The conduct of the 2016 census
The reference date for the 2016 census was 9 August. On this date,
millions of Australian households paused to complete their census forms.
Unfortunately, for many people, the evening was one of frustration as the
website and phone systems put in place failed.
This chapter begins with a summary timeline of key events between
9 and 11 August 2016, before going on to discuss the failure of
the eCensus website, problems with the telephone service, and the subsequent
actions and conduct of census field officers.
Failure of the eCensus
This section provides a timeline of the events surrounding the failure
of the eCensus website, and then considers the causes and response to this
During the morning of 9 August, the ABS experienced two Distributed Denial
of Service (DDoS) attacks resulting in very short outages. During the second attack
the 'Island Australia' protocol—IBM's chosen DDoS defence—was enabled. This
measure successfully stopped the attack and 'the ABS was of the understanding
that the online form would now be protected from any further attacks'. A third attack
in the afternoon was repelled without any loss of service.
At approximately 7.00 pm, the eCensus website had already successfully
processed over 1.8 million household forms and was running at 7 167 forms per
minute, with demand growing in accordance with ABS modelling. Commencing at 7.28 pm a
fourth DDoS attack occurred resulting in the website being unavailable from
At the time of the attack, the ABS and IBM observed a spike in outbound
traffic in the IBM monitoring systems, prompting concerns that the system may
have been compromised and experiencing data leakage. IBM reported:
[The] 7.27 pm DDoS attack also caused one of the mechanisms
used by IBM to monitor the performance of the eCensus site to miscarry. As a
result, some IBM employees who were observing the monitor mistakenly formed the
view that there was a risk that data was being exfiltrated from the website and
that the risk needed to be further investigated. Out of an abundance of
caution, IBM shut down access to the site and assessed the situation.
IBM attempted to reboot its system at 7.43 pm but was unable to restore
The committee heard that IBM had incorrectly configured at least one of the two
routers it had in place.
When the routers were restarted the link to the Telstra network did not load
its previous configuration; this left only the third party provider, Nextgen's
link in place, and that link was consumed by DDoS traffic.
At the request of the ABS, IBM enabled 'overload' controls at 8.09 pm
which prevented Australian households from commencing new census forms.
The Minister for Small Business, the Hon. Michael McCormack MP, was
provided an initial briefing by the Australian Statistician at 8.26 pm. At 8:38pm the
ABS published a message through social media channels informing people that the
census website was experiencing an outage, and at 8.50 pm, the ABS requested
Dentsu Mitchell—a consultancy providing advertising for the census—cease
all social and digital advertising.
The ABS was informed that advertising would cease by approximately 9. 40pm.
IBM was able to successfully restore the online census system at 10.26 pm.
At this point the ABS stated that it would have been possible to make the
eCensus available to the public again. However, the ABS elected to keep the
eCensus system closed until: it had understood the unanticipated spike in
outbound traffic earlier in the evening; was sure it could defend against
future DDoS attacks; and was sure that the infrastructure was robust including
the routers which had experienced issues.
At 10.59 pm, the ABS posted updates to social media stating that the
eCensus service would be unavailable for the remainder of the evening, and that
an update would be posted in the morning.
It was reported to the committee that in the early hours of the morning,
'the ABS and IBM conclusively determined that both the outage was caused by an
overseas-based DDoS attack and that no data was lost'.
The ABS published a statement on 10 August explaining what had occurred
the previous day:
The 2016 online Census form was subject to four Denial of
Service attacks yesterday of varying nature and severity.
The first three caused minor disruption but more than 2
[million] forms were successfully submitted and safely stored.
After the fourth attack, just after 7.30 pm, the ABS took the
precaution of closing down the system to ensure the integrity of the data.
On the morning of 11 August, the Australian Privacy Commissioner
announced that he was 'satisfied that personal information was not
inappropriately accessed, lost or mishandled'.
At 1.16 pm, the Australian Signals Directorate (ASD) notified the ABS
that IBM 'had taken all steps that could reasonably be taken in the time
available to mitigate denial of service attacks similar to those that occurred
on 9 August'.
At 2.29 pm on 11 August, the system was reopened to the public.
What was the
cause of the outage
The cause of the suspension of the eCensus website on 9 August was the
ABS taking the deliberate decision to prevent households from logging
onto the website. This decision was precipitated by a DDoS attack that was not
adequately protected against, and was of such a small size that it should have
easily been handled effectively. As explained by the Special Adviser to the
Prime Minister on Cyber Security, Mr Alastair MacGibbon:
There were indeed attacks, they should have been expected,
they were expected, protection against them was contracted for—and these were
definitely small attacks and they should not have degraded the ABS system. But
it was not the denial-of-service attacks that actually eventually took the ABS
e-census website offline. That was a decision made by the ABS, and there were
two other critical components in there. The denial-of-service attacks that
degraded the system, the attempts by IBM in turning the routers off to
re-communicate with their data centre—finding that they had misconfigured the
router at the Telstra end of the link—and then, in a sense, the final straw
that broke the camel's back was the misinterpretation of data on a
load-monitoring system, which was interpreted at first as possibly the
exfiltration of data—or, an actual hack, as opposed to an attack.
