In August 2016, the Australian Bureau of Statistics (ABS) made its now ill-fated shift to a mainstream online census process.
Prior to the application going live an extensive media campaign enthusiastically promoted the benefits of a digital solution and reassured citizens that their personal data would be safeguarded, despite the ABS retaining identifying information for much longer than previously.
After several Distributed Denial of Service (DDOS) events – even the decision as whether to refer to them as ‘attacks’ became politically charged – the system was taken offline for 43 hours during the peak demand period to protect the data, to the great political embarrassment and discomfort of the government, the ABS and all involved.
There is no question that a DDOS attack should be a standard expectation for any major government online service, especially one that is so actively promoted, courts controversy by appearing to move the ‘privacy’ goalposts with limited consultation and has a massive time-sensitive throughput surge known as ‘census night’. For predisposed groups and individuals, it’s the equivalent of painting a big red target on the system.
As with all high profile public sector IT failures – regardless of jurisdiction – there has been significant discussion regarding the underlying factors that led up to #Censusfail, as Twitter started referring it to it almost immediately. Many of these focussed on the specific technical shortcomings of both the design and its subsequent testing by the main contractor, IBM.
Three months later and the official review into the debacle by the Prime Minister’s special advisor on Cyber-security, Alistair MacGibbon, has been publicly released, in an effort to provide greater clarity around not only the events of 9 August, but also the preceding 18 months of decisions that led to such a fiasco.
The report calls out an ‘overly-cosy relationship’ between the prime contractor, IBM, and the ABS.
While there is no assertion of impropriety, the report identifies a high number of occasions where ‘sole source’ provisions were used to procure services.
Apart from nefarious motivations, which are certainly not alleged in this instance, the driving force for sole source in government procurement is speed. The fact is that, even with recent efforts to streamline processes, public sector procurement simply takes too long.
Given the ongoing drive for ‘agility’ that is being promoted across Australia and around the world, there is a major challenge in speeding things up, whilst adhering to ‘old-style’ procurement practises.
The rational public sector response to this need for speed has often been to setup procurement to favour an existing provider arrangement – not due to dishonesty – but simply to ‘get things done’.
The eCensus outcome clearly highlights the dangers of this approach. The concern is that the very public negative publicity rightly associated with #Censusfail causes a tightening of compliance within old-school procurement approaches and increases delays, rather than designing a new procurement regime that delivers on speed without undermining probity.
The MacGibbon review goes on to call out the dangers of taking an overly prescriptive view of legislation as a contributing factor to the outcome.
During project development, the ABS precluded certain technical approaches based on their strict reading of the Census and Statistics Act, without a deeper consideration as to the intent of the legislative construct, and whether it could be achieved by alternative mechanisms.
We commonly see such examples of ‘playing the security card’ (or the privacy card) as a mechanism to shut down discussion of innovative approaches to problems.
This is not to imply that privacy or security are unimportant in the public sector, when the ABS experience shows they clearly are, but to highlight that they are often used as ‘blockers’ without reference back to the underlying intent of the legislation.
Australian public servants are not unique in this. In analysing the impediments to greater cross-agency collaboration, the New Zealand Government noted a culture that exhibited the same behaviour, that is using security and/or privacy ‘rules’ to push back against change without validation.
On a more positive note #Censusfail could be the ‘cyber-security event we had to have’, to channel the ex-Australian PM, Paul Keating.
The impact of a relatively straight-forward and predictable denial of service event has reinforced that core government services are as much about availability as they are about confidentiality. Furthermore, while there was extensive media debate prior to the eCensus regarding the security of information and the potential for it to be ‘hacked’, no information was compromised.
With the report calling for a cyber-security ‘boot camp’ for senior public servants #Censusfail may well be the turning point at which, in Australia at least, there is a greater maturity within the public sector as to the critical importance of cyber-security, rather than the traditional approach of leaving it to the ‘propeller heads’.
Al Blake is principal analyst, government technology at Ovum.
ABOUT OVUM
Ovum is a leading global technology research and advisory firm. Through its 180 analysts worldwide it offers expert analysis and strategic insight across the IT, telecoms, and media industries. Founded in 1985, Ovum has one of the most experienced analyst teams in the industry and is a respected source of guidance for technology business leaders, CIOs, vendors, service providers, and regulators looking for comprehensive, accurate, and insightful market data, research, and consulting.
With 23 offices across six continents, Ovum offers a truly global perspective on technology and media markets and provides thousands of clients with insight including workflow tools, forecasts, surveys, market assessments, technology audits, and opinion. In 2012, Ovum was jointly named Global Analyst Firm of the Year by the IIAR.
Ovum is a division of Informa plc, one of the leading business and academic publishing and event organisers globally, headquartered in London. Informa is quoted on the London Stock Exchange.
View Ovum Profile