Minister's myGov DDoS attack claim ruled out once and for all

Services Australia has distanced itself from government services minister Stuart Robert’s incorrect claim of a “significant distributed-denial-of-service attack” against myGov last month.

Rebecca Skinner

Robert made the claim, which he quickly walked back in Parliament, after the online government services portal crashed in the wake of coronavirus lockdown measures were introduced in March.

He had previously admitted to jumping the gun, choosing not to wait for the outcome of the  investigation before blaming the masive traffic surge on a cyber attack.

Speaking at a senate inquiry into COVID-19 on Thursday, Services Australia chief Rebecca Skinner said the agency had never “categorically” advised the minister of such an attack.

She said that while DDoS alarms had sounded when thousands of people thrown out of work had tried to access the portal, there had been no advice about a hacking attempt before the claim.

“Services Australia advised the minister that the denial-of-service alarms had gone off on the network, and that we were in an environment where DoS may have been expected,” she said.

“The alarms on our network had gone off ... because of the extreme demand on the system, and we had to do an investigation.”

She said this was the same approach the agency would take “everytime the DoS alarms went off”, and would involve “engag[ing] the Australian Cyber Security Centre”.

Under questioning from Labor senator Murray Watt, Skinner also said that while the agency had prepared for increased demand, it did not predict the spike in demand that eventuated.

“Decisions were taken to enhance the performance and ability for platforms like myGov to support the influx of people,” she said.

Robert has previously said that myGov capacity had increased from an average of 6000 concurrent users before the meltdown to 55,000 users in preparation for the surge in traffic.

The platform’s capacity has since climbed to 300,000 concurrent users from 150,000 users, as the number of Australians out of work continues to climb in the wake of COVID-19.

But she also defended the agency’s handling of the situation, saying that it would not have been feasible to stand up an entirely new platform for a once-off event.

“You wouldn’t design a computer system to cope with three million logins at one time when the business as usual proposition is about 90,000,” she said.

“The cost of building a system that could cope with that one day wouldn’t be a balance of investment.

“What we do know is that we probably needed to ramp up quickly, which we did - by the end of that week the myGov platform was substantially more stable and able to cope with the larger numbers of logins.

“[But] it would not have been an appropriate investment to build a system to cope with one or two days of absolute unforeseen demand in an event that has never occurred before.”