2016 Census: failure in planning, blame the engineers
Friday, 12 August 2016

News article written by Corbett Communications. The statements made or opinions expressed do not necessarily reflect the views of Engineers Australia. This evolving news story was correct at the time of going to print.

What appeared to be a perfect storm brought down Australia’s first online Census on 9 August: the site was taken offline for some 40 hours, while thousands of Australians were left looking at error messages on their screens.

It has been revealed by The Australian that the previous Coalition Government had raised concerns about the ABS’ computer systems, data protection and vulnerability to hacking more than a year ago. But present-day Coalition PM Malcolm Turnbull, who had stated before Census night that ABS security was “absolute”, shifted the blame from government to the ABS and to IBM, which held the $9.6 million contract for the Census site. He said there were “clearly very big issues for IBM – the provider of the systems – and the ABS itself” and told Radio 2GB that the measures that ought to have been in place to stop denial-of-service attacks from interfering with access to the Census site had not been put in place.

“That was a failure that was compounded by some failures in hardware – technical hardware failures – and inadequate redundancy,” he admitted.

Former Queensland premier Campbell Newman, a former engineer, said the Census contract should never have been awarded to IBM. Newman had black-listed the IT giant following the Queensland Health pay scandal and said due diligence or even a Google search would have prevented IBM from being awarded the contract.

An assessment of ABS ICT infrastructure early in 2015, according to The Australian, concluded it was “highly vulnerable to failure and error” and that its ability to maintain existing systems was “increasingly compromised”.

“Critical IT infrastructure has components that are more than 30 years old. One in three applications are classed as unreliable, with issues occurring daily or weekly, and one in six applications are no longer supported by the vendor due to outdated technologies,” Treasurer Joe Hockey and his Parliamentary Secretary Kelly O’Dwyer were quoted as saying.

While the mainstream media talked about privacy concerns over cross-referencing data and the ABS’ plan to retain people’s names for longer in the lead-up to Census night, Melbourne-based software engineer Ben Dechrai was the first to highlight that the ABS website was still relying on the SHA-1 hashing algorithm – the hash used in the signature on a Secure Sockets Layer (SSL) certificate, which is what lets a browser confirm the certificate has not been altered – an algorithm that has been considered insecure for years.

The Australian Signals Directorate removed SHA-1 from its list of approved cryptographic algorithms from 2012 onward. All major web browser makers will stop accepting SHA-1-based certificate signatures by 2017; Google began phasing out its support from 2016, and Microsoft (owner of Internet Explorer) said it would do so from September this year. And despite 14 breaches of personal information since 2013, the ABS is still supporting SHA-1 so that people using older web browsers can fill out the online Census form. Dechrai told ZDNet.com there was a more secure way.
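The check behind Dechrai’s observation is a mechanical one: read the signature algorithm recorded in a server’s certificate and see whether it rests on SHA-1. The script below is an added example, not code from the article or from the ABS or IBM systems it describes. It uses only the Python standard library: a small DER walker pulls the AlgorithmIdentifier out of any X.509 certificate, so it works on the certificate returned by ssl.get_server_certificate for a live host, and it also compares the algorithm stated inside tbsCertificate with the outer signatureAlgorithm, which RFC 5280 requires to match. The certificate produced by build_fake_cert() is a constructed skeleton for offline demonstration only, with dummy contents and no real key or signature; the OID table covers the common RSA, DSA and ECDSA signature algorithms.

```python
"""Flag SHA-1 in an X.509 certificate's signature algorithm (added example)."""
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 5758): name and whether they use SHA-1.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10040.4.3":     ("dsa-with-sha1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf, pos):
    """Parse the DER tag/length at pos; return (tag, content_start, content_end, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:                                   # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length, start + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc < 2, as for 1.2.* OIDs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 group
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(buf, seq_pos):
    """Return the OID inside an AlgorithmIdentifier SEQUENCE that starts at seq_pos."""
    tag, start, _, _ = _read_tlv(buf, seq_pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, s, e, _ = _read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(buf[s:e])


def signature_algorithms(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID) of a DER certificate."""
    tag, cert_start, _, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, after_tbs = _read_tlv(der, cert_start)      # tbsCertificate
    if tag != 0x30:
        raise ValueError("expected tbsCertificate SEQUENCE")
    tag, _, _, nxt = _read_tlv(der, pos)                       # optional [0] version
    if tag == 0xA0:
        pos = nxt
    tag, _, _, pos = _read_tlv(der, pos)                       # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return _algorithm_oid(der, pos), _algorithm_oid(der, after_tbs)


def assess(der):
    """Name the signature algorithm, flag SHA-1, and check inner/outer algorithm agreement."""
    inner, outer = signature_algorithms(der)
    name, sha1 = SIGNATURE_OIDS.get(outer, ("unknown OID " + outer, False))
    return {"algorithm": name, "uses_sha1": sha1, "consistent": inner == outer}


def assess_host(host, port=443):
    """Fetch a live server's leaf certificate and assess it (network access required)."""
    pem = ssl.get_server_certificate((host, port))
    return assess(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test input: a certificate skeleton, not a valid certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # remaining groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_fake_cert(oid, inner_oid=None):
    """Constructed skeleton: correct outer X.509 layout, dummy version/serial/signature bytes."""
    alg = lambda o: _tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))       # [0] version v3
                     + _tlv(0x02, b"\x01")                  # serialNumber 1
                     + alg(inner_oid or oid))               # signature (inner)
    return _tlv(0x30, tbs + alg(oid) + _tlv(0x03, b"\x00" + b"\x00" * 4))


if __name__ == "__main__":
    print(assess(build_fake_cert("1.2.840.113549.1.1.5")))    # SHA-1 flagged
    print(assess(build_fake_cert("1.2.840.113549.1.1.11")))   # SHA-256, clean
```

assess_host() inspects only the leaf certificate the server presents; the browser deadlines above applied to the whole chain, so an intermediate signed with SHA-1 would still be rejected even if the leaf passes. A mismatch between the inner and outer algorithm (consistent: False) is itself a red flag, since a conforming issuer never produces one.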

“[The ABS should make] the page where people click to start the Census less secure, so it works on older browsers, [and then] do browser detection. If the browser is too old, prompt them to upgrade or order the paper form,” he advised. “Only supported browsers show the ‘Start’ button [which loads the submission form from a properly secured server].”

Dechrai agreed the ABS needs information, just not the type gathered in the 2016 Census. As a software engineer, his commentary is indicative of how engineers are faced with present-day ethical and sometimes political dilemmas.

“The ABS doesn’t need to know who the Muslims are though, just how many there are. The ABS doesn’t need to know who’s bought a new car, just how many. The ABS doesn’t need to know anyone’s date of birth to provide them services; age is sufficient. A postcode is all the information they need from our address in order to provide the services that Australians in my suburb need, in my suburb,” he stated.

“Under fear of prosecution, the ABS is creating a profile of all people, and then using our names and addresses to link that to ATO data, immigration department data, health department data, education department data, and more.”

A wide range of credible voices from government, industry and academia echoed Dechrai’s concerns about the online security of the upcoming Census. Dechrai went on to accuse the ABS of lying about how the data it has gathered has been used since 2006 (without publicly disclosing the fact), adding that its online census collection will leave Australians wide open to a cyber-attack. The US Census Bureau website was subject to just that in July last year, when the online hacktivist group Anonymous was able to get in and leak employee data.

As for the ABS website and this year’s online census, Dechrai said: “they are creating a database that is now a really big target to hackers. It was anonymous [not the group] before, so not so interesting. Now it’s going to be a gold mine.”

Author: Desi Corbett