The report should be construed through reference to the ambitions of the Advisor's office (and that of the Digital Transformation Agency) and the historic incapacity of the Office of the Australian Information Commissioner. Recommendations for example that the OAIC be passed the ball provoke some wariness given the unwillingness of either the Coalition or the ALP to both adequately fund that agency and to foster a positive approach to privacy protection. Buzzwords such as 'new paradigms' need to be substantiated.
The report states
The Australian Government’s new paradigm of online engagement and services for Australians is not coming. It’s already here.
Government’s response to the eCensus events of 9 August 2016 provides an opportunity to change the conversation about cyber security: to one of trust and confidence in the government’s digital transformation agenda, where ‘digital first’ is the overwhelming preference for Australians, underpinned by tangible security and adherence to privacy.
The 2016 eCensus tells us that more of the same is not enough: there is a new imperative to embrace cyber security as a core platform for digital transformation. And when we make the necessary changes we will increase the chance to deliver on the promise of Australia’s Cyber Security Strategy, to strengthen trust online and better realise Australia’s digital potential. Much of the Government’s dealings with Australians now takes place online, and this trend will only accelerate. But because this world is new, some disruption is bound to occur as culture shifts. And setbacks are inevitable.
The 2016 eCensus was a setback. One of the government’s most respected agencies – the Australian Bureau of Statistics (the ABS) – working in collaboration with one of the technical world’s most experienced companies – IBM – couldn’t handle a predictable problem.
As a result, a key national event trended online globally as #CensusFail – a serious blow to public confidence in the Government’s ability to deliver on public expectations.
While the media proclaimed the usual “cyber attack”, this cyber security issue was, unusually, not a matter of national security. Instead, it was a clear demonstration of the broader impacts – and relevance – of cyber security on Australian society.
The ABS often cites “Australia’s largest peacetime logistical operation” and its proud history of 100 years of conducting censuses for Australians. The scale of the Census is immense and it touches the lives of all Australians. And in 2016 it worked hard to get more Australians to participate online. But this part of the Census represented significant risk.
In perspective, at around $9.6m – a fraction of the $471m overall spend on the Census – the payment to IBM to deliver the eCensus capability was small. Certainly the sum was small to IBM: between 1 January 2013 and 19 August 2016 IBM was awarded 777 contracts across the Commonwealth Government with a total value of $1.55 billion ($13.7m of which was with the ABS). But cost isn’t the only issue. Nor the most important one. Australia now knows that cyber security is not just about national security. Cyber security is about availability of services and confidence in government in a digital age. And the public’s confidence in the ability of government to deliver took a serious blow, more so than any previous IT failure.
Even though the denial of service attacks on the night were predictable and defeatable, the decision to close off the eCensus was justified and no data were lost. The outcome could have been worse. But crucially important is the need to understand how the Census got to the point where the cyber security arrangements brought into question the trust and confidence in a fundamental government service. The public’s lack of confidence will linger. The integrity of the collection and its data are of critical value to Australia.
Looking at the issue and its impact through the cyber security lens, lessons are clear: about managing risk, about security in a digital age and about Australia’s digital future.
Crisis communications and coordination
The nature of the eCensus event, its national implications and the breadth of consequences of something going wrong were clearly underestimated in crisis planning. While the ABS and IBM had a library of incident management documents to guide them through the events of 9 August, they were impractical, poorly tested and none outlined a comprehensive cyber incident response or communications plan that could be effectively implemented.
Further, whole of government cyber security incident management arrangements did not link the affected agency with support mechanisms, leading to sub-optimal communication with Ministers and the public. Escalation thresholds were not clear, nor were obligations and coordination mechanisms across agencies.
The impacts of cyber security events are not well understood. There is not a shared understanding across government, and a well-defined lexicon does not exist. A whole of government approach to resilience is required, and regular exercising of crisis arrangements will be critical.
Security is a risky business…
The ABS’s problems on the night of 9 August stem from decisions taken well before then: decisions about partnership, procurement and project governance. Organisational culture and skills also played a part.
No system connected to the Internet can have guaranteed security. But as more government services move online, project managers will need to address security and respond to security incidents as critical business risks.
The distributed denial of service (DDoS) protections for the eCensus were inadequate, yet were called for in the ABS sole-sourced request for tender (RFT) and written into the contract with IBM. DDoS was a foreseeable threat, and more robust security planning would have led to a different outcome. Controls were not considered within a comprehensive security framework; risk assessments underestimated the consequences of security incidents, leading to insufficient focus on mitigations; and there was poor independent assessment or verification of security arrangements. ABS and IBM emphasised some areas of security – the confidentiality and integrity of data – while underinvesting in the availability of the system.