The influx of traffic to the IBM routers appear to have caused a
malfunction within the internal monitoring of the IBM system:
During the fourth attack, a system monitoring dashboard,
which included a graph of inbound and outbound [Internet Service Provider]
traffic to the eCensus site, showed what appeared to be a spike in outbound
traffic. This caused some IBM employees to, it is now accepted mistakenly, form
the view that there was a risk of data egress from the eCensus site. In fact
there was no data egress and the spike was a 'false positive'.
Due to fear that a recorded spike in outbound data traffic from the
eCensus system represented a potential data leak, the ABS decided to
temporarily close access to the website.
What is a DDoS
IBM provided the committee with an explanation of how DDoS attacks
A denial of service attack is a malicious attempt to make a
system unavailable to its intended audience by overloading servers with
requests to render it unavailable or causing it to shut down.
A denial of service attack is typically accomplished by
flooding the targeted machine or resource with superfluous requests in an
attempt to overload systems and prevent some or all legitimate requests from
A 'distributed' denial of service or DDoS attack occurs where
the attack source has multiple unique IP addresses or 'nodes'. It is typically
achieved by using a 'botnet', being a group of internet-connected devices on
which malware has been installed so as to enable the devices to be controlled
from a remote location without the knowledge of the devices’ owners. A DDoS
attack may be regarded as analogous to a group of people crowding the entry
door to a business and not allowing legitimate customers to enter, thus
disrupting the business’ normal operations.
The effects of denial of service attacks include slower
network performance (opening files or accessing websites), or the
unavailability of a particular website, or an inability to access any website.
Denial of service attacks are therefore directed towards the performance or
availability of a website.
DDoS attacks are neither new nor unusual. The committee heard that it is
commonplace for government websites to regularly experience denial of service
attacks which are routinely managed without interruption to services.
It is unclear if the eCensus website experienced further DDoS attack
attempts following restoration of the system. IBM informed the committee that
there were further DDoS attacks which were successfully defended. In contrast,
the ABS claimed to be unaware of any further attacks. The perpetrators of the
DDoS attack remain unknown.
What plans were put in place to
The ABS was aware of the threats posed by a prospective DDoS and had
contracted for measures to be put in place to mitigate them. The committee
heard that DDoS events are routine occurrences, and are also routinely managed
Denial-of-service attacks, or distributed denial of service
attacks, are eminently predictable and should be expected. In fact, the
Australian Bureau of Statistics did call for denial-of-service protection in
its tender process with IBM, and IBM responded to say that they would put in
place denial-of-service protection. So yes, it is expected, and it should be
There were indeed attacks, they should have been expected,
they were expected, protection against them was contracted for—and these were
definitely small attacks and they should not have degraded the ABS system.
The risks of DDoS attacks were included in the risk management plan for
the 2016 census, with the ABS reporting:
In the final risk management plan (July 2016), one of the
risks was 'Loss of system availability through a Distributed Denial of Service
Attack'. This risk had pre-mitigated exposure rating of 'high' and a residual
exposure of 'medium'. Under the plan, IBM was responsible for mitigating this
risk, with ISP measures of Island Australia (geoblocking international traffic)
a key measure.
IBM states that it met its requirement to provide DDoS protection
through the 'Island Australia' policy.
IBM explained how this mitigation strategy would work:
The protocol was an ISP-based DDoS attack mitigation strategy
which required the ISPs who provide access to the eCensus site to block or
divert all international traffic to the site at the direction of IBM. Such
blocking is known as 'geo-blocking'. The protocol was to be deployed in the
event that a DDoS attack occurred.
The Island Australia protocol, while not a form of protection
that is appropriate for websites with users who are widely distributed, was well-adapted
to the 2016 eCensus because it took advantage of the fact that the Census form
was required to be completed (during the Census period) only by persons who, on
the Census Day, were physically present in Australia. Accordingly, with some
exceptions, legitimate traffic to the eCensus site could be expected to be
domestic to Australia.
IBM tested the Island Australia protocol on 5 August 2016 and reported
to the ABS that it had 'worked exactly as expected'. IBM reported that the
success of this test gave them a high level of confidence that appropriate DDoS
mitigation measures were in place:
IBM considers that, following the testing on 5 August 2016,
it had every reason to think that Island Australia would provide effective
protection against DDoS attacks if needed.
While preparing for the eCensus, IBM 'considered other possible options
for the defence of DDoS attacks'.
IBM examined other products offered for DDoS protection yet concluded that
these services would not be suitable for the 2016 eCensus 'because of the
unique traffic profile it was expected to generate'.
In July 2016, the ABS and IBM received a briefing from ASD on cyber
threats and incident response support. The ABS recalls:
The potential for DDoS attacks was discussed, as were general
mitigations for a range of threats. ABS does not believe that any new areas of
concern were raised, nor were there any suggestions of potential mitigations or
additional preparations that were not pursued.
The failure of
IBM anticipated, and assured the ABS, that Island Australia would
prevent international traffic from reaching the eCensus website, thereby
ensuring that international traffic could not be used for a DDoS attack.
