The Australian Bureau of Statistics shut down the website last night after what it described on Twitter as a series of denial-of-service attacks “of varying nature & severity”.
Earlier this morning, chief statistician David Kalisch told ABC radio: “It was an attack … it was quite clear it was malicious”.
We apologise for the inconvenience. The 2016 online Census form was subject to four Denial of Service attacks of varying nature & severity.
— Census Australia (@ABSCensus) August 9, 2016
However, at a press conference in Canberra later, the minister responsible for the census, Michael McCormack, attempted to downplay the incident.
“This was not an attack, nor was it a hack but rather, it was an attempt to frustrate the collection of Bureau of Statistics census data,” he said.
McCormack said the ABS decided to shut down the census form to safeguard and protect data already submitted.
There was a large-scale denial-of-service attack on the website, which is when the site is flooded with requests for information and the servers are overwhelmed – as if a huge crowd of people tried to get through a doorway all at the same time.
“Following, and because of this, there was a hardware failure,” McCormack said, adding that the ABS took a very cautious approach in shutting down the site.
University of Melbourne cyber security expert Suelette Dreyfus said it was “very confusing to say it’s not an attack but then to say it’s a DDOS [distributed denial of service] attack”.
“Which is it?” Dreyfus said.
“It’s not a hack attack where someone necessarily breaks into the system. Rather it’s an attack that makes it difficult to use the system.
“It’s a different sort of attack but it’s still an attack.”
About 2.33 million census forms were successfully submitted and stored before the site was shut down at 7.45pm yesterday.
The Government insists no data was lost or compromised, however Privacy Commissioner Timothy Pilgrim will investigate the attacks.
Kalisch insisted the ABS adopted a precautionary and conservative approach.
“The integrity of the census has not been compromised,” he said.
“The online system will be operating as soon as we are assured it is robust and secure.”
Concerns about possible privacy breaches with the census and the decision to keep individual data for four years, as opposed to 18 months, had sparked outrage from privacy groups and some politicians ahead of census night.
South Australian senator Nick Xenophon, who had refused to include his name in the census form, questioned how the public could trust the ABS.
While accepting there was no suggestion people’s personal data had been hacked, he said it was still a “major security failure”.
Senator Xenophon wants a parliamentary inquiry into the census when sittings resume in Canberra on August 30.
SA Greens Senator Sarah Hanson-Young, who had also said she would risk a $180-a-day fine by withholding her name and address from the census, tweeted last night:
If Govt fines everyone who can't do Census (with or without name) because site has crashed, maybe they'll achieve "budget repair" #MyCensus
— Sarah Hanson-Young (@sarahinthesen8) August 9, 2016
Labor wants Minister McCormack to resign and believes a census re-run is not out of the question.
Shadow assistant treasurer Andrew Leigh is furious the Government failed to properly explain its decision to take the national survey online, telling ABC radio this morning: “If you can’t get the census right how can you govern the country.”
He also criticised the Coalition for leaving the position of chief statistician vacant for a year, saying he feared it would now blame the bureaucrats for the site failure.
“What I’m concerned about is that the Government is going to pass the buck,” he said.
The shadow minister warned the quality of the data would be compromised, given many Australians were unable to fill out their forms and will have to do it on another day.
“People will, when they go back to fill it in again, have that sense of anger and frustration and maybe they won’t be as careful and methodical filling out their census for the second time.”
The ABS has said Australians will still have “plenty of time” to complete the census well into September, and tweeted this morning that fines would not be imposed for completing the form after census night.
The census site intrusions will put a spotlight on the Federal Government’s cyber security strategy and the security of government resources online.
The Coalition this year earmarked $230 million in funds to set up cyber threat and intelligence sharing centres and appoint a Cyber Ambassador to lobby for internet security on the international stage.
The Australian Signals Directorate gathers annual data on cyber incidents and deals with thousands each year. In 2013 there were 2100 events record buy the agency admitted many more likely went unreported.
What went wrong with the census:
- 1008 (AEST) Tuesday – ABS detects significant increase in traffic for 11 minutes causing a system outage of approximately five minutes.
- 1019 – Traffic subsides without action from ABS or software contractor IBM.
- 1146 – Another increase in traffic consistent with a second denial of service.
- 1150 – ABS and IBM activate denial-of-service mitigation response plan. Short system outage experienced. ABS decides to maintain a block on all international traffic until midnight.
- 1155 – Incident reported to the Australian Signals Directorate for advice on preventing further incidents and intelligence related threat.
- 1658 – “Modest” increase in traffic defended by ABS network firewalls.
- 1815 – Small-scale denial-of-service attempted but stopped by standard protections.
- 1930 – “Significant” denial-of-service – taking a different form than previous ones – detected. At the same stage a large increase in traffic to the website occurred with thousands of Australians logging on to complete census.
- 1945 – ABS shuts down online form to protect system from further incidents.
- 2010 – Census Minister Michael McCormack’s office notified of outage. He requests briefing from ABS, which is provided within minutes.
- 2032 – Prime Minister Malcolm Turnbull notified, followed by Treasurer Scott Morrison.
- 2038 – ABS tweets that its websites, including the census, are “experiencing an outage” and it is working to restore the service.
- 2050 – Online form system restored but overload protocols activated to prevent connections until system integrity can be assessed.
- 2259 – System restored but not brought online “as a precaution”. ABS tweets the census website won’t be restored on Tuesday night. It reassures people they won’t be fined for not completing the form that night.
Local News Matters
Media diversity is under threat in Australia – nowhere more so than in South Australia. The state needs more than one voice to guide it forward and you can help with a donation of any size to InDaily. Your contribution goes directly to helping our journalists uncover the facts. Please click below to contribute to InDaily.