The exchanges between the ABS, the Australian Signals Directorate (ASD) and IBM also suggest a lack of clarity in capacity, roles and responsibility for cyber security across government and with contracted service providers. Agencies look to ASD for advice to provide assurance; this may lead to a false sense of confidence. ASD endeavour to provide comprehensive advice and assistance. However, ASD’s ability to provide an integrated assessment will be limited by their available resources and the time available to address the request. ASD have outstanding expertise for supporting agencies, but not the capacity to service the clear need across government. A new approach is needed for agencies to meet Australians’ expectations of a modern digital government.
Protecting Australians’ privacy
The DDoS attack against the eCensus system did not include the compromise of personal information of Australians. In fact, the ABS’s decision to shut the eCensus website on 9 August was a privacy-protective measure.
However, the closure of the website appears to have amplified existing community concerns about security and privacy in relation to the Census; concerns which originated from an ABS decision to retain names and addresses for up to four years in Census 2016, in combination with the move to ‘digital first’. There is more that the ABS can do to improve its practices, from external scrutiny to enhanced public engagement on privacy issues. All agencies can learn from the ABS’s experience.
Not just communications, but engagement…
In most respects, the ABS had a well formed and prepared communications strategy and awareness raising campaign; but it was focussed on the wrong things. The communications problem they needed to address was not a low level of awareness of the Census, but rather, the introduction of a ‘digital first’ approach and the associated barriers to participation – concerns over security and privacy.
The ABS failed to adapt its media and communications in response to the public relations storm that built up in the weeks prior to the Census regarding privacy and security in both mainstream and social media. Instead, ABS rigidly stuck to its plans, forgoing crucial opportunities to influence and drive the conversation around the Census. Processes for approval of campaigns, and changes to them, may need to be changed to promote agility.
On Census night, the ABS severely underutilised social media as a communications tool to keep the public up to date and informed of the incident. The ABS’s lack of timely and transparent communications lost it trust because it opened the door to speculation. The continued slow updates and virtual absence from the media meant that ABS struggled to win back the trust of the public in the following days. Ministers must also be supported with clear and accurate advice, and senior executives must be equipped to understand and talk about cyber security as a matter of business risk.
Procurement, contracting and governance
Procurement practices fell short. Vendor lock-in, coupled with a particularly close and trusting relationship between the ABS and its long-term supplier IBM, meant that the ABS did not seek sufficient independent verification and oversight of critical aspects of the eCensus. Documentation suggests that there was compliance – risk matrices completed, committee meetings held, minutes taken – but the security culture was not resilient and adaptable. The ABS and IBM had delivered eCensus services for the 2006 and 2011 Censuses as well, the latter with a third of the population utilising the online form. Why should 2016 be any different?
The risk appetite of the ABS was not clearly defined: harm and consequence assessment appeared underestimated – particularly associated with security risks to the eCensus – leading to unsatisfactory risk mitigation strategies.
A lesson in culture
Culture matters. And the culture of the ABS identified by the Australian Public Service Commission (APSC) Capability Review in 2013 — insular, inward looking, reactive — affected decisions and performance as the ABS planned and carried out the 2016 Census. Moreover, its reliance on past patterns to guide future strategies doesn’t work.
The prevailing culture can be identified in actions and decisions taken to prepare for the 2016 Census that date back to June 2012. Many seem innocuous, and almost all are compliant with established government practice. In many ways, the ABS is seen as an exemplar of established government practice: ticking the boxes, but not appreciating the challenges change presents. There is no doubt that the preparations for the 2016 Census occurred during a complex time for the ABS. They were without a substantive Australian Statistician for most of 2014. However, it is clear that the ABS’s culture clearly contributed to the outcomes on Census Night. The ABS’s actions since only underscores the importance of culture: it has steadfastly refused to own the issue and acknowledge responsibility for the factors leading to the events and shortcomings in the handling of events on the night.
Over the last few years the ABS has devoted energy and resources to aggressively address the cultural issues highlighted in the APSC Capability Review. The ABS must draw upon the lessons it takes from the Census experience to help guide and advocate the cultural change path it is following.
