Subscribe to our Newsletter
It’s the most visible edifice of government and a linchpin of our democracy. No wonder the Parliament House finds itself a constant target of attacks, both online and off.
The underground carpark of Canberra’s Parliament House, which lies directly underneath the iconic water feature that’s ubiquitous on TV news broadcasts, is in disarray. Pedestrian barriers, construction residue, scaffolding and dust are everywhere as Stephen Campbell, half apologetically, escorts me past the metres-thick concrete and steel barriers that are being erected in the carpark as a security measure.
It’s ironic because this same building was, not too long ago, subject to violating and aggressive attacks against which no amount of concrete or steel could have protected it. In February 2010, notorious hacking group Anonymous — which has made a name for itself compromising the Web sites of everybody from the Department of Broadband, Communications and Digital Economy (DBCDE) and the CIA to the US Federal Trade Commission, Church of Scientology and Greek Ministry of Justice — launched a distributed denial-of-service (DDoS) attack on the Parliament House Web site in a protest against Senator Stephen Conroy’s proposed mandatory Internet content filter.
For a group trying to choose the highest-profile target possible, there couldn’t have been a more tantalising target than the Parliament House Web site, which was still running software that had been in place for nearly a decade and riddled with potential soft spots.
Part of a year-long campaign of filter protests that also included the February 2010 ‘Operation Titstorm’ scorched-earth DDoS assault on government Web sites, the attack took the site offline for 50 minutes — boosting Anonymous’ global profile and creating further urgency for a massive overhaul of the site.
Web site refresh
Even as the Parliament House Web site was brought back online, however, staff within the Department of Parliamentary Services (DPS), in which Campbell serves as director of the Project Management Office, had to front perhaps the country’s most demanding user base to explain how the attack had been possible.
The answer was, in the main, far from complex: the existing site was old, non database-driven, and built on static HTML pages with inconsistent style sheets; so it was old and had a number of known vulnerabilities, so it was more a matter of if rather than when. Unfortunately for DPS staff, the Anonymous attack came just a month after the team, along with prime contractor Fujitsu, had begun working to code a complete replacement for the site based on the Sitecore CMS.
Replacing the site, which was launched in March 2002 based on static HTML pages and lacked even basic modern features such as support for style sheets and banners. The site had been earmarked for replacement some time earlier, having reached its end of life and proved unable to support growing demands from internal and external users that wanted features like on-demand streaming, live updates on legislation schedules and progress, better information about Parliamentarians, and so on.
Also important was the need to support a transition to mobile devices like tablets and smartphones, as well as the government-wide requirement that its site support features like WCAG 2.0 accessibility standards. “You wouldn’t have wanted to do all that on our old Web site,” Campbell offers. “It was too far gone.”
“Now, we’ve taken that next step and made sure it’s mobile and provides all the services people want. It’s all about giving our clients and the public a more interactive experience with Parliament; our ultimate goal is to provide a Web accessible tool for timely access to information about Parliament and its activities to support the Parliament, and the work of Senators and Members.”
Despite some claims to the contrary by outside parties who argued that the site was relatively simplistic, the project ultimately ended up costing $3.1 million and running twelve months over schedule before it was launched this February.
The delays stemmed not from any inherent inability to deliver — but, rather, the need to not only deliver a complex and extensively integrated site experience to the satisfaction of all stakeholders, and with an iterative security approach designed to prevent a repeat of the Anonymous attack. Testing may have pushed the launch date back, but political sensitivities around its security offered little alternative.
“We’re very conscious about our front page,” says Campbell. “It’s a shared page, owned by the three Parliamentary departments to provide the right information for all. It’s not a political tool — we represent the Parliament and not the view of the government or Opposition — and we need to be careful about what information is put up there.”
When your key stakeholders are the Senate and House of Representatives, prosaic notions of ‘mission critical’ deployments go to a whole new level: both groups of Parliamentarians are used to scrutinising public projects closely, and all had their own opinions about how the site should be redeveloped. Recognising this, Campbell says, the project was always run from its earliest days with extensive consultation from DPS, Senate and House stakeholders. Workshops were run to gather requirements by targeting each functional area across all three departments prior to going to market for a solution.
During the design phase, the project team — which included a range of roles from project manager and project officers to infrastructure staff, Web administrators, database administrators and others — brought design mockups to staff throughout Parliament House offices, coffee shops, and other places where people gathered.
Feedback was solicited directly from Senators and Members as well as their staff, with regular forums run to ensure everybody involved had the chance to offer their feedback on the emerging design. Usability testing was run based on personas ranging from a student to a home-owner, to a legal professional, to a member of a Senator’s or MP’s staff. Representatives of each persona were selected from rural areas as well, to undertake testing. Eye tracking capability was exercised to determine how to best present information on a Web page for maximum effectiveness.
The process also expanded to include guidance from the Parliamentary Library, which offered extensive guidance on information structures and archival requirements, and the publishing unit responsible for services like the production of Hansard records and the ParlInfo database.
As with any content management environment, tight controls over publishing rights were essential — and had to be tied in with core identity management systems capable of enforcing tightly granular control policies.
“We all share the systems and various components and content of the system,” Campbell explains. “It’s not one owner who gets control of everything, and everyone has their own opinions on how it should look or how things should be presented. Trying to come together, and to agree on a consistent view on how we do our business, was one of the challenges of the project. The key thing was the core functionality: our end goal is to ensure the proper functioning of Parliament.”
Despite a concerted plan to get the site completed quickly, getting a consensus with so many stakeholders wasn’t easy. But that turned out to be the least of DPS’ problems: by late 2010, issues with functionality and data migration — as well as a limited number of potential windows of opportunity coinciding with the off-peak times when Parliament isn’t in session — had already pushed back the delivery timeframe.
By the time Anonymous struck again at the end of that year, it became clear that there was a lot more still to be done before the redeveloped site could go live.
“The migration progress is very difficult,” Campbell explains. “When people need to continuously maintain and update the content, it’s difficult to get that content ready for us to move it over; we have to run systems in parallel, and be able to verify and validate that everything’s working.”