The internet is a network of networks, and in order to allow public
access to a webpage, a company like IBM must pair with internet service
providers (ISPs) to link the IBM network to the rest of the internet. Public
access to the eCensus site was provided via two ISP links, one provided by
Telstra Limited (Telstra) and the other by Nextgen Networks Pty Ltd (Nextgen). If a serious
DDoS attack occurred during the census collection period, IBM would direct
Nextgen and Telstra to put in place Island Australia. These ISPs would prevent
the malicious traffic from reaching the IBM network processing the census data.
When a household attempted to fill in the eCensus the message needs to
move from their home to the final destination; which in this case is IBM. In
order for this to be possible, there needs to be a path along the networks of
the internet from an origin and the destination. Suppose Alice wants to
complete her eCensus. Alice's personal computer (A) would speak to her router
(B), which would send a message to a router (C) operated by her internet
service provider. That router (C) would try and pass the message to a router
(D) owned by—in this case—either Telstra or Nextgen which have a direct link to
the destination—IBM. If no such router can be found, it (C) would pass the
message onto another network's router (E) which would attempt to pass the
message onto a router (D) on the desired network. Once the message finds the
correct network, the message will be delivered to IBM.
Under the Island Australia protocol, if any of the routers belonging to
Telstra or Nextgen received a message that was addressed to the eCensus and sent
from an international router (ISP), that message would not be processed.
Commencing at 7.28 pm, a DDoS attack began eroding the capacity of the
system. The size of the attack was estimated to be around 1.5 gigabits per
The attack reportedly had the effect of commencing new sessions which quickly
exhausted the memory capacity of the IBM's router facing the Nextgen link. Mr MacGibbon
noted that this attack was a '...weapon but a small one and one that we should
have had protections against, absolutely' and '[it] certainly should not have
caused the damage that it did'.
IBM alleges in its submission that Nextgen failed to properly implement
the Island Australia protocol which allowed traffic to flood the IBM system:
IBM was informed–later that day after the attack had
passed–that a Singapore link operated by one of Nextgen's upstream suppliers
(Vocus Communications or Vocus) had not been closed off and this was the route
through which the attack traffic had entered the Nextgen link to the eCensus site.
IBM contends that had Nextgen properly implemented Island Australia the
eCensus website may not have become unavailable:
Had Nextgen (and through it Vocus) properly implemented
Island Australia, it would have been effective to prevent this DDoS attack and
the effects it had on the eCensus site. As a result, the eCensus site would not
have become unavailable to the public during the peak period on
9 August 2016.
Nextgen disputed this allegation, noting that they had implemented the
same settings as IBM had successfully tested on 5 August 2016, and that their
analysis demonstrated that both the Telstra and Nextgen links showed DDoS
traffic during the fourth attack.
(Vocus) informed the committee that it recorded a peak traffic load through the
Singapore link of 563Mbps. Vocus' submission states that this 'is not
considered significant in the industry' and 'not of a size to cause the census
website to become unresponsive, had appropriate network security measures been
implemented by IBM'.
As previously discussed, IBM had two routers in place to facilitate
Australians filling in their eCensus forms. Each router alone had sufficient
capacity to transfer all of the anticipated legitimate census traffic.
Representatives of the ABS, in a foray into biology, explained:
At this point we knew we could operate with one router. We
knew the system was designed to have sufficient capacity...I would say it is a
bit like functioning on one kidney, but you do not really want to when you have
Even though IBM reports that all of the DDoS traffic was coming through
the Nextgen link, both routers appeared to be experiencing an unusually heavy
This heavy load adversely affected IBM's internal system monitoring the
flows of data in and out of the network, eventually resulting in erroneous
telemetry from automated monitoring systems that would lead to the eCensus
website being disabled. As IBM explains:
IBM’s investigations have revealed that the false positive
reading occurred because the system was programmed to measure and report the
traffic volume of the eCensus site at 60 second intervals. Once the fourth DDoS
attack was underway, the information was being reported for varying intervals
but the dashboard was treating the information as though it had applied the
standard 60 second interval. This resulted in an incorrect graphic creating the
impression that there had been a spike of outbound traffic that could be data
This spike was what led IBM and the ABS to fear census data was being
exfiltrated from the system. It has been suggested that the elevated data flow
was IBM's computer system reporting performance information and logs to an
offshore data centre.
The DDoS attack had the effect of consuming the memory of the routers
meaning they were unable to properly process requests. In order to restore the
system to functionality, IBM reset the routers. When they did this, the router
on the Telstra link did not restore its settings, meaning that the only link to
the eCensus website was the Nextgen link which was subject to the DDoS attack. Mr MacGibbon
explained the problem on IBM's Telstra router:
I think the biggest issue was that the router that was at the
Telstra link was incorrectly coded by IBM, so when it was turned off the coding
fell out, for want of a better description, from that router and it made it a
'dumb unit'. The time it then took to get it back up to scratch is where the
IBM reports that it took one hour and twenty minutes to restore the
Telstra link. Once the Telstra link was restored IBM reports closing the
Nextgen link. IBM states that at this point there was an immediate drop in
attack traffic and a resumption of normal application behaviour. IBM reports
that it was ready to restore the eCensus at 10.32 pm, approximately three hours
after the site had become unresponsive.
