Census 2016: Government must set the right example

This week, the Australian Bureau of Statistics (ABS) became the object of intense focus but it was for all the wrong reasons.
Written by Rachael Falk, Contributor

Tuesday was due to be the day when millions of Australians completed the eCensus. ABS decided years ago to make this the first time that a majority of Australians would be encouraged to complete the Census online.

While there were whispers of some sort of folksy narrative around filling out the census being a "great Australian thing to do", that narrative, if it did ever exist, certainly died under the din of other pressing issues for Australians.

And those pressing issues had been brewing for a while.

Just like when a plane crashes, it is usually the result of a series of failures or missed opportunities to rectify a fault or vulnerability. The negative public sentiment that bubbled up, and some might say over, towards government had been brewing for a long time. And it was the apparent failure by many involved to read and anticipate the consequences of those pressing issues that contributed to making Census night and the following days unnecessarily confusing.

Let us step back in time to July 2012, when the Attorney General's Department released a Discussion Paper (DP), Equipping Australia against Emerging and Evolving Threats (PDF).

Quietly tucked away in Chapter One of that DP was a sub-paragraph with the innocuous heading of "Modernising the Industry assistance framework" and three lines about "tailored data retention periods for up to 2 years for parts of a data set".

It was not even clear what that initially meant but the two words "data" and "retention" were pretty clear. With that sleepy sub-paragraph tucked away in the DP, a privacy/cyber security genie had been unbottled.

Little did the Attorney General's Department and government realise that many Australians weren't so laid back about government and a range of agencies having access to their communications metadata. There was a Parliamentary Joint Committee on Intelligence and Security hearing -- which I attended as part of Telstra's appearance before the Committee -- and many government and non-government agencies were asked to justify their desire to have access to this data.

When the metadata issue cropped up again in 2015, the case for it had taken on a decidedly national security flavour, and it was clear that many people were not comfortable with the notion of their communications metadata being stored for a period of time.

The privacy and security debate got back into top gear around the collection and storage of eCensus data recently, as it was becoming apparent that the ABS were relatively silent on the issue of cyber security controls.

On 1 August, we were being assured by ABS via Twitter that our data "is always safe and secure" with them. In fact, do we know if they were compliant with all of the Australian Signals Directorate Top 4 Mitigation Strategies?

So, with the failure to appreciate the public sentiment about giving over data electronically, which now included retention of names for a longer period of time, and the ABS' failure to allay security concerns, we now turn to the morning after.

Many people had experienced cyber frustration in the form of being unable to access the ABS website. However, we all woke up the next morning to the ABS telling us that they had taken the website offline because it had been the subject of a denial of service "attack".

Unfortunately, instead of being open and admitting that they were not entirely sure about what had occurred, that they were simply concerned about the integrity of the website, or that they were not prepared for DDoS, the ABS came out with inconsistent statements and explanations.

Then there was a series of public statements where the words attack or hack kept on being used in contexts that were not right. To outsiders, these inconsistent statements were confusing and created further concern for an already skittish public.

It does beg the question of who was in the ABS/IBM Operations Centre that evening and how carefully their data was reviewed before any public statements were made about any sort of disruption or impact to their servers.

When David Kalisch, the ABS Chief Statistician, was interviewed by the ABC on 12 August, his statements were still confusing, particularly when there were whispers in other parts of the cyber security world that suggested the ABS had declined DDoS protection -- which Kalisch said he was not aware of. The understanding of what caused the issue on Tuesday night still remained the same