Wednesday, August 10, 2016

#CensusFail - What the ABS did well, what they didn't & what other agencies should learn from it - PLUS: Who attacked the Census?

I feel sorry for the ABS guys this morning - they've just seen three years of planning and effort effectively blow up in their faces, and I expect many staff are now scrambling to address the issues from overnight in order to move forward.

I know how dedicated and hard working they are, and how committed they've always been to providing a statistically accurate picture of Australia to support good government policy and services.

However I also feel it is appropriate to look at what's happened with the Census 2016 process - the good and the bad - and provide some context and thoughts for others across government on what they can learn from the ABS's experiences.

It is right after Census night, and much remains unclear - I expect a more complete picture of events to emerge over the following days and weeks. However there's still much that can be observed, critiqued and analysed from the events thus far.

Let's look at the facts to start.

This was the ABS's 17th Australian Census and the organisation has a highly enviable international reputation for its capability to effectively collect, securely store and usefully distribute Australian statistics. It is one of the best organisations of its kind globally and has been highly trusted and respected by successive governments and the Australian public for how it has conducted itself over the last 105 years.

Despite this, successive governments have progressively cut the ABS's funding, with the ABS forced to consider making the Census 10 yearly, rather than 5 yearly, due to budget cuts. In fact if not for a $250 million 5-year grant from the Coalition government in 2015 to upgrade ageing (30yr old) computer systems, it is questionable whether the ABS would be positioned to maintain Census timing and reliability.

The 2016 Census was the first in Australian history to be predominantly online. The ABS has had an online capability since the 2006 Census and was moving digital in degrees. For 2016 the ABS estimated it would cost at least $110 million extra to hold the census predominantly in paper, so the move to digital first was both sensible and pragmatic given the ABS's reduced funding.

As a result, the ABS aimed to have at least 65% of Australian households (call it about 6.5 million) complete the Census online.

Around the same time the ABS (not the government) also made a decision to retain names for up to four years (up from 18 months in 2011 and 2006) after the Census and create linking keys which would be retained indefinitely. The purpose was to allow the ABS to connect Census data with other datasets to uncover deeper statistical trends to better inform policy.

The ABS did conduct a form of public engagement over this decision to retain name data and linking keys, however this was quite limited - I wasn't aware when it was held and apparently it only received three public responses indicating concern.

The same proposal was discussed in 2006 and 2011 and rejected due to privacy concerns. I'm not sure how the ABS felt the situation or environment had changed to make this proposal acceptable.

Over the last four months privacy advocates, senior ex-staff of the ABS and non-government politicians have become increasingly vocal over this privacy change - with the discussion coalescing online at #CensusFail over the last two weeks (just prior to 'Census night').

The ABS's response to this has been to largely repeat (in various ways) 'you can trust us', and avoid publicly engaging with the issue or its underlying causes in detail.

Partly as a reaction to not feeling heard or engaged, the voices of opposition have gotten louder and louder, reaching the media and prompting at least seven Federal politicians to publicly announce they would not be providing their names to the ABS in the Census. Alongside this, IT specialists have tested the edges of the ABS's Census systems and highlighted several apparent vulnerabilities - which the ABS has also not engaged with in a public way beyond 'trust us'.

At the same time ABS phone lines for Census were widely reported to be congested - with the ABS in its site saying from 8 August that people should delay calling until the 10th (after Census night on the 9th).

It's worth noting that alongside this slowly rising opposition, the ABS was quite outspoken about how people who did not complete the Census could be charged $180 per day indefinitely until completed and those who provided false information could be charged $1,800 - although they were careful to wrap this stick in a little cotton wool, stating that there were only about 100 fines issued in 2011.

The ABS's Census campaign, similar to past Censuses, focused on 'Census night' - where Australians could take a 'pause' to respond to the Census and inform future policy for Australia. They tried to create a party atmosphere, with the Census being an engaging family experience that could be undertaken on Census night.

In fact people were able to complete the Census up to two weeks earlier (and 2 million households did), as well as complete the Census up to six weeks afterwards without any prospect of a penalty. While some people understood this, the ABS's communications campaign focused very much on that one Census night on 9th August - which was an approach likely to concentrate demand for the online Census system into a 5pm to 10pm period on that one night.

On Census night the Prime Minister and many others commented publicly via social channels on how easy the system was to use and complete - until around 7:15pm when the first issues began being reported online, with failures to submit completed Censuses and the Census site being slow and unresponsive.