In summary, a DDoS attack adversely affected the operation of the
routers' reporting system. When this reporting system displayed several
minutes' of data at once—rather than the typical 60 second increment—it ignited
fears that the system had been compromised. Further, IBM were unable to
effectively reset their router to the Telstra network due to configuration
errors. These two events, precipitated by the DDoS, led the ABS to take the
decision to take the eCensus website offline. The combination of the three
events ultimately led to the eCensus being unavailable. Mr MacGibbon
Anyone of those three things not existing—if there were no
denial-of-service attacks or if they were properly mitigated—we would not have
had the other two problems. If we had had the unmitigated denial-of-service
attacks but the router had functioned properly, we would not have had the third
problem, and we would not have had the third problem if the people that were
monitoring the system properly interpreted the system, which was functioning
oddly given the nature of the stresses that it was under, based on the first
two points. So any one of those in isolation was not really sufficient to lead us
to this committee today, some months later. It was the three combined that led
The natural question this raises is was the preparation and protection
by IBM and ABS sufficient?
Were the protections put in place
by IBM sufficient?
The events of the evening of 9 August would imply that mistakes were
made in the preparation and execution of the DDoS defence. The IBM submission
argues that Island Australia was approved by the ABS as a means of defending
against DDoS attacks.
It appears that IBM and the ABS were in agreement that any botnet in Australia
was of insufficient size to cause serious damage to the eCensus website, and
therefore geoblocking would be sufficient.
However, Island Australia geoblocking was not the only option available
to IBM in meeting its contractual obligations in ensuring resilience in the
face of DDoS attacks. This report has already canvassed why Island Australia
was thought by IBM to be sufficient.
It was put to the committee that Nextgen had raised concerns with IBM that
the Internet Protocol (IP) ranges that IBM planned to block were not
exhaustive, and that Island Australia may not adequately protect the eCensus.
The committee heard that Nextgen offered IBM DDoS protection which was
rejected by IBM.
IBM claimed that the Nextgen solution was not fit for purpose:
We looked at and considered the DDoS protection that was
being offered by Nextgen and, on the basis of the information that they
provided, there were three distinct attributes that we felt rendered it
unsuitable. The first concern was that Nextgen advised us that it required a
four-week training period to learn the particular traffic patterns that would
be coming into the site. We did not have a four-week lead-in period during
which to learn the traffic patterns. And the traffic pattern in the weeks leading
up to census night is not at all representative of what we experience on the
The second concern, which we discussed with Nextgen in
advance of the RFT response being submitted in 2014, was the ability of their
solution to deal with that very high peak we experience on census night and
whether it in fact might be interpreted as a DDoS attack, and that they share
that concern with us. The third was one related to the specifics of the
application and the way we were doing load balancing to distribute the load
across multiple back-end process streams. There was a concern early on in the
process that the Nextgen protection approach might interfere with that load-balancing
mechanism. So for those three reasons we felt that the geoblocking was a very
well adapted solution for the particular characteristics of the traffic, and it
is one which we had experience of in 2011, with both Telstra and Optus, that
they could very effectively and easily implement, so we chose that as our
Evidence received by the committee indicates that the Nextgen solution
was adopted after the resumption of the eCensus, casting doubt on explanations
of why it would have been unsuitable before 9 August made by IBM. IBM claims
that the adoption of the Nextgen DDoS products following the resumption of the
eCensus was in response to a changed threat environment where it had become
public knowledge how the eCensus was being defended.
The choice of geoblocking as the sole means of DDoS protection is
interesting given a number of technical considerations related to the eCensus:
There were some technical problems in that some Australians,
with Australian-based ISPs, will also route in from overseas, just by the
nature of the ways in which those ISPs operate. In fact, the password reset
facility that IBM used actually relied on traffic coming in from overseas to
give Australians that password. So there was a fundamental failure in the logic
of an Island Australia. I could see it as part of a series of protections adding
some value, but to rely solely on it clearly was a failure.
Given that the eCensus system itself relied on communications from
outside Australia, the proposal to protect the application by blocking this
traffic appears curious.
It was pointed out to the committee that there was sufficient redundancy
built into the system by having two ISP links. Had the Telstra router been
properly configured such that when it was restarted it worked properly, the
problems experienced on 9 August would likely have been avoided.
IBM admitted that, in hindsight, further testing of the router would
have uncovered the configuration error before it become an issue on census
But we tested that router failure by simulating it, which is
relatively easy to do in a repeatable fashion. If we had our time again, we
would probably do a hard, powered-off powered-on test of that router. That
would have discovered earlier that we had that reboot and configuration loading
There appeared to be some confusion on census night regarding what had
actually happened with the router, with the ABS being initially under the
impression that the router on IBM's Telstra link had suffered from a hardware
Mr MacGibbon highlighted that the greatest failure on the part of IBM was
that they did not check that Island Australia had been properly implemented by
IBM informed the committee that, with hindsight, they would have sought greater
certainty that their geoblocking protocols had been correctly implemented by
IBM claims that they assumed that all of their contractors had the
ability to implement their instructions:
We as the prime contractor dealt with both Telstra and
Nextgen as our ISPs and expected them, as large internet service providers, to
be able to implement those instructions correctly.
