The ABS has been blasted for its long-term reliance on IBM for IT outsourcing, with a review suggesting its trust in the vendor is misplaced and that the “cosy partnership” should be forcibly broken.
The Prime Minister’s special advisor on cyber security Alastair MacGibbon savaged ABS in a long-awaited review of the eCensus disaster.
He said the ABS continually cited “tight timelines and dependency on current solutions” as reasons to keep using IBM, even on projects like the Census which it knew occurred at regular intervals.
He called the relationship between ABS and IBM “a cosy partnership”, and recommended the ABS “develop a specific strategy to remove the current state of vendor lock-in.”
The review criticised the use of “select” and “limited” tenders, which limited market testing and kept IBM firmly entrenched.
It said the ABS relied solely on pricing information provided by IBM for both the 2011 and 2016 eCensus solutions, weakening “the rigour of … value for money assessments”.
In addition, the ABS was blinded by its trust in IBM, the review found.
“The ABS had established a strong trust partnership with IBM,” the review said.
“As a result, the ABS became reliant and dependent on IBM. The ABS did not have an effective means of monitoring and assessing IBM as an outsourced service provider…
“IBM’s assurances were taken at face value: if IBM said in an email that DDoS protections worked, the ABS took comfort.
“The ABS provided minimal challenging or inspection, and did not use third parties to test and verify that DDoS protections were actually in place or effective.”
Cost may also have played a part.
MacGibbon noted IBM’s eCensus contracts were worth $9.6 million out of a total Census spend of $471 million.
“Certainly the sum was small to IBM,” he said, though he did not consider it the most important issue at stake.
The trust between the ABS and IBM was exposed as things fell apart on Census night.
Nowhere was this clearer than in the disjointed approach to escalating the issues.
IBM “requested investigative support from the ASD [Australian Signals Directorate] when ASD was already engaged with the ABS”, the review found.
Then, later in the evening, “IBM contacted the Australian Federal Police (AFP) for assistance. AFP in turn contacted Australia’s Computer Emergency Response Team (CERT Australia), who contacted ASD.”
While the incident response plan specified that “all engagement with third parties be handled by the ABS”, there was a clear lack of awareness of this between the parties, the review found.
In addition, the Census failure exposed several instances where the ABS misinterpreted both assurances and legislation.
This included asking the ASD to provide resources to assist ABS and IBM to find the source of anomalous outbound traffic on the eCensus system – which turned out to be a false positive.
As the ASD was not across the intricacies of the system, its staff “would be of minimal use”, the review concluded.
The ASD was also asked on Census night to send staff to IBM’s Baulkham Hills facility “where the eCensus was hosted”.
The review found the ABS had misunderstood “the level of support ASD could realistically provide”, owing to its interpretation of ASD advice.
Another costly misinterpretation saw the ABS forgo ISP-level DDoS mitigation services, for which it has faced strong criticism from the industry and its ISP partners.
“It is the understanding of the review that the ABS initially applied a 2011 interpretation of the Census and Statistics Act 1905 to the 2016 eCensus system,” the review said.
“This interpretation required that only ABS staff should be able to access encrypted or unencrypted respondent data.
“This requirement may have prevented consideration of commercial DDoS mitigation services. Using a commercial service would require encrypted – or in some cases, unencrypted – respondent data to be analysed by a service provider and judged non-malicious.”
“It is likely the legislative interpretation constrained procurement options for DDoS mitigation.
“The ABS disputes this conclusion.”
However, the review pins ultimate responsibility for DDoS mitigation on IBM.
While noting IBM “may dispute some details” of the alleged failures, the review found that IBM still bore contractual responsibility for DDoS mitigation, and that there was “no indication of any step taken by the ABS to release or waive IBM from its responsibilities relating to DDoS”.
IBM is presently trying to settle with the government over the failure.
The review calls for some soul-searching across a number of departments and agencies on how future cybersecurity incidents are handled and mitigated, and how staff are trained to deal with them.
Small business minister Michael McCormack today revealed the government had reached a confidential settlement with IBM, but did not disclose details.