ABS quietly drops Census data security claim

The Australian Bureau of Statistics' claim that a security audit had rated their systems in the 'Cyber Secure Zone' has disappeared from their website.

Information security is all about getting the details right, but it seems that the Australian Bureau of Statistics (ABS) got one key detail wrong when reassuring citizens that their Census data would be kept safe.

The ABS claimed, on the web page Data Integration Frequently Asked Questions, that in 2014 the Australian National Audit Office (ANAO) had rated the bureau as "being in a Cyber Secure Zone (having high-level protection from external attacks and internal breaches and disclosure of information)."

Except it didn't.

The report in question is ANAO's Cyber Attacks: Securing Agencies' ICT Systems. It found that the ABS had not yet reached full compliance with the Australian Signals Directorate (ASD) Top Four Mitigations against targeted attacks. That means no "Cyber Secure Zone" rating.

ANAO Secure Zones

Agency Compliance Grade: summary assessment of agencies' compliance with top four mandatory strategies and related controls, and overall ICT security posture.

Image: ANAO

The ABS had sufficient internal controls, however, to score a spot in the "Internally Secure Zone".

The same was true, incidentally, for the other six agencies audited: Customs, Australian Financial Security Authority (AFSA), Australian Taxation Office (ATO), Department of Foreign Affairs and Trade (DFAT), Department of Human Services (DHS), and IP Australia.

So where has this "Cyber Secure Zone" rating come from?

We put that question to the ANAO.

"The selected auditees had not achieved compliance with the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM)," an ANAO spokesperson told ZDNet on Tuesday.

"The ANAO has not conducted a follow-up audit on the ABS since 2014; therefore I cannot validate your statement in your ZDNet article that the bureau now claims that it's rated in the 'Cyber Secure Zone'."

Oh dear.

ZDNet forwarded ANAO's response to the ABS on Tuesday, seeking clarification. While the ABS has acknowledged receiving our request, we have yet to receive a response.

But some time on Wednesday or Thursday, all mention of the "Cyber Secure Zone" was removed from that ABS web page.

The ABS may not have an ANAO "Cyber Secure Zone" audit rating, but the involvement of the ASD in securing its systems should be reassuring -- even if the ABS also uses the ASD's old name on that page, the Defence Signals Directorate (DSD). Another detail that needs attention.

But with the Census now being described in some quarters as lifelong surveillance, ASD involvement has also helped fuel the conspiracy theories. It's fair to say this is Australia's most controversial census ever.

The prime minister is unfazed by all this. On Friday, Malcolm Turnbull told Melbourne Radio 3AW host Neil Mitchell that he'll be filling out his Census form online.

NEIL MITCHELL: You reckon it will work?

PRIME MINISTER: Yes. Well I'm -- we're certainly advised so by the census. I thought Mr Kalisch [David W Kalisch, Australian Statistician] gave a good explanation for it and defended his decision and the approach well. It is important that we move to -- we use electronic platforms more for government work. The reality is that most of us do much of our -- much if not most of our commercial transactions online nowadays. So it is a digital world.

Yes, we should do things online because it's a digital world. But wait. It's a digital world because we do things online. Isn't that circular reasoning?

Thank you, prime minister.