Integrity of the Census
The Census outages prevented Australians from filling in forms online for almost 43 hours. This not only precluded online responses during the outages, but also likely reduced online responses over subsequent days due to confusion about security and the status of the eCensus. Considerable catch up then followed and many more Australians than planned turned to paper forms.
58 per cent of households participated online, up from 33 per cent for the 2011 Census. But ahead of the Census, the ABS had expected that 65 per cent of households would participate online. 2016 online return rates did not reach what were expected or desired.
Short delays in response do not impact on data quality. Many more households than usual not completing the Census by the end of the data-collection period would reduce quality. The Census response rate, a critical indicator of quality, is estimated to be over 96 per cent. At this stage, it is unclear if the target rate of 96.5 per cent will be met. This target is based on the rate achieved in the 2011 Census.
A more granular assessment of Census quality will not be available until data has been processed, which will be completed by March 2017. Other indicators of data quality, such as refusals and item non-response rates, are likely to be comparable to, or better than, outcomes in the 2011 Census. Unaware of these encouraging signs, post-Census surveys of public attitudes towards the 2016 Census find that many Australians believe that the data collected is unreliable. The latest Survey found that: • 42 per cent agreed, to some extent, that this year’s Census has been a failure; and • 33 per cent agreed, to some extent, that the data collected from this year’s Census are unreliable.
For the Census to be fit-for-purpose, the users of the statistics, and the public more generally, need to see the Census as credible. This credibility is to ensure that Census statistics are used for their intended purpose and that the public continues to provide quality responses to future Censuses.
Cyber Security for Australia’s Digital Future
The ABS’s experience provides insight into agencies’ ability to operate in a digital age. Unpacking the incident, the scope is broad-ranging: issues facing the ABS included dealing with privacy issues in a dynamic technology environment, while adapting communications to new forms of online media. The ABS did not look at alternate service options, such as cloud service provision. Cloud computing can offer significant security, cost and efficiency benefits, but the ABS’s interpretation of privacy obligations of the Census and Statistics Act, and a lack of maturity in cloud service offerings at the time the contract was established, impeded take-up of cloud services which were limited to serving static content. There are likely similar barriers to cloud take up across government.
Digital awareness, including security risks and consequences, needs to be a core part of toolkits to deliver services in a modern online economy, where the needs and expectations of the community rapidly evolve. Small agencies such as the ABS are probably ill-equipped to deliver technology outcomes of scale.
The August 2015 review on ‘Learning from Failure’, by Professor Peter Shergold AC, called for more adaptive government and enhanced responsibility and accountability for program management. There are opportunities to adopt learnings from the eCensus incident in Phase Two of the government’s Digital Transformation Agenda: security must be ‘baked in’ to design and delivery. Government can develop a more ‘shared service’ consultancy approach to cyber security to boost agency capacity.
So what now…
The ABS is likely not alone. Agencies need to transform their thinking to support a truly digital engagement with Australians. And cyber security and privacy was shown to be critical to the confidence of Australians in the online services delivered by government, and therefore in government itself.
While the eCensus delivery was a single technical project, it was also a step toward the government’s future digital services agenda. And the setback the Census suffered must lead to a significant mindset shift that all agencies will need to make: digital disruption of their own service delivery.
All agencies must learn from the ABS’s experience. This report contains: • actions to improve the fundamentals supporting the transformation to secure onlinegovernment; • improvements to the ABS approach to technology risk, procurement and governance; • better practice recommendations for agencies as they make the transformation to online government.
The report features the following Summary of Recommendations
• Crisis Communications and Coordination: The Department of the Prime Minister and Cabinet should strengthen cyber security incident management arrangements across government and ensure the policy is widely circulated, well understood and regularly exercised. This includes:
o incorporating lessons learned from the eCensus incident response into the Cyber Incident Management Arrangements (CIMA);
o ensuring effective crisis incident notification and coordination arrangements across Australian Cyber Security Centre agencies and between the Australian Cyber Security Centre, the Crisis Coordination Centre and the Department of the Prime Minister and Cabinet;
o developing communications strategies, with key talking points for a range of cyber security incident scenarios; and o developing a whole-of-government ‘cyber security lexicon’ to assist with clear and consistent communication relating to cyber security issues.
• Education: The Attorney-General’s Department should develop a “Cyber Bootcamp” for senior government executives and Ministers as part of the Cyber Security Strategy Awareness program. The Bootcamp would educate participants about cyber security fundamentals and how to talk about issues with the public and be aligned to Data61’s work with the Australian Institute of Company Directors.
