The Australian Bureau of Statistics has blamed its Census IT partner IBM for the technology failures that took down the online national survey on August 9.
In a submission to the senate economics committee examining what went wrong on Census night 2016, published late last week, the ABS claimed IBM had not "adequately addressed" the risks of distributed denial of service (DDoS) attacks.
The statistics body said the company had “failed to properly implement” a geoblocking service called Island Australia that would have halted international traffic targeted at the Census website by a series of DDoS attacks on 9 August.
“The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system,” the agency wrote.
On Census night the ABS said it had been forced to take the website offline to mitigate four DDoS attacks from overseas. The failure of its network geoblocking function and the collapse of a router had also compounded its problems, the agency said at the time.
Its explanation of the Census technical problems has been questioned by IT experts, who claim the issues more likely stemmed from problems with the agency's architecture and security provisions than external attack.
In its submission, the agency said the wheels began falling off after a fourth DDoS, when IBM began to face issues with border routers it was operating and unsuccessfully attempted to reboot its systems.
This final attack prompted the ABS to take the survey offline to protect the data it had already collected.
IBM was contracted to host the online Census in 2014 following a limited tender process that saw only Big Blue invited to respond due to time constraints.
Market consultants had surveyed the industry offerings and concluded that IBM should be picked because of its track record hosting previous online Censuses, and the “inherent risks in working with any new organisation”.
In a section marked as confidential by the ABS - but released anyway by the senate economics committee - the bureau revealed its contract with IBM demanded 98 percent availability and fault resolution times of less than 30 minutes on Census night.
The submission has since been removed from the committee website, but was published online by security consultant Justin Warren.
The bureau said IBM’s pitch had promised “measures to ensure that it would be ‘highly resistant to web application security attacks’, including DDoS attacks”.
“The ABS did not independently test the DDoS protections that IBM was contracted to put in place, as it considered that it had received reasonable assurances from IBM,” the agency said.
The statistics agency has brushed off any suggestion that the outage had damaged the public’s faith in the Census, claiming a 94 percent response rate at the time the submission was handed in.