The government is seeking to reassure Australians their census data is secure, after an attack combined with system failures forced the Australian Bureau of Statistics (ABS) to take down the site on Tuesday night to ensure data was protected.
After several “denial of service” attacks from unidentified sources designed to stop people submitting forms, key parts of the hardware failed.
Prime Minister Malcolm Turnbull said the “unequivocal advice” from IBM, the ABS, and the Australian Signals Directorate (ASD) was that people’s “census data is safe, it has not been compromised. The site has not been hacked, it has not been interfered with.”
Those who hadn’t yet completed their forms would be able to do so with confidence that the information would be secure, he said. But the site had still not been put up again by mid-Wednesday.
Turnbull said that Australian Statistician David Kalisch had decided at about 7:45 on Tuesday night “to take the site down out of an abundance of caution to ensure that there was no risk that the data could be compromised, that the site could be further interfered with”.
The special adviser to the prime minister on cyber security, Alastair MacGibbon, likened the attack – a term that Michael McCormack, the minister responsible for the census, declined to use – “to me parking a truck across your driveway to stop vehicles coming in and out”.
Asked whether the attack had come from a state actor or a school kid on a computer, MacGibbon said the source was being investigated but attribution was always hard. These “denial of service” attacks were “commonplace” not just on government systems but those of any big organisation. He said that at the time of the major attack, most of the traffic was coming from the United States, but that was not abnormal in denial of service because there were “an awful lot of systems” in the US.
Earlier Kalisch told the ABC: “It was an attack and we believe from overseas.” He said: “There were a number [of attacks] during the day. The first three were successfully repelled and the fourth one caused the difficulty that then led us to bring the system down as a precaution.
“The scale of the attack – it was quite clear it was malicious,” he said.
The first three attacks caused only minor disruption. But the fourth, as many people were trying to submit their forms during the evening, was large-scale.
Asked what the motivation of those who made the attacks might be, MacGibbon said it was “clearly to cause frustration” – which they did.
He pointed to the controversy that had been running about the census. “One thing I would say is that there was an awful lot of conjecture about the census and its online activities. And every time there is more of that conjecture, it increases the profile of the site.”
Whenever there was talk about a breach, people tried to compromise the system that was being talked about, he said. “It’s the same with a denial of service. It’s the same with any form of IT security. The more we talk about it, the more people decide to see if they are better than we are. In this case … it almost ended up a draw.”
Kalisch did not mention the attacks that had already occurred when he gave a news conference on Tuesday afternoon. He justified this by saying these had been managed and “I didn’t think it was appropriate for me to signal that was happening”.
Turnbull said there would be a thorough review of events, headed by MacGibbon. He would be supported by the ASD, the Treasury and the ABS. The ASD is an intelligence agency that collects and analyses foreign signals intelligence and advises on communications security.
Australian Privacy Commissioner Timothy Pilgrim announced he was commencing an investigation of the ABS in relation to “these cyber attacks”.
Opposition Leader Bill Shorten said this was “the worst-run census Australia have ever seen”. It was “one of the greatest IT bungles and stuff-ups that a Commonwealth government has ever been associated with”.
Shorten asked how Australians could trust the government when it could not even explain what had gone wrong.
Senate crossbencher Nick Xenophon said he would move for a Senate inquiry into the debacle as soon as the Senate met. Earlier this week, Xenophon said he would not put his name on his census form due to privacy concerns.
Authors: Michelle Grattan, Professorial Fellow, University of Canberra