Australia’s Census Fail
In 30 minutes, a wave of DDoS attacks crashed Canberra’s hopes for a quick, easy, online census.
On August 9, Australia attempted to conduct its census. The compulsory census is taken every five years and the information gathered produces not just a snapshot of the country’s makeup, but also provides valuable data for policymakers and academics.
This was the first census to be conducted online, and the government was hoping that two-thirds of the public would submit their information electronically, rather than via the traditional paper form.
However, on the very evening when people were encouraged to fill out the online form, a cyber attack against the Australian Bureau of Statistics’ (ABS) website led to it being shut down for two days, leaving millions of people unable to complete the census, and creating an embarrassing headache for both the ABS and the government.
A series of distributed denial of service (DDoS) attacks was made on the ABS site. A DDoS attack occurs when a network of computers in various locations around the world bombards a website with up to millions of access requests in an attempt to overwhelm it and force it to crash.
In the weeks leading up to the census there was much media attention focused on the public’s privacy concerns regarding the online census. Previously, the paper form census did not require citizens to provide their name alongside other information about their background and circumstances; those who did provide their names would have this information stored for 18 months only. However, the new online census made it mandatory to provide a name in order to proceed with the form, with the information being stored for four years. Non-compliance risked a A$180 fine. A number of senators stated that they would not be entering their names, providing great oxygen to those highlighting the privacy concerns.
The media attention, combined with spokespeople from the ABS, as well as a number of government politicians, guaranteeing perfect security with the census site, created a juicy target for hackers looking to cause mischief.
Alongside the DDoS attacks, the ABS seemed to significantly underestimate the load capacity that would be required for the census to be conducted. Leading up to August 9, the ABS boasted that its website would be able to handle 1 million form submissions every hour, or 260 forms a second. Yet with 9.2 million households in the country, most of which would have attempted to fill the form out in the first few hours after arriving home from work, there seemed to be a basic mathematical failure on the part of the country’s official statistical body. The ABS reported an increase in traffic around 7:00 pm Australian Eastern Standard Time (AEST) and the site was down by 7:30 pm AEST.
A spokesman for the ABS described a "confluence of events" that led to the census site being taken down. These included the system's geo-blocking protection not working effectively, the failure of a hardware router, and a monitoring system which "threw up queries we needed to investigate."
Prime Minister Malcolm Turnbull was quick to reassure the public that there had been “no penetration of the ABS website.” The DDoS attacks and capacity overload merely prevented people from accessing the site. He said no data had been compromised.
An initial assessment from the Australian Signals Directorate, an intelligence agency within the Australian Government Department of Defense, found there was no back-up when the system came under pressure from the DDoS attacks, as well as finding flaws in the design of the system that supported the census home page.
Further investigation is bound to focus on IBM’s efforts to protect the A$470m (US$360m) project, and could impact the company’s ability to gain future government contracts.
By the time the ABS website was shut down on the evening of August 9, only 2.3 million households had been able to complete the census form. Two weeks later the ABS received forms from 6 million households, leaving over 3 million households still yet to complete the form. The ABS was organizing census collectors to go door-to-door to collect the outstanding forms.
While no data was accessed by those who launched the DDoS attack, the disruption to the census process has brought into question whether any of Australia’s government agencies have the capacity to run large-scale technological projects, especially those that require mass public participation within a small timeframe.
After the time-consuming counting by hand that followed the recent federal election, where it took eight days to determine a result, both the prime minister and the opposition leader called for Australia to move toward a system of electronic voting (either online or through voting machines). However, after the mess of the census, that idea is likely to be met with a serious lack of public confidence.
The Authors
Grant Wyeth writes for The Diplomat’s Oceania section.