The committee is not in a position to determine the relative truth of
where any fault lies between IBM and its contractors. Mr MacGibbon explained
the situation between the parties nicely:
The Commonwealth, in this instance, was the customer. The
customer went to a builder to build a house. There were blueprints put before
them as to what that house would look like, and the Commonwealth, as the
customer, paid money to the builder to build the house. The builder is now in
dispute with a plumber and a bricklayer about what was or was not done in
relation to the deficient house. IBM, of course, being the builder and Vocus
and Nextgen, when you look at their responses, being the plumber and the bricklayer...I
cannot determine who is right and who is wrong. What I will say is that as the
customer the Commonwealth was not well served.
Extending on this example, the taxpayer has bought a house off the plan
with a sinking foundation and cracks in the walls: they can feel rightly
Did the ABS
have too much trust in IBM?
The ABS had contracted IBM to provide DDoS prevention measures, and IBM
assured the ABS that this was done.
The ABS can rightly say that they expected the eCensus to be secure and stable
in the face of threats:
Senator HUME: Were you surprised by the extent of the
disruption caused by the DDoS events considering on a relative basis they did
not seem to be particularly large?
Mr Kalisch: We were certainly surprised that the
system was vulnerable.
Senator HUME: And you were assured, I assume,
beforehand; otherwise, you were assured that it was invulnerable?
Mr Kalisch: We were assured that that system was robust
and was ready to go to a range of different attacks and mechanisms, not just
It was suggested to the committee that the ABS showed too much trust in
IBM and was not sufficiently proactive in ensuring that IBM was meeting their
In many respects, while I will say to you that this was a
failure to deliver on the contractual obligations that IBM had, there was a
failure on the part of the ABS to sufficiently check that the contract had been
delivered. That could have been achieved through more thorough assessments of
the work done for them by IBM and their subcontractors.
Mr MacGibbon suggested further that the ABS could have been more
proactive in overseeing the implementation of the eCensus project to ensure
that all contractual undertakings were being fulfilled:
If I understand your
question correctly, if they had engaged IBM, could they have verified that they
were building the system that they were contracted to do? Yes, they could have.
They could have had more third-party testing done. They may have asked more
questions of IBM to provide proof that they were delivering the services they
were contracted to do.
The committee heard that the close relationship between the ABS and IBM
could be interpreted as 'vendor lock-in', and that such relationships risk
complacency in project management:
Mr MacGibbon: ...In relation to whether IBM was the
natural choice—and I did hear the questions from the committee earlier—I do
believe there was a degree of vendor lock in—that they were a trusted partner
that had established a relationship over many years and were seen as the
natural choice by the ABS to deliver upon the project. Whether that is right or
wrong is really for others to decide. But certainly I came to the conclusion
that there was a degree of vendor lock in there.
CHAIR: There are risks associated with that type of
closeness of relationship.
Mr MacGibbon: I would not be here in front of you
today if those risks were not real.
This view is supported by the findings of the CapDA report—commissioned
by the ABS to consider options in delivering the eCensus system—which reported
that some prospective solution vendors believed that the ABS would not move
away from IBM:
Whilst the market scan revealed there are some potentially
capable suppliers interested in bidding for this work and thereby generating
competition, there were also substantial reservations expressed as to whether
ABS would genuinely consider alternatives to IBM.
One of the reasons cited by the ABS for partnering with IBM was their
previous experience working with ABS systems and on the Censuses. As explained
to the committee, the ABS assumed that IBM were familiar with their
There was considerable clarity as to our requirements and
their contractual obligations to meet those. We were building on our experience
with two prior censuses, so they [IBM] had an excellent understanding of what
we needed. So I do not think that there was any lack of understanding leading
up to the census.
This assumed familiarity may have contributed to a level of complacency
in project management on the part of the ABS, and in the priority which IBM
gave the project. The ABS could have been more proactive in ensuring DDoS
protection was in place. Whereas the ABS contracted third parties to undertake
load testing and code reviews, IBM was left to test their own DDoS prevention
solution. It was suggested that an external party might have uncovered the hole
in Island Australia that was not revealed through IBM's internal testing. It has not
been explained to the committee why IBM's testing showed Island Australia to be
effective on 5 August, but was later to fail on 9 August.
The committee heard that the ABS did not undertake an Information
Security Registered Assessors Program (IRAP) assessment. An IRAP assessment
assesses the implementation, appropriateness and effectiveness of an
information security system's security controls. As explained by Alastair
The IRAP process is a process designed for third parties that
are certified by or accredited by the ASD to come in and look at the
architecture of systems—the schematics, for want of a better description—to
ensure that they meet the information security requirements of the Commonwealth
depending upon the level of security and protection needed in those systems. I
would describe it as a compliance assurance process that should not be relied
upon for all of IT security but is a practice that is necessary for ensuring
that systems at least meet certain standards.
The committee was further informed that it is not possible to know
whether an IRAP assessment would have uncovered the flaws that allowed the DDoS
attack to affect the eCensus.
