoS. By 9:15PM the ABS and IBM were both aware that geoblocking had failed, and why.
The document goes on to say “Investigations subsequently identified that IBM failed to properly implement geoblocking.”
But the document also contradicts itself, as its analysis of the wash-up said the Bureau of Statistics was told by the Signals Directorate that it “was of the view that IBM had taken all steps that could reasonably be taken in the time available to mitigate denial of service attacks similar to those that occurred on 9 August.”
It just looks like IBM didn't execute correctly.
Reports in Australian media yesterday suggested IBM has fired at least two senior staff associated with the failed census. The Register asked IBM if those reports were correct, but has not received a response from IBM at the time of writing.
The ABS submission is far from the end of the matter. The Senate Inquiry will report in November. The Department of Prime Minister and Cabinet is also conducting an inquiry into the census. ®