From 7:30pm the level of complaints had escalated enormously, and shortly thereafter the ABS reports it took the site offline due to a series of at least four denial of service attacks on the site, one of which exploited a vulnerability in a third party service.

The Australian Signals Directorate (the government agency that other government agencies calls in when foreign interests or organised criminals digitally attack - and manage much of Australia's cyberwarfare capability) said that the attack was malicious and foreign-based.

However the ABS's Twitter account continued to cheerily post about completing the Census, TV and radio ads continued, and the ABS didn't announce the site was down temporarily until 8:38pm - almost an hour later.

The ABS then didn't announce the service would not be restored until 10:59pm - over three hours later.

This morning we learnt officially about the attack and the ABS's response. The ABS shut down the site to protect the data they had already collected, protecting the privacy of the 2 million plus Census forms successfully submitted earlier in the night.

The ABS's chief statistician, David Kalisch, told ABS radio this morning (10 August) that, "after the fourth attack, which took place just after 7.30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data."

As reported in the Sydney Morning Herald, Mr Kalisch He also described the events that caused the issue: the system's geo-blocking protection was not working effectively, a hardware router failed, and a monitoring system "threw up queries we needed to investigate".

We've also learnt that the Privacy Commissioner is now investigating the matter.

The Minister responsible has said that the "Census [was] not attacked or hacked" - though this is somewhat of a half-truth. A Denial of Service attack is an attack, and can be used to attempt to 'brute force' access underlying data. The ABS successfully defended the site's integrity and prevented data loss (hacking), but it was definitely an attack.

Now there is currently some doubt over whether there was a Denial of Service attack, however for the purposes of this post, I'll take the ABS's word for it.

More details will emerge over the days and weeks to come, but let's look at what went wrong and why.

What went wrong and why

The issues raised prior to Census night may have explicitly focused on privacy and security, but they were really about engagement. Simply speaking, many people in the community felt that they had not been sufficiently engaged about the ABS's decision to change how long it kept personally identifiable data or how it would be linked to other datasets.

The ABS's consultation approach - which I missed entirely - appears to have failed to engage the group who were most likely to be concerned about privacy considerations, and the agency's attitude after privacy concerns were raised was too dismissive and high-handed.

This isn't simply my view - I've seen the same basic concerns raised time and time again about a level of ABS engagement arrogance and refusal to go more deeply into a conversation than 'trust us' and 'those concerned are crackpots'.

So the first thing the ABS did wrong was have an insufficiently long or engaging process of socialising the Census changes and reassuring key voices by demonstrating a very interactive process of addressing potential issues and concerns.

This perhaps speaks to the ABS biting off too much in this Census - both going to a digital-first model and introducing changes which many people felt increased the privacy risks. If the ABS had focused on one of these changes this Census (digital-first), and had then introduced the data retention changes next Census, they would have had a much easier job of it.

The concerns around privacy escalated as people found potential security holes in the Census system - such as this plaintext issue - which the ABS essentially ignored and dismissed.

Whether or not this, and other issues, were merely perceptional or were real issues which the ABS then addressed, acknowledging the concerns and addressing them in a mature and engaging manner would have gone some way to address the concerns and satisfy those raising them. Instead all the community received was government motherhood statements amounting to 'trust us'.

In a time when trust in government is low and people are regularly bombarded with media stories about data breaches, 'trust us' has no meaningful use as a government message. Instead the ABS needed to have a highly flexibly and collaborative approach to communication - inviting privacy advocates to special sessions with Census officials who could explain the technical nuances of what was being done, and policy officials who could explain the benefits of the approach.

With this style of engagement the ABS could have transformed the privacy community into advocates for the Census, rather than opponents, and greatly limited the pre-Census jitters which has resulted in a high profile loss of faith in the ABS and in the government.

A side-effect of the ABS's failure to engage was the creation and growth of the #CensusFail hashtag on Twitter - which then became a lightening rod for the subsequent issues the Census experienced on the night of 9 August.

With the ABS focusing attention through its media campaign on 'Census night' it was inevitable that most people would attempt to complete their Census forms online in a very narrow window - between 5pm and 10pm on August 9th. This was even though it was possible to complete the Census earlier or later.

