As the appointed hour for tonight’s census approaches, the question on many lips is: will it go smoothly, or will it be a repeat of the infamous 2016 #Censusfail?
Australians may remember the chaotic 40-hour shutdown suffered by the census website from 7:30pm on census night back in 2016. Fingers of blame were pointed in all directions, and the Australian Bureau of Statistics (ABS) suffered a heavy blow to its reputation.
A forensic audit later revealed multiple causal factors, not least of which was a series of malicious “distributed denial of service” (DDoS) attacks. This type of attack aims to paralyse a website by bombarding it with too many requests at once.
What happened in 2016?
In essence, the online platform used in 2016 had insufficient built-in safeguards against DDoS attacks. This led to a hardware failure and the ultimate collapse of the system.
It is also possible the large number of legitimate access requests from people simply trying to complete their census contributed to the failure. The ABS later claimed the technology infrastructure was inadequate for the job at hand, despite assurances from its provider, IBM.
After the DDoS attacks, system monitors reported what appeared to be an unusually large amount of outbound traffic, which suggested confidential data were being exfiltrated. The ABS shut everything down to prevent further data loss.
It was later found that the unusual outbound traffic reading had been false. There was no loss of confidential data.
How will 2021 be different?
The 2021 census is being coordinated by PricewaterhouseCoopers, one of the largest professional services networks in the world.
Moreover, the online platform will run on Amazon Web Services, by far the largest cloud computing services provider in the world. It has certified capability at handling “protected workloads”, which means the Australian Signals Directorate has signed off on its trustworthiness to host citizens’ data.
With these choices, the ABS has minimised the risk of a 2016 repeat.
To pay for all of this, the ABS was allocated A$38.3 million over three years in the 2019-20 federal budget.
Census website opened early
Because the census website opened on July 28, there will be less of a traffic spike on census night itself.
From July 28, Australians began receiving letters with their login ID and password. They could log in immediately to complete their censuses.
There have been informal reports that people have had difficulty logging on because the letter appeared to show spaces in the nine-character password. On the letter, the password was grouped into three lots of three characters.
But if the spaces are entered, the login fails. There should be no spaces in the password entered into the census website.
What makes a website resilient?
Resilient websites are those that are better able to withstand attacks in the first place, and — if a failure caused by excessive load or a cyber attack does happen — can recover with a minimum of downtime.
It is no great mystery how to do this. It is a matter of good engineering and ample resources. Around the world, there is a growing number of businesses whose livelihood depends on having a resilient website. Providers of web services like Amazon’s AWS and Microsoft’s Azure must guarantee these high levels of service, to win and keep these clients’ business.
This is the level of resilience the census platform is using.
How will we know if 2021 is a success?
2016 was Australia’s first digital census. It seems likely the lessons from that bumpy first outing have been learned.
Moreover, top-shelf service providers have been engaged, and sufficient funding secured. With the arrangements currently in place, we can expect tonight’s census to be a success.
But there can be no absolute guarantees. We live in a world in which cyber-attacks from unfriendly nation states, organised criminals, hacktivists and garden-variety cyber-crooks are a daily occurrence.
The good news is that Australia’s ability to fend off this malicious disruption is improving every day.
By David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University