• Security Framework: The Australian Signals Directorate should strengthen the framework to help agencies improve the security of their networks: o update the Information Security Manual about security measures to protect the availability of online services; o in collaboration with the Digital Transformation Agency, lead a ‘sprint’ to lift agency capabilities to protect against denial of service attacks; this should provide a pilot model for future ‘sprints’ to build cyber security capacity across the Commonwealth; o develop and implement a security framework for high-risk online essential services and special events, to complement the high risk agency security framework identified in the Cyber Security Strategy; and o review its model for prioritisation and proactive engagement with agencies to provide cyber security support and develop a service catalogue of offerings to ensure clear understanding of capabilities; this may require additional resources to achieve. The Australian Signals Directorate should come back to government with a plan coordinated with the Cyber Security Special Adviser.
• Creating a Positive Risk Culture: The Department of Finance should assist agencies to actively engage with cyber security risk by developing: o guidance for managing risk in ICT and cyber security outsourcing; and o a strategy to accelerate government to improve agency understanding and uptake of secure cloud services and hasten cloud certification to PROTECTED (potentially modelled on the US FedRAMP program). This would require additional resources for the Australian Signals Directorate for accreditation services. The Australian Signals Directorate should come back to government with a plan coordinated with the Cyber Security Special Adviser.
• Embracing Adaptive Government: The Department of the Prime Minister and Cabinet’s ICT Procurement Taskforce should consider the ABS eCensus procurement process as a case study on the barriers and opportunities to delivering better ICT outcomes. This should include developing a more agile approach to market testing and contracting options, ICT procurement skills and outsourcing oversight arrangements.
• Cyber Security in a Digital First World: The Digital Transformation Agency, in partnership with the Australian Signals Directorate and the Department of Finance, should:
o develop a proposal for consideration by the Digital Transformation Committee of Cabinet to create a “cyber security shared services” digital security consulting organisation within the Digital Transformation Agency. This would ensure security is integral to all new online service delivery proposals and facilitate partnering between agencies to draw on cyber security expertise in larger agencies with more mature capabilities.
o consider how to strengthen central governance and assurance, and this ownership may no longer logically sit with ASD, given their broader portfolio of responsibilities.
o identify capable agencies and accredit them to deliver shared services for citizen-facing projects where, for higher risk online delivery programs, smaller agencies must partner with (or source their ICT project management from) an identified lead agency or through a core service such as GovCMS.
Recommendations for the Australian Bureau of Statistics
• The ABS should engage an independent security consultant for a wide-ranging examination of all aspects of their information collection and storage relating to Census data – from web application through to infrastructure and policies and procedures.
• The ABS should ensure future significant changes to personal information handling practices are subject to an independently-conducted privacy impact assessment and are supported by broad ranging consultation.
• The ABS should adopt a privacy management plan to enhance its capability to identify and manage new privacy issues.
• The ABS should assess and enhance existing ABS privacy training for staff.
• The ABS should develop a specific strategy to remove the current state of vendor lock-in. • The ABS should strengthen its approach to outsourced ICT supplier performance management to ensure greater oversight and accountability.
• The ABS should draw upon the lessons it takes from the Census experience to help to guide and to advocate for the cultural change path it is following.
• The ABS’s decision in August to assemble an independent panel to provide assurance and transparency of Census quality is supported and the resulting report should be made public.
• The ABS should implement a targeted communication strategy to address public perceptions about Census data quality. The ABS should report monthly to their Minister outlining progress against the above recommendations.
Better Practice Guidance for Agencies:
• Agencies should review their approach to cyber security incident response planning and coordination and exercising of those plans with stakeholders.
• Agencies should ensure independent security assessments are conducted on critical ICT deliverables.
• Agencies should test security measures and monitoring systems for online government services under foreseeable adverse conditions, including under attack conditions.
• Agencies should be conscious of updated interpretations of governing legislation to addressing the changing technological environment. Agencies should review their oversight and assurance arrangements for outsourced cyber security services.
• The Office of the Australian Information Commissioner has recommended the government develop an APS-wide Privacy Code in collaboration with the Office. The Code should address privacy and security risks by requiring all agencies to:
o have an up-to-date privacy management plan
o appoint dedicated privacy contact officers
o appoint ‘Privacy Champions’
o undertake written Privacy Impact Assessments where relevant, and
(13,500 litres of glue but alas, no data on the amount of coffee consumed or Red Bull purchased by coders.)o take steps to enhance internal privacy capability.