With the Census being a national event and the high profile of 'Census night' due to both the ABS's positive #MyCensus campaign and the negative #CensusFail campaign, it was highly probably that someone would see the narrow high-volume Census night window as an opportunity to embarrass the Australian Government, make a privacy point or attempt to steal a massive honeypot of data that could have been mined for decades for commercial and political gain.

I'm sure the ABS foresaw this. They'd done extensive loadtesting and everything I'm sure they could to secure the system. However they were also partially responsible for creating the window in which there would be a peak load that could be exploited.

As such, the highly probably happened. Someone (or someones), somewhere in the world attacked the Census process with a series of four brute force Denial of Service attacks (again I'm taking the ABS's word that there were active attacks).

These attacks aim to flood servers with so much traffic that they give up secure information or fall over and stop working.

We know from the Australian Signals Directorate that the attacks were launched primarily from offshore. I'm unsure if the ABS had designed its system to separate known foreign and domestic traffic, which could have helped mitigate part of these attacks - but there are ways for attackers to mask their locations, so this is not a certain way to counter them.

We know that the first three attacks caused little damage other than minor delays and hiccups, but the fourth found a vulnerability in a third-party service and the ABS pulled the Census site down.

This was absolutely the right technical approach to take, but again the ABS made a series of unforced errors in its engagement.

Firstly, in the days before the Census the ABS declared that its system was unsinkable - "It won't crash". Technically this was true - it didn't. However the impact for users was the same as a crash, the system went offline.

The Prime Minister similarly said that ABS Census privacy "was absolute". This, to anyone involved in privacy and security is simply untrue - and the ABS's actions on Census night created a perception that the Prime Minister was lying or poorly informed by the ABS.

Both the actions above created a situation where the ABS over-promised and under-delivered. Rather than making people trust the ABS and Census approach, it has created more fear and uncertainty and made the ABS look, in the words of New Matilda, "like a deer caught in the headlights".

It would have been preferable if the ABS had made it clear that they had taken the advice of security and privacy specialists and taken all the actions within in their power to protect the Census process.

Rather than declaring "It won't crash", they should have said "whatever happens we will safeguard your data to the best of our ability", and highlighted that people could complete the Census over a period of time at their leisure, rather than having to pile in on 'Census night'.

In other words, agencies should underpromise and overdeliver. The ABS, like other government departments, already had a high level of trust and faith from Australians. Making undeliverable claims, as they did, to try to signal they were trustworthy only gave them enormous downside risk and challenged malicious external hackers to try to bring them down.

Next, the ABS did not tell people immediately about their actions by saying something at 7:45pm like "We've detected attempts to access Census data and, in the interests of Australians, taken the decision to take our system offline until we're sure your data will continue to be as safe and secure as possible". Instead there was no real public communication of the ABS's decision (right though it was) until Wednesday morning.

This was a major, major, engagement failure. People were engaged and trying to complete the process the ABS had asked them to complete. Yet the ABS did not have the courtesy to tell them that they could not complete it until hours of frustration afterwards (though the ABS did tell the government).

People had trusted the ABS, given up their evenings to 'take a pause' for Australia - and the ABS then left them hanging and wasting time - unsure if they would be fined.

This did more than damage trust in the ABS and government. It destroyed respect.

To other government agencies - trust and respect must be mutual. They are built slowly over time, but can be destroyed in an instant. The ABS just did that, and the impacts will be felt, by the ABS, by the Turnbull Government and by other agencies for years to come.

The impacts will be subtle. Every major IT project will be met with scepticism. Statements by Ministers and senior public servants will be disregarded and lampooned. What has been lost will take years to recover.

Now the ABS has to pick up the pieces and move forward - so what's the best way to do this?

This is a classic crisis recovery scenario writ large. Transparency is the key. The ABS has to own the issues and be proactive about engaging media and the public on what happened and why the ABS acted as it did.

It did get off to an OK start this morning with David Kalisch's interview on ABC radio. Now the community needs a continuing stream of engagement clarifying the steps the ABS has taken and what will happen next.

The last tweet from @ABSCensus was a 9:53am. it's now 1:51pm. The ABS realistically need to be communicating at least hourly on what is going on while peoples' attention is still focused on #CensusFail.

The ABS should reframe its communications campaign (using any budget it has left) to focus on how it put public interest ahead of its own reputation, pulling the Census site offline until it was certain it could guarantee the security it promised Australians.

The ABS needs to commit to deeper and longer engagement with the community and specifically privacy advocates around any future Census changes - potentially even step back from it's position on linking data, committing to working more closely to communicate the benefits and safeguards and listening to the concerns of the public.

