Other alternatives were considered and rejected as part of that architectural decision, including the alternative of primarily using cloud infrastructure. Still burdened with the characteristics and cultural traits that it is now working hard to change (insular, not forward-looking, deficient risk management), the ABS locked itself in with a trusted partner.
Together the ABS and IBM were now committed to basing the 2016 online Census form on a solution that had its origins in 2006. The ABS had, in effect, denied itself the opportunity to leverage conditions and capabilities that were changing rapidly over the decade.
As can be seen from above, MacGibbon believed key decisions by the CIO/CISO were critical to the e-Census outcome experienced by ABS. It also appears that key decisions around issues related to security and project delivery were not given sufficient critical thought in the early procurement phases of the project.
During a presentation on December 13 last year to the Institute of Public Administration, Australian Statistician David W Kalisch said the ABS had a “misplaced sense of confidence, indeed complacency about the e-Census, its security.”
“We worried about the element that we knew would change: the increase in the number of users. We didn’t adequately test and review the things that we thought would not change – particularly the DDoS security.
“A more thorough, independent review of the DDoS defences would have identified a key weakness in the architecture – a reliance on a single layer of protection called ‘Island Australia’,” Kalisch said.
Kalisch continued: “On the surface, we had a regime for risk management in place – the risk of DDoS was identified, the impact of a successful attack was assessed as extreme and we considered an attack to be likely.
“A set of risk mitigations was documented and the Census board was given a report indicating that the residual risk was acceptable. However, the mitigations were not adequate.
“More independent assurance was needed but we also need to foster a culture that sees active risk management as an integral and valuable component of our approach, beyond the form filling and administrative compliance.”
Again, it appears that the lack of segregation offered by the combined CIO/CISO role had a big impact on e-Census cyber security outcomes.
Interestingly, the Senate committee report ‘2016 Census: issues of trust’ recommended that the ABS take a more proactive role in validating the resilience of the e-Census application for the 2021 Census.
During his presentation, Kalisch also made a simple but very clear statement: “Key lesson here: you cannot outsource risk.”
If the ABS is going to address these requirements, it cannot simply do the same thing again and keep the roles of CIO and CISO combined.