In the aftermath of the 2016 Censusfail debacle, what the Australian Bureau of Statistics (ABS) did next shaped how federal agencies manage the cyber security risks of handling data digitally.

Six years ago, the ABS decided it was time to get the Census, a fundamentally confidential data-collecting undertaking, online. The agency was acutely aware that trust was a major principle in successfully delivering an online Census experience, and it assumed everything was in place for a seamless digital launch.

Like many case studies about the transition from clunky paper-based government programs to a ‘digital first’ model, it is safe to say hiccups were to be expected along the way. But nobody on the implementation team had prepared for a series of denial-of-service attacks on Census night.

According to ABS deputy statistician Teresa Dickinson, nobody in the agency knew what was happening or how to respond. For the longest 40 hours, the Census website was down.

During that time officials scrambled to establish whether a data breach had occurred and, once it was clear that none had, whether the system would be safe from further attack or a possible breach once it went live again.

“It would be fair to say that this is the first public cyber event for government,” Dickinson told an audience in Canberra this week.

“The ABS, of course, was the focus for it and received a very large amount of adverse publicity. The #Censusfail moniker carried us right through to [the next Census in] 2021.

“The PM at the time, Malcolm Turnbull, made some very early and forceful pronouncements about his perceptions of the event, and that took a little while to get through as well,” she said.

It ranks among the early embarrassing stories of public servants trying to take an institutional program online and having it go belly-up.

A string of forensic reviews followed: one led by Alastair MacGibbon, then special adviser on cyber security to the PM; an inquiry by the Senate Economics References Committee; and an analysis of the Census data by an independent assurance panel.

“Ultimately, the Census was successful in that the response rate was good and the data quality, which was verified through external assurance processes, was seen to be of high quality,” Dickinson said.

Beyond the public relations nightmare, the risk that the periodic exercise to count Australians and profile the nation’s demographics could become the target of a catastrophic data breach was a big lesson for all involved, and for other agencies yet to digitise or move services online.

Dickinson shared the ABS’ experience with the Australian government data forum on Wednesday.

The deputy statistician said that among the key lessons agency staff had seared into their minds for future online Censuses was the need to manage risk in a more robust fashion than merely taking a compliance approach.

“Keep up with what’s going on in the environment, it is very rapidly evolving — what you think you’re building for a couple of years before a major event might not be suitable when the time comes.”

The reviews also told the ABS it needed to manage outsourced contracts carefully, and improve incident management and communication plans.

“You can’t outsource risks. You have to undertake the assurance to know that your vendors, your contractors, are doing what they should be,” Dickinson said.

“There were 29 recommendations coming out of those reviews; only six of them were specific to cyber-related matters. Quite a number of them were to do with broader system issues to do with communications and handling crises.”

By the time the next Census rolled around, in 2021, the ABS had adopted a ‘security and privacy by design’ approach across all aspects of design, build and implementation. At each stage, internal and external specialists were tasked with testing whether the components were aligned with cyber security best practice and privacy protection.

“We brought technology to bear, encryption became very important to us — the data was fully encrypted after you entered your Census details, right through until it was in our store,” Dickinson said.

The Census was subject to the biggest distributed denial-of-service (DDoS) testing that had ever been conducted in Australia, consisting of two rounds, in partnership with AWS and the Australian Cyber Security Centre (ACSC). By volume, the test ranked in the top 1% of DDoS tests conducted anywhere in the world.

That was then followed by penetration testing, code reviews and ethical hacking attempts using teams from the ACSC, and a process built around so-called ‘quality gates’ that did not allow development to progress until the agency was assured that specific security measures were in place.

“We did all the things that you would expect was emblematic of growing government awareness of these matters and processes [such as] IRAP security assessments, security assessments of all their systems by the ACSC,” Dickinson said, adding that the partnership with the ACSC was critical to hunting down threats, implementing the ‘Essential Eight’ and understanding the threat landscape.

“We did a great deal of scenarios and issues testing, where we pretended that things went wrong in certain ways, including that there had been a breach, including that we had an obvious cyber attack — [to rehearse] what we would do.

“We also had external suppliers, both in the lead-up and on the night, who were threat finders for us. They had a worldwide network and they were, on our behalf, seeking threats before they came near the system,” she said.

On the night of the 2021 Census, the system thwarted 1 billion attempted attacks, and the ACSC was alerted to 160,000 identified malicious IP addresses. For the two months the Census was operating, there were no interruptions.

“Even the APS, which has very large, complex data systems, has trouble with the Essential Eight, because we have so much legacy. But for us, it’s very much top of mind to keep pursuing the requirements of the Essential Eight,” Dickinson said of the importance of following cyber security rules.

“Know your enemy, be aware of the threat landscape and the threat briefings that come out from ACSC.

“Take a cradle to grave approach — all steps in the data cycle, and all steps in major projects [should have] ‘privacy and security by design’.

“Minimise threat by minimising data — and I think this is something where the APS is probably playing catch up a bit.

“Cyber is a team sport. Play with others in the field to help you have real cyber posture.

“And remember that [strong cyber security assurance] is personal, as well as global,” she said, emphasising the need for individual staff members, as well as the organisation, to have a robust sense of digital security.

Dickinson added that testing and preparation were now part of how the government worked in a hyper-connected environment, meaning cyber security was a constant consideration in business planning and structures.

“Test, test, test, and finally, of course, prior preparation prevents poor performance,” she said.