In short the ABS has to eat humble pie.

If the ABS takes these steps it will, over time, recover the trust and respect of the public, rebuild its reputation and regain its position as one of the most respected and trusted government institutions.

However if the government and ABS can't get their story straight (already an issue) senior egos or politics get in the way, the ABS decides to be 'selectively transparent' and only share details it thinks are important to the people it deems important - the strategy will fail.

I have enormous respect and trust in the people who work at the ABS and hope they take the steps necessary to turn this tragedy into a resurgence. The responsibility for their future success is on their shoulders, and I hope they bear it well.

PS: Who attacked the Census and Australia?

I consider that there's four potential groups who may have led the attacks that led the ABS to take the website offline. Note that it's even possible that several groups attacked around the same time - seeing the same opportunity.

These are:
  • Random opportunity hackers - people who saw an opportunity to bignote themselves by claiming the Australian Census as a 'scalp'. With the ABS touting themselves as totally secure and a five hour window with maximised traffic, it wouldn't take much for an individual or group of hackers to decide to take down the Census for LOLs and credibility.
  • Organised crime - groups who systematically hack organisations for data they sell or use for fraudulent activities. These groups would see the Census as an enormous honeypot of data they can sell and resell for years to come, containing all the vital information for identity and credit card fraud. Again these groups would easily be able to pick the best time to hack the data as the ABS flagged it in their advertising, Census night when millions of households attempted to use the service. 
  • Privacy groups - 'organisations' like Anonymous often go after organisations they see as crossing the line on privacy - as the ABS was seen to be doing by a number of people. Their goal would simply be to disrupt the process as a political awareness tool.
  • State-sponsored hackers - a number of governments (China and Russia chief amongst them) use state-sponsored hackers to attack foreign governments, companies and other organisations that oppose their perspectives, embarrass them or as a tool in geopolitical positioning. In this case the Census was a high profile event for Australia, with a new one-seat majority government in place. Disrupting the Census would cause political damage and fallout, potentially even causing the government to fall, but at minimum reducing the trust Australians have in their government and creating distrust that could be exploited later. Given than Australia has been considered by China as embarrassing China on several recent occasions - over China's East China Sea installations and at the Olympics, an attack disrupting the Census might be considered proportionate retribution to 'teach Australia its place'. China has been known to perform similar acts against Australian non-government organisations, such as film festivals showing politically sensitive films - attacking the Census would be a bold escalation, but a plausible one. These hackers may also look to access data on individuals as a secondary bonus - as a foreign government could use it for years to come for commercial and political gain.
My view on the above scenarios - random hackers are least likely. Australia isn't that significant and the Census, while a public target, isn't a 'hard' one by international standards. Military targets are more often targets for credibility.

Privacy groups would have flagged the attack. Their gain is in public exposure and ridicule and, while there's been plenty of that for the ABS, they'd want to clearly own the hack and make their point.

Organised crime is more likely, but attacking on Census night is potentially too early as not all the data is in. It would be more probable these groups would target the ABS once the data is collected, or would attempt a social attack (paying an IBM or ABS staff member) as this is likely easier and less of a public signal than a brute force attack. These groups don't want public attention, so this form of public attack is rare.

In my view the most likely scenario is that state-sponsored hackers targeted the Census to embarrass the Australian Government in return for a perceived slight. I reckon the Chinese have the most reason right now to do so, although the Russians, when annoyed at Tony Abbott's 'shirtfront' comments, did send a significant navy force to Australia's coast using a G20 meeting to signal their disapproval and defiance.

There's few other nations that publicly have an issue with Australia (and the capacity to carry out this attack) - but very remote possibilities are North Korea, or the failing IS (though IS would have taken credit right away).

1 comment:

  1. Hi Craig. Love the analysis. I am in despair over the communications. It was like watching the Titanic go down... the unsinkable digital platform. Good communicators would never have handled the communications or engagement in this manner. They would also have strongly recommended separation of the two issues - it's enough to have the privacy problem in the forefront of everyone's mind. I do feel that the ABS has had the problem of a lack of funding, but there is also a lack of understanding on how IT systems fail, that you don't create scenarios that can stimulate negative behaviour and that you keep people on the journey through the change. They should be doing hourly updates on Twitter and swamping the interweb so we will start to relax and feel that they have the situation under control.