
Over the last couple of days the Australian media has been having a field day at the expense of the Australian Bureau of Statistics (ABS) and their temporarily unavailable online Census.
A cursory glance at any form of social media will have you confronted with the bold trending statement #CensusFail. Creating frustration and a public loss of confidence in the ABS (and by association, it seems, the current government as a whole) may well have been the ultimate goal of whoever was behind the successful Distributed Denial of Service (DDOS) efforts on 9 Aug 16, because this has certainly been accomplished. However, unless the attack is claimed by the cyber-attacker(s) who perpetrated it, it is probable that we will never know.
DDOS is a method used by cyber-criminal threat actors to cause annoyance and hinder businesses and other organizations around the world. Examples of DDOS are rampant and not hard to find with a quick search online; as recently as 17 Jul 16 a DDOS attack rendered several US Congress websites unavailable for three days.
A DDOS attack is not considered a ‘hack’ as such, as it does not in itself try to gain access to, or attempt to interfere with, data contained within a site/system; it is however considered a form of ‘attack’. It simply stops legitimate users from using a service – in this case the Census website. DDOS is also one of the most difficult attacks to mitigate, due to the variety of methods available to attackers and the fact that attacks can be launched remotely so as to appear to come from any number of global locations. So despite the fact that the ABS had reportedly invested significant sums in protecting the Census website, and in testing it for the load that millions of legitimate Census-taking users were expected to place upon it, a DDOS was always going to be a very real possibility.
Despite the obvious disruption, and relying on information made available to date, the actions that the ABS took once the attacks became apparent appear sensible. When so much is at stake, and once control starts to become difficult, isolating the system/taking it offline is sometimes the best method to ensure that the confidentiality and integrity of data is assured.
So far it has been reported that the data was successfully protected, as Prime Minister Malcolm Turnbull is quoted: “I want to assure Australians that the unequivocal advice we have received from IBM, from the Bureau of Statistics, from the Australian Signal Directorate, is that their Australian Census data is safe, it has not been compromised. The site has not been hacked, it has not been interfered with – their data is safe.” This should provide a measure of relief for the Australian public, as the ultimate issue at hand was always going to be the security of the personal data that had been, and was yet to be, collected.
The Census will continue to be carried out once the website is restored; however, one of the key lessons that should be learnt from this is that a proper incident response plan, with an associated communications plan, should be in place to address such scenarios. Initial communications from the ABS referring to ‘hacks’, and advice that users should continue trying to log in ‘15 minutes’ later, only fuelled the anxiety and frustration of the Australian public. Confusion was further increased by conflicting statements from MPs and ABS spokespeople over what had actually happened.
The angst that this experience created can only assist cyber threat actors in achieving their goals.
The need for effective incident response and communications plans alluded to above should be a key consideration for other government agencies (as well as private entities) that are currently developing further online capabilities as part of the Commonwealth Government’s nationwide technology upgrade. Irrespective of whether an attack is successful or not, an organisation should have the ability to communicate a unified and consistent response to its stakeholders. This will go a long way towards easing the worries of the public, who for the most part rely on official explanations when it comes to technical issues.
The previously mentioned DDOS attack on the US Congress provides a good example of how incident management and communications with users should be handled. Online events such as the Census, especially where there is so much controversy in the lead-up (in this case regarding privacy), will always attract malicious parties who desire this sort of national/global audience and potential impact.
The Census was too great a target not to have had at least some kind of attack against it. Thankfully for Australians, it looks like our data was protected, and an inconvenience, a healthy dose of frustration and some media hype are the worst of it.