IBM Australia boss Kerry Purcell has confirmed he is in talks with the Commonwealth Treasury over a “commercial settlement” to address the failure of the 2016 eCensus in August.
Purcell and his colleagues faced the Senate’s economics references committee in Canberra today to explain why IBM was not able to cope with a series of DDoS attacks on its electronic Census infrastructure, which ultimately put the survey out of action for days.
He said he is currently in commercial-in-confidence talks with Treasury secretary John Fraser to resolve the issue from a financial perspective.
“We're head contractor and take full responsibility for our role,” Purcell told the assembled parliamentarians today.
“We have reached out to the Australian government to seek to resolve the additional costs incurred as part of the Census.”
Purcell did not specify whether the settlement would involve extra payments from IBM to the government as compensation for the technical troubles, or payments from the government for extra work incurred to IBM.
He said he made contact with Fraser directly after the eCensus closed on 25 September, and the talks are “ongoing”.
“We are working constructively through it. We will hopefully achieve some kind of outcome in the near future,” he said.
IBM will no doubt hope to avoid a repeat of the public legal spat it was dragged into by the Queensland government between 2013 and 2016 by tying the matter up behind closed doors.
On behalf of the company Purcell said he “unreservedly” apologised to the Australian public and the Commonwealth government.
Responsibility hot potato continues
Despite Purcell's contrition, however, IBM witnesses at the hearing continued to turn the spotlight towards Vocus and Nextgen as the original source of the DDoS mitigation failure that set the Census night drama in motion.
IBM told the committee that the “primary root cause” of the geoblocking mitigation failing was an upstream Vocus router in Singapore. Because that router was not applying the block, overseas DDoS traffic was still streaming through to the Census website, despite assurances from partner Nextgen that the “Island Australia” geoblocking mechanism had been properly configured.
IBM maintained that if this upstream infrastructure wasn’t exposed, the domino-like sequence of events that followed would never have happened.
“In short, geoblocking protocols were not properly applied by one of the ISPs and this occurred … after we received repeated assurances they were properly put in place,” Purcell said.
Big Blue did admit, however, that it had misread traffic metrics, and that this misreading led it to take the website down in the belief that attackers were trying to exfiltrate data.
IBM engineer Michael Shallcross said one of the flow-on consequences of IBM’s routers being overwhelmed by the attack was that it sent their traffic monitoring dashboard haywire.
Usually, he said, measurement data is sent from the routers at regular one-minute intervals, but during the attacks these updates could be delayed by several minutes, which meant traffic measurements were “artificially inflated” by the backlog, giving the “appearance of outgoing traffic”.
Based on these dubious readings, the ABS decided to take down the site as a precaution to prevent any data loss.
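The artefact Shallcross describes is easy to reproduce. The following is an added illustration written for this article; it is not IBM's or the ABS's monitoring code, and it assumes a simple model in which a router exports an outbound byte counter for each one-minute window and the collector may receive those exports late. The timestamps and byte counts are constructed, and outbound volume is held flat so that any apparent spike comes purely from delayed delivery.

```python
from dataclasses import dataclass
from typing import List, Optional

INTERVAL = 60  # seconds per export window (the one-minute cadence from the hearing)


@dataclass(frozen=True)
class FlowExport:
    window_start: int  # start of the window the counters cover (seconds)
    received_at: int   # when the collector actually received the record (seconds)
    bytes_out: int     # outbound bytes the router counted in that window


# Constructed sample. On time, the record for a window arrives when the window
# ends. Under load the exports for the windows starting at 60, 120 and 180 are
# delayed and land in a burst at t=300, alongside the on-time record for 240.
# Real outbound volume is a flat 6 MB per minute (100,000 B/s) throughout.
STEADY = 6_000_000
SAMPLE: List[FlowExport] = [
    FlowExport(0, 60, STEADY),     # on time
    FlowExport(60, 300, STEADY),   # late by 180 s
    FlowExport(120, 300, STEADY),  # late by 120 s
    FlowExport(180, 300, STEADY),  # late by 60 s
    FlowExport(240, 300, STEADY),  # on time
]


def naive_rate(exports: List[FlowExport], now: int) -> float:
    """Rate as a dashboard computes it when it sums whatever *arrived* in the
    last interval and divides by the interval. A backlog arriving at once is
    indistinguishable from a burst of outbound traffic."""
    recent = [e for e in exports if now - INTERVAL < e.received_at <= now]
    return sum(e.bytes_out for e in recent) / INTERVAL


def attributed_rate(exports: List[FlowExport], now: int) -> Optional[float]:
    """Rate for the window ending at `now`, attributing each record to the
    window it measured rather than to its arrival time. Returns None when the
    record has not arrived yet, so a gap is reported as missing data rather
    than as zero traffic."""
    known = [e for e in exports if e.received_at <= now]
    window = [e for e in known if e.window_start == now - INTERVAL]
    if not window:
        return None
    return sum(e.bytes_out for e in window) / INTERVAL


def export_lag(exports: List[FlowExport], now: int) -> int:
    """Largest delay, in seconds, between when a record should have arrived
    (end of its window) and when it did, over everything received by `now`.
    A dashboard can use this to mark its numbers as stale instead of acting
    on them."""
    known = [e for e in exports if e.received_at <= now]
    return max((e.received_at - (e.window_start + INTERVAL) for e in known), default=0)


if __name__ == "__main__":
    for t in (60, 120, 180, 240, 300):
        print(f"t={t:3d}  naive={naive_rate(SAMPLE, t):>9.0f} B/s  "
              f"attributed={attributed_rate(SAMPLE, t)}  lag={export_lag(SAMPLE, t)} s")
```

At t=300 the naive computation reports four minutes of counters in one, four times the true rate, while the windows before it read as zero. Attributing each record to its own window keeps the rate flat, and the lag figure makes it obvious that the collector is running minutes behind and should not be trusted for a take-down decision.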
IBM repeated its insistence that no private information was leaked in the attack.
Shallcross also countered Nextgen's claim that IBM had knocked back superior DDoS mitigation techniques suggested by the telco.
He said the Nextgen option required a training lead-in period that was longer than the Census team could afford within its time constraints, that there was a risk the Nextgen solution would mistake Census submission peaks for a DDoS attack, and that the specifics of the solution threatened to interfere with IBM’s load balancing mechanism.
The hearings continue.