IBM assured ABS of census site resilience

By Dylan Bushell-Embling
Monday, 26 September, 2016

The Australian Bureau of Statistics had been assured by vendor partner IBM ahead of the high-profile census website outage last month that the system was capable of withstanding a DDoS attack.

In a submission to the Senate enquiry into the outage, the ABS noted that IBM was responsible for mitigating the risk of loss of system availability due to a DDoS attack under the census system contract.

During 2016 the agency sought and received “various assurances from IBM about operational preparedness and resilience to DDoS attacks”, the submission states.

One of the key measures IBM implemented to address the risk involved geoblocking IP access to the system, a process codenamed “Island Australia”.

According to the submission, after the ABS approved IBM’s plan, the company undertook live testing of Island Australia and informed the bureau that the system worked exactly as expected.

While the ABS undertook a range of independent testing of the IBM-developed system, the bureau did not independently test the DDoS protections put in place by the company “as it considered that it had received reasonable assurances from IBM”.

At no time was ABS offered or advised of additional DDoS protections that could be put in place, and no suggestion was made that the protections that were planned were inadequate.

Yet the inquiry into the incident has found that a series of DDoS attacks rendered the site inaccessible on census night. The ABS also asked IBM to take the site offline after a fourth DDoS attack and after a monitoring system mistakenly labelled some outbound traffic as malicious.

Image courtesy of Open Grid Scheduler / Grid Engine under CC