The Prime Minister’s top cyber security adviser, Alastair MacGibbon, says IBM and the Australian Bureau of Statistics should never have relied on geoblocking to defend the 2016 Census against DDoS attacks.
“Relying solely on it was clearly a failure,” he said. “There are certainly better alternatives than geoblocking.”
MacGibbon today appeared before the Senate committee investigating what went wrong on 9 August after the website set up to collect electronic Census responses was taken out by a series of DDoS attacks, and then kept offline by a confluence of back-office failures that followed.
He told the committee the four DDoS attacks against the Census website were “eminently small” and “should not have degraded the system”.
The measured attacks registered at about 3Gbps, he said, barely worth a mention compared to the 100Gbps attacks companies face every day, and certainly not in the same category as the reported 620Gbps of traffic directed at journalist Brian Krebs’ website in September this year.
The former cyber cop submitted his official review into what went wrong on Census night to the Prime Minister on 14 October.
“This was a failure to deliver on the contractual obligations IBM had, and a failure by the ABS to check that the contract had been properly delivered,” he said.
In earlier hearings, the committee was told that a single router not properly configured for IBM’s “Island Australia” geoblocking mechanism was the first thread to come undone, as traffic continued to be routed through Singapore and overwhelm IBM’s servers.
MacGibbon blamed IBM for not properly checking that upstream providers Nextgen and Vocus had fully implemented the geoblocking protocol, but also for putting all its eggs in one basket.
“I would see it as part of a series of protections,” he said.
“Had Island Australia worked properly it may have protected the site. But there are other DDoS mitigations that can be acquired from ISPs and it is my understanding that they were not acquired.”
At the same time, the adviser acknowledged that the bureau should have asked more questions of IBM.
MacGibbon suspects some of the complacency in protections might be traced back to an element of vendor lock-in between the ABS and the partner it has used since the 2006 Census.
The bureau decided to bypass an open approach to market during preparations for Census 2016 and to deal directly with IBM, a decision over which senators grilled the agency.
MacGibbon also dispelled theories that there never was a DDoS attack on the Census website, and it simply crumpled under unexpected Census night load.
“The load from legitimate eCensus respondents was almost exactly as plotted by ABS officials,” he said.
“I can tell you there were four DDoS attacks … I suspect that these attacks didn’t show up [on DDoS tracking websites] because they were so small.”