The relevant consideration here is whether the ABS should have had taken
a more proactive oversight role in relation to the eCensus, and also whether
they had the capacity to do so. CapDA's report that recommended the ABS partner
with IBM was, in part, premised on the fact that ABS lacked the internal
capacity to deliver the eCensus without outside assistance:
CapDA's report, as you are aware, noted that we did not have
sufficient in-house capacity to run that application ourselves and that we
would need to look at procuring an external partner to host that application.
CapDA's report highlights the professionalism and dedication of the
staff at the ABS, but in the end recommends that the ABS did not have the
internal capacity to develop and deploy an eCensus. If they did not have the
ability to develop a solution themselves, it stands to reason that they would
only have a limited capacity to question and challenge a contractor employed to
develop such a solution.
Why did it
take so long for the eCensus to resume
The eCensus website was offline for over 40 hours; from around 8.00 pm
on 9 August to approximately 2.30 pm on 11 August. The committee heard that
IBM was ready to resume collecting eCensus forms on the night of 9 August, but
that the ABS wanted to ensure that the security of the eCensus application
before proceeding further:
As the protection of personal information was paramount for
all concerned on census day, a cautious approach was taken by IBM, the ABS and
ASD to ensure and verify that data security was never compromised before the
site was restored. IBM was ready to restore the eCensus site after three hours,
around 10.30 pm, but its closure was extended by 40 hours, following a
direction given to IBM by the ABS.
The committee heard that the ABS wanted to ensure that the eCensus
website was no longer vulnerable to further DDoS attacks, that additional
backups were in place, and that no data had been compromised before reopening
the eCensus website. As the Australian Statistician explained:
There were three particular aspects that we wanted to be
satisfied about. One was about the security of the data which, as we say, was
something that we were assured of after three am the next morning. The second
aspect was really related to the nature of the router and that there was a
working contingency, and that was something that was still the subject of some
discussion on the following morning and through the following day. The third
aspect was that—certainly against the backdrop of the system being vulnerable
to a DDoS event on the night before—I wanted to be as sure as we could be that
it would not be vulnerable to a second DDoS event. And so that was where there
was further engagement with ASD—and Telstra certainly assisted in that process
as well—making sure that there were a number of additional protections put in place.
Mr MacGibbon expressed his support for ABS' approach in delaying the
resumption of the eCensus until satisfied that all faults had been rectified,
There would only be one thing worse than the site being taken
down that evening after those four denial of service attacks, and then the
confusion around the router and the outbound traffic, and that was to get the
site back up and have it knocked back down again.
Once the ABS was satisfied that the system was secure and robust, the
Australian Statistician ordered that the eCensus website be reopened; the
eCensus was back online at approximately 2.30 pm on 11 August.
Was any personal data at risk?
The eCensus website was shut down due to fears that personal information
might be compromised. As discussed above, at around 7.30 pm there was an
observed elevation of outgoing data from the eCensus website. Fears that this
traffic representing personal data led to the website being shut down.
The system developed by IBM for the 2016 eCensus employed a range of
measures to prevent any loss of data.
IBM explained to the committee that:
In terms of the primary security objective here of protecting
respondent data, we had encryption mechanisms in place to ensure that the data
was fully encrypted while it was in transit—in flight from the respondent to
the census site—and that it was encrypted while at rest and stored within the
backend of databases. IBM does not have the keys to be able to decrypt that
data, so we have not and have never been at any point able to see any of the
respondent data that is stored on our systems. So encryption is the primary
mechanism that ensures the integrity and protection of the data from external
These keys are in the possession of the ABS and are necessary to extract
any meaningful data from the census forms.
The ABS reported to the committee that they were confident that eCensus
data had been secure at all times:
I have to say I was confident all along that there was no
breach, because of the nature of the security architecture. We had end-to-end
encryption; we had had the architecture well reviewed. So the problem was that
we could not explain this—as it turned out—false positive alert, and IBM could
not explain to us what it was. We felt it was extremely important that we be
able to assure the Australian public that our faith in our security was well
The Australian Privacy Commissioner and Acting Australian Information
Commissioner 'received the necessary assurances [he] required to be satisfied
that the personal information being collected as part of the 2016 census was
The Special Advisor to the Prime Minister on Cyber Security was also clear that
no data was at risk:
There has been no dispute with any party that no data was
lost from the census, and there is agreement that there was encryption from end
to end and that the ABS held the keys to decrypt.
Evidence to this inquiry from parties involved with either the events or
the investigation on 9 August 2016 are all in agreement that no personal data
was incorrectly accessed or released.
It goes without saying that the eCensus website should have had the
capacity to withstand what was a relatively minor attack. IBM designed the
system so that even if one link was disabled, the second should have been
sufficient to carry legitimate traffic and continue processing census forms.
Criticisms made with the benefit of hindsight must necessarily be
tempered, but there appears to have been significant and obvious oversights in
the preparation of the eCensus. IBM's failure to have tested a router restart,
or have a backup synchronised and in place, appears to have been significant
contributing factors to the failure of the eCensus on 9 August. Further, the
appropriateness of Island Australia must also be questioned given that some
components of the eCensus—such as password resets—required access to
international servers. Although it is impossible to say with certainty and
hindsight what would have been had the ABS made different decisions, allowing
IBM to undertake their own testing and the failure to complete an IRAP
assessment appear to be significant oversights in project management.
