The Prime Minister’s cybersecurity adviser Alastair MacGibbon has turned the slow-motion disaster that was this year’s Census into an opportunity to push for major positive change in the federal bureaucracy, while everyone is paying attention.
He astutely identifies what is at stake — “trust and confidence in the government’s digital transformation agenda, where ‘digital first’ is the overwhelming preference for Australians, underpinned by tangible security and adherence to privacy” — and warns:
“This set-back will have wide-ranging consequences for government. Selling the idea that we are ready for a new digital era just got a lot harder.”
His report notes that the cost, scale and complexity of the Australian Bureau of Statistics’ task in providing an eCensus form was fairly minor in the scheme of government IT projects, and the Census overall:
“In perspective, at around $9.6m – a fraction of the $471m overall spend on the Census – the payment to IBM to deliver the eCensus capability was small. Certainly the sum was small to IBM: between 1 January 2013 and 19 August 2016 IBM was awarded 777 contracts across the Commonwealth Government with a total value of $1.55 billion ($13.7m of which was with the ABS).
“But cost isn’t the only issue. Nor the most important one. Australia now knows that cyber security is not just about national security. Cyber security is about availability of services and confidence in government in a digital age. And the public’s confidence in the ability of government to deliver took a serious blow, more so than any previous IT failure.”
In the circumstances, the ABS was “justified” in shutting down the system in response to the “predictable and defeatable” denial of service attacks, MacGibbon writes. He notes the incident itself “could have been worse” — no data was lost — but says there’s a much more important question here than how to respond to a DOS attack.
Working out “how the Census got to the point where the cyber security arrangements brought into question the trust and confidence in a fundamental government service” will be crucial for government as a whole:
“The public’s lack of confidence will linger. The integrity of the collection and its data are of critical value to Australia.”
MacGibbon says crisis management protocols for the eCensus were not good enough, and underestimated the serious implications of such a high-profile project going wrong:
“While the ABS and IBM had a library of incident management documents to guide them through the events of 9 August, they were impractical, poorly tested and none outlined a comprehensive cyber incident response or communications plan that could be effectively implemented.”
The incident shows whole-of government arrangements for responding to cyber incidents are ineffective as well, in MacGibbon’s view.
He concludes the roots of the eCensus failure are in “decisions about partnership, procurement and project governance” taken by the agency well before Census night, and adds that “organisational culture and skills also played a part”.
MacGibbon reports the security architecture was inadequate and finds this was closely linked to the procurement process that saw the ABS partner with IBM. The data was safe, but not enough attention was paid to the type of security that could have kept the portal online.
Likewise, he finds the ABS had a decent communications strategy but says it was focused on the wrong thing — awareness of the Census instead of what was new about this year’s approach and the associated concerns over security and privacy that threatened the whole project:
“The ABS failed to adapt its media and communications in response to the public relations storm that built up in the weeks prior to the Census regarding privacy and security in both mainstream and social media. Instead, ABS rigidly stuck to its plans, forgoing crucial opportunities to influence and drive the conversation around the Census. Processes for approval of campaigns, and changes to them, may need to be changed to promote agility.”
On the actual night, the ABS was barely part of the conversation about what was going wrong, which led to an information vacuum that filled quickly with speculation on social media and this continued for days, MacGibbon adds.
“Procurement practices fell short,” according to the report, with the main issues being “vendor lock-in” and “a particularly close and trusting relationship between the ABS and its long-term supplier IBM” which meant that the ABS just trusted the company too much.
Organisational culture, as always, is fingered as one of the main culprits:
“Culture matters. And the culture of the ABS identified by the Australian Public Service Commission (APSC) Capability Review in 2013 — insular, inward looking, reactive — affected decisions and performance as the ABS planned and carried out the 2016 Census. Moreover, its reliance on past patterns to guide future strategies doesn’t work.”
MacGibbon says he can see consequences of that culture in decisions made by the ABS all the way back to June, 2012 — almost all of which were “compliant with established government practice”, he adds.
Going along “ticking the boxes, but not appreciating the challenges change presents” made ABS look like the archetypal government agency, he reports:
“The ABS’s actions since [August 9] only underscores the importance of culture: it has steadfastly refused to own the issue and acknowledge responsibility for the factors leading to the events and shortcomings in the handling of events on the night.”
The fallout from the disaster, MacGibbon points out, is very low trust in the quality and accuracy of the Census data, despite “encouraging signs” from the bureau’s point of view.
MacGibbon then looks to the future, and considers how government agencies in general will continue clambering into the digital era. Secure cloud computing services might be part of the answer, he suggests, as well as a wholesale increase in general “digital awareness” across government.
“Small agencies such as the ABS are probably ill-equipped to deliver technology outcomes of scale,” he writes.
The fallout from the disaster is low trust in the quality an accuracy of the data, despite “encouraging signs” from the bureau’s point of view. MacGibbon suspects the ABS is not alone in the various deficiencies he identifies, and calls on all agencies to heed the lessons of the #Censusfail.
Top of MacGibbon’s list is a stronger protocol for cybersecurity crisis management from the Department of the Prime Minister and Cabinet that is “widely circulated, well understood and regularly exercised” throughout the Australian Public Service.
MacGibbon’s report suggests “crisis incident notification and coordination arrangements” could be improved among the agencies that make up the Australian Cyber Security Centre, as well as between the ACSC, PM&C and the Crisis Coordination Centre within the Attorney-General’s Department.
The government needs to be ready with new communications strategies and key talking points for a range of potential cybersecurity incidents, and develop a consistent “whole-of-government cybersecurity lexicon” so that everyone is clear on what is officially an “attack” and what is not, he advises.
