In 2016 Australia’s online census crashed and burned after legitimate attempts to complete the survey were mistaken for a DDoS attack, the routers funnelling traffic failed, and disaster recovery plans did likewise.
A probe into the fail revealed poor planning, little testing, and many red faces. The mess ultimately saw IBM pay AU$30m to the Australian government to compensate for costs incurred in making the census available. Big Blue was vindicated, to some degree, by the fact that Australian government agencies signed off on its security plans. The incident, which came to be known as #Censusfail, became a byword for Australia’s government being bad at technology.
Little wonder, then, that the Australian Bureau of Statistics (ABS) decided to commission an independent audit of its preparedness for the 2021 census.
The first conclusion of the report [PDF] based on that audit is that planning to date has been “partly effective”.
The report goes on to damn preparations with faint praise, finding that while “largely appropriate planning and governance arrangements” are in place, “the risk framework is compromised by weaknesses in the assurance arrangements.”
On the IT front, the bureau’s preparations are again rated “partly effective”.
“Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers. The ABS has not put in place arrangements to ensure that improvements to its architecture framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.”
The report also found that “partly appropriate” security controls are in place and that the bureau’s high-level security measures and controls are “sound”. However, the agency’s security strategy has not been fully implemented.
Nor has the bureau fully implemented its new IT framework, so Census tech is not compliant and is in any event built outside the agency’s architecture standards. It also lacks controls for managing non-compliance. “The ABS has not established a process to mitigate the risk of unauthorised changes being implemented across systems supporting the Census.”
Data handling is not in great shape either. The review rated current practices as “partly appropriate” and warned the ABS “has not fully implemented controls for managing the quality and protection of 2021 Census data and does not have in place appropriate arrangements to monitor control implementation.”
The report therefore recommended an assessment of the risks created by non-compliance, plus the creation of controls for mitigating unauthorised and inappropriate system changes. Those controls will focus on developers that have access to migrate their own changes to Census-related systems. Regular review of progress on security was also recommended, as was a review process to make sure the review processes are working.
The ABS has agreed to all recommendations. It now has nine months to get them right: Census day is 21 August 2021. ®