The ABS' primary consideration during the period under discussion was to
complete an accurate census of Australia. As discussed in preceding chapters,
community trust is a central ingredient of a reliable census, and the ABS has
repeatedly said that information security is one of its primary objectives. In
light of this—and the information available to the ABS through the IBM
monitoring system— the decision taken by the ABS on the evening of 9 August to
close access to the eCensus website appears to be justifiable, understandable,
and entirely correct.
A narrow focus on the events of August risks treating the symptoms and
ignoring the disease. Questions regarding the validity of the ABS' actions
should be focused on the years and months before the 2016 census when the
decisions were made that would manifest themselves on 9 August 2016. The confirmation
that the census would proceed, the delayed development of an eCensus solution,
the use of a limited tender and the erosion of internal capacity to adequately
oversee the development of the eCensus are all serious concerns that may
contributed to the events of 9 August 2016.
The committee expected that the 2016 census would be
subject to the two-pass ICT Investment Approval Process (IIAP) outlined
by the Department of Finance. The census project had lifetime ICT costs
over $10 million once IBM, UXC Saltbush and Revolution IT contracts were
taken into account. Further, as recognised by the ABS, the 2016 census was a
high risk project.
The ABS told the committee that the Department of Finance determined in
October 2012 that the 2016 census was not required to complete to the IIAP.
In answers to questions on notice, the Department of Finance noted that the
project did not meet the criteria for inclusion in the IIAP.
The committee notes that the ICT Review document recommending tendering for the
eCensus was not completed until May 2014. The committee considers that the IIAP
is in need of review to ensure that:
projects such as the 2016 census fall within scope;
the Department of Finance re-assesses projects at a later date if
the splitting of contracts is not a mechanism to skirt whole of life
cost limits included in the IIAP.
The committee makes no suggestion that the Department of Finance acted
inappropriately or that the ABS split contracts to minimise value-based
The committee also notes that the responsible Minister has not taken
responsibility for the outcomes of the 2016 census. The committee calls on the current
Minister, on behalf of the government, to take responsibility for the
shortfalls in oversight that have been revealed through this inquiry. While
many parties have not lived up to their responsibilities in delivering the 2016
census, the primary responsibility lies with the government.
The committee recommends that the Australian Government commit the
necessary funding for the 2021 census in the 2017–18 Budget.
The committee recommends that the ABS conduct open tendering processes
for future census solutions requiring the participation of the private sector.
The committee recommends that the ABS give greater attention to
intellectual property provisions in contracts that include licensing and
The committee recommends that the 2021 eCensus application be subject to
an Information Security Registered Assessors Program Assessment.
The committee recommends that the ABS take a more proactive role in
validating the resilience of the eCensus application for the 2021 census.
The committee recommends that the Department of Finance review its ICT
Investment Approval Process to ensure that projects such as the
2016 Census are covered by the cabinet two-pass process.
The committee recommends that the Australian Government provide
portfolio stability for the ABS.
The committee recommends responsible ministers seek six-monthly
briefings on the progress of census preparations. These briefings should cover
issues including, but not limited to, cyber security, system redundancy,
procurement processes and the capacity of the ABS to manage risks associated
with the census.
Census Inquiry Service
In addition to the eCensus website suffering a prolonged outage, the
telephone-based Census Inquiry Service (CIS) also buckled, but this time under
the demands of the community. As the ABS explained:
Due to a range of factors including public concerns regarding
fines that had been unprompted by the ABS, faster than expected postage of
approach letters and a general high awareness of the Census, the CIS
experienced unprecedented demand that greatly exceeded ABS forecasts. The unavailability
of the online Census on Census night significantly exacerbated the number of
calls. This led to significant ‘call blocking’ and inconvenience for
Australians both in the lead-up to and on Census night. We apologise for this,
and the ABS will take account of this experience in planning future Censuses.
The ABS reported that the demand forecast for the 2016 census was
1.6 million calls, compared with 1.04 million calls received for the 2011 census. The committee
heard that by 8 September 2016 there had been 3.2 million attempts to call the
CIS, of which 1.1 million had been answered. In addition there were
1.6 million calls to the automated inquiry service, of which
0.9 million were handled electronically.
The ABS outlined their strategy for dealing with excess demand should it
It was decided that the strategy for managing excess calls
would be to politely request that callers call back later if the queues are at
capacity, rather than provide callers with long wait times. This strategy is
known as call blocking.
The ABS submission concludes: 'The use of call blocking meant that 90.8
[per cent] of callers that got through to the CIS had their calls answered
within 5 minutes'.
For the approximately one-in-three people who managed to make it onto the phone
queue, the wait was relatively short.
Some submissions reported that people were unable to request a paper
form in a timely manner due to excess demand on the CIS, meaning that their
paper forms arrived well after 9 August.
Other submitters reported that their request for paper forms was not processed
correctly or in a timely manner.