The AGD should take charge of education, MacGibbon suggests, by setting up a “boot camp” for both mandarins and ministers to learn the fundamentals of cuybersecurity and how to talk about it, in line with what CSIRO’s Data61 unit is teaching company directors through another program.
MacGibbon recommends the Australian Signals Directorate update the APS Information Security Manual to explain more about protecting online services like the eCensus form. And he proposes the spy agency get together with the Digital Transformation Agency to run a “sprint” event for public servants to quickly learn about responding to DOS attacks, with a view to holding similar events in future to practice other cybersecurity skills.
Of course, most experts and the Senate committee that separately picked over the incident and also reported yesterday, do not accept a DOS attack is a reasonable excuse for what occurred. As MacGibbon describes it:
“One of the government’s most respected agencies – the Australian Bureau of Statistics (the ABS) – working in collaboration with one of the technical world’s most experienced companies – IBM – couldn’t handle a predictable problem.
“As a result, a key national event trended online globally as #CensusFail – a serious blow to public confidence in the government’s ability to deliver on public expectations.”
To complement the special security framework for high-risk agencies, the PM’s cyber adviser proposes ASD put in place a similar arrangement for a list of high-risk special events and essential online services. MacGibbon will also work with government and ASD to “review its model for prioritisation and proactive engagement with agencies to provide cyber security support and develop a service catalogue of offerings to ensure clear understanding of capabilities”.
The Department of Finance gets the task of leading the whole APS to a “positive risk culture” around cyber security — which it is already doing in a more general sense through its ongoing implementation of the Public Governance, Performance and Accountability Act — with a particular need “to improve agency understanding and uptake of secure cloud services”.
MacGibbon suggests PM&C should embrace Peter Shergold’s “adaptive government” and look on the procurement process around the eCensus apparatus as “a case study on the barriers and opportunities to delivering better ICT outcomes”:
“This should include developing a more agile approach to market testing and contracting options, ICT procurement skills and outsourcing oversight arrangements.”
Another recommendation involves DTA establishing, with advice from ASD and Finance, a new “cyber security shared services” consulting unit to advise other agencies:
“This would ensure security is integral to all new online service delivery proposals and facilitate partnering between agencies to draw on cyber security expertise in larger agencies with more mature capabilities.”
MacGibbon recommends Finance, ASD and DTA to jointly “consider how to strengthen central governance and assurance” as well, and suggests “this ownership may no longer logically sit with ASD, given their broader portfolio of responsibilities”.
“Capable agencies” should be accredited to deliver shared cyber services for “citizen-facing projects where, for higher risk online delivery programs, smaller agencies must partner with (or source their ICT project management from) an identified lead agency or through a core service such as GovCMS”, he adds.
Not so fast, ABS
All that’s before MacGibbon even gets to the ABS, which also received a lot of criticism in the report of the much wider-ranging and more politicised Senate inquiry.
Firstly, the PM’s cyber adviser thinks the ABS would benefit from bringing on an independent security consultant to pick through “all aspects of their information collection and storage relating to Census data – from web application through to infrastructure and policies and procedures”.
He adds that Privacy Impact Assessments should be independent if the ABS plans any more “significant changes to personal information handling practices” in future, as well as an entirely new overarching privacy management plan, and better training for staff.
And as for the procurement issues:
“The ABS should develop a specific strategy to remove the current state of vendor lock-in.
“The ABS should strengthen its approach to outsourced ICT supplier performance management to ensure greater oversight and accountability.”
MacGibbon advises the embattled agency to make sure the hard lessons of the eCensus failure are heeded internally and spoken of openly among staff, by using them to “guide and to advocate for the cultural change path it is following”.
He supports the bureau’s decision to convene an independent quality assurance panel to assess this year’s data and urges the agency to make its report public, while running a campaign to inform the public about the data quality.
MacGibbon thinks the ABS should be required to report monthly to the relevant minister on its progress against his recommendations, but his report doesn’t stop there. On the basis that there’s no opportunity like a good crisis, he also provides a set of better practice guidelines for all agencies:
- Agencies should review their approach to cyber security incident response planning and coordination and exercising of those plans with stakeholders.
- Agencies should ensure independent security assessments are conducted on critical ICT deliverables.
- Agencies should test security measures and monitoring systems for online government services under foreseeable adverse conditions, including under attack conditions.
- Agencies should be conscious of updated interpretations of governing legislation to addressing the changing technological environment. Agencies should review their oversight and assurance arrangements for outsourced cyber security services.
The Office of the Australian Information Commissioner wants to work with government to develop a new APS-wide Privacy Code.
Broadly, MacGibbon thinks it should require all agencies to appoint dedicated privacy contact officers and separate “privacy champions”, have up-to-date privacy management plans, undertake written Privacy Impact Assessments “where relevant” and take steps to “enhance internal privacy capability”.
Senate report goes much further
One thing the ABS needs is “portfolio stability” to do its job properly, according to the Senate committee that examined the ignominious conduct of the 2016 eCensus, as well as the wider privacy debate and calls for a boycott.
The committee’s report notes there were a few issues that hampered preparations for this year’s population count. To begin with, the inquiry confirmed that around February 2015, the ABS was indeed proposing not going ahead with the Census at all, as news reports later claimed.
The ABS told IBM “in or about February 2015” that it was advising the government to abandon the Census, then confirmed it was going ahead in May 2015, the committee heard. The report notes:
“The ABS’ lengthy and otherwise comprehensive submission to this inquiry makes no mention of these events.”
Then there was the departure of former Australian Statistician Brian Pink in January 2014 and the fact it took the government a year to confirm his permanent successor, David Kalisch. Between September 2013 and August 2016, the ABS answered to four different ministers, the committee observed.