Malcolm Turnbull’s special adviser on cybersecurity believes the concern and controversy about privacy and online security in the lead-up to the Census made the online form more of a target, but was also a valuable public debate to have.
“One thing I would say is that there was an awful lot of conjecture about the Census and its online activities and every time there is more of that conjecture, it increases the profile of the site,” said Alastair MacGibbon when he fronted the media yesterday morning.
To the most strident critics of the Australian Bureau of Statistics and the Census and supporters of the related boycott movement, it could have sounded like the public servant charged with reviewing the debacle shifting the blame back on to them, rather than addressing their underlying concerns.
But other comments yesterday and in recent months show MacGibbon’s position is more nuanced.
“I’ve advocated for a long time that we should be asking about how much information we give away,” he told ABC radio in one of several interviews. He also said he would never suggest such a debate should be shut down as it was one of the most important issues for society in the age of big data.
MacGibbon also confirmed denial of service attacks are very common, easy to mount and often aimed at government. “It’s not abnormal for Australian government services to be subjected to denial of service attacks,” he said. “This is just the normal course of business for government, and the vast bulk of those are handled in the normal course of business.”
MacGibbon said the fourth DDoS attack yesterday was significant because of two failures.
“The first one was the geo-blocking service fell over … and that’s one of the main defences used against denial of service … then the router failed,” he explained.
“And as a result of that, then there was information inside the system that the ABS and IBM took very cautiously — so, not knowing what that information was, [they] made a decision to take [the site] offline.”
As attention turns to how seriously the Australian Bureau of Statistics took the increasingly widespread concerns, the related boycott movement, and the possibility of a denial-of-service attack, MacGibbon is leading the main review into what went wrong. His early view is that the attack was “no more significant than the types of attacks we would see all the time against Australian government systems” — it was always a very real possibility, even before the online commotion painted a big target on the ABS.
Late to appreciate the campaign risk
When the boycott campaign started to pick up steam, the ABS appeared unconcerned, albeit cognizant of how important public trust was to the success of the project. A spokesperson told The Mandarin “underground campaigns which encourage boycotting or providing false information on Census forms do occur from time to time” and was confident that telling the public all about “the value and importance” of the Census would keep most onside.
MacGibbon says the “large public discussion” clearly made the Census more of a target for “malicious people”. In the same line of reasoning, the supreme confidence expressed by the ABS in their information security and the online form’s ability to handle a large number of users could have further invited attacks.
“We see that in every single time, whenever we talk about a breach, when we talk about a successful compromise, we see people trying to compromise the system we talk about,” said MacGibbon, who was made special adviser to the Prime Minister on cyber security in May, a year after he was plucked from the private sector to be the Children’s eSafety Commissioner.
“It’s the same with a denial of service, it’s the same with any form of IT security. The more we talk about it, the more people decide to see if they are better than we are.”
Shortly before he took on the job, MacGibbon spoke in favour of data breach notification, which is currently not mandatory for government or businesses, although many IT experts say it should be.
He said “government needs to show its vulnerability” to lead by example.