It was pointed out to the committee that households that do not have a
telephone or internet connection would not have had any way to complete their census
or obtain a paper form in 2016: a challenge that was previously circumvented by
the physical delivery of paper forms to every household. These households were
likely followed up by Field Officers at a later date.
The problems affecting the telephone service were of particular concern
to vision impaired Australians who were required to contact the telephone
system in order to access the 12-digit code for the census, clarify information
about the accessibility of the online forms, or request the census in an
The Science Party also expressed concern that the unavailability of both the
eCensus and CIS may adversely affect the response rate to the census.
It was put to the committee that having to request a paper form via a
telephone service added an additional unnecessary step that households had to
complete in order to undertake the census.
ID Consulting, an Australian based demographic consultancy, argued that:
There is a large segment of Australia’s population who would
prefer a paper Census form (particularly older residents), but the phone lines
were jammed and these households were unable to get through. In any case asking
a household to ring up to enable them to respond to the Census in their
preferred way creates another level of impediment to responding and reduces the
The committee heard that community perceptions that the census had to be
completed on the night of 9 August or face a fine added to general frustration
Vision Australia, for example, told the committee:
Vision Australia spoke to people who were deeply distressed
by the lack of information available; their anxiety was exacerbated by the
threat of fines for not completing the Census on time. The abrupt message left
on the service that people should call back later only added to this confusion.
Vision Australia recommended that future Censuses should feature a
dedicated, separate telephone service for people who require alternate formats
or assistance to complete the census.
The committee recommends that the ABS consider establishing a dedicated
telephone assistance line for people who require special assistance in
completing the census.
Development, delivery and collection of census forms and materials
In June 2014, the ABS signed a Memorandum of Understanding with
Australia Post to support the 2016 census.
The ABS explained that Australia Post's mail service was used to deliver and
return required materials from the majority of households. Households that were
going to respond online received a log-in code via the post, and households
that requested a paper census form would have delivered and returned that
information via the post.
In preparing for the 2016 census, the ABS attempted to anticipate local
needs by tailoring delivery to area needs:
In some areas of Australia, where the postal service was
likely to be unsuitable or insufficient address information was known, Census
Field Officers delivered materials to each dwelling, enabling residents to
either complete their form online or mail back a paper form. In other areas
where a high proportion of residents were expected to need to complete the
Census form on paper, all households were delivered paper forms in addition to
Despite the relative surety of the mail system in Australia, some
submissions claimed that residents at certain addresses were not provided with census
information. One such example related to the committee states:
We know of one elderly person in our community, whose address
was apparently not listed by the ABS, who did not receive the letter at all,
and had to go to extraordinary lengths to obtain the census questionnaire form.
The person has lived at that address for 48 years and reports having had no
difficulties in receiving previous census forms and completing them.
It was put to the committee that the correspondence from the ABS with
the log-in codes for the eCensus had the appearance of junk-mail and may have
been discarded by some residents.
From the perspective it of survey design, ID Consulting observed:
Lack of personal contact with a collector on delivery means
households are less engaged with the Census and the mail-out logins were often
ignored or thrown in the bin as junk mail.
The ABS submission highlights the lengths they went to in order to
support the community to complete their census forms:
In partnership with CSIRO, ABS developed and tested the
Census instruction letter, reminder letter and their envelopes to best support the
Australian public undertaking the required actions – completing the Census
online or requesting a paper form. Forty-nine variants were tested through
random control trials, in order to select the best approach letters to
households and reminder letters where completed forms had not been submitted.
The role of field officers
One of the largest logistical elements of the census is recruiting the
large number of Census Field Officers (CFOs) required to assist
households complete the census. Approximately 38 000 temporary staff were
recruited for the 2016 census.
The evidence received by the committee amply highlighted some of the
challenges in conducting such a large project that incorporates new elements
such as the eCensus and form mail-outs. Some submitters felt that the conduct
of CFOs was inappropriately persistent and aggressive. It was reported by one
Field Officers were required to adhere to a strict timeline
for visiting dwellings, with five visits scheduled over three weeks from 26
August to 16 September. Given the context of 'I've got until 23
September', this was seen as tantamount to harassment by many householders, who
resisted what they perceived as unreasonable pressure to comply.
At least one CFO reported to the committee cases where the households
were visited multiple times because of insufficient information sharing.
Others felt that the ABS—as represented by CFOs—were insufficiently
proactive in following up on households.
The committee was told that CFOs in many mail-out areas did not commence their
visits until two weeks after census night, by which time the census was no
longer 'front of mind' for many people.
This appears to be a consequence of the move to a digital first census which
reduced the role for CFO:
The use and approach of reminder letters were planned to
allow half of all Australians to respond to the Census before household visits
were required. Household visits were planned to provide support to any
households that required it, deliver additional materials and remind households
to complete the Census.
Additional concerns raised in submissions included issues such as
insufficient training, an over-reliance on CFOs using personal resources to
ensure the success of the census, and that the information flows between the
ABS and CFOs were insufficient.
As the face of the census in the community, CFOs were the ones who were left to
motivate people to participate in the census following the events of
Navigation: Previous Page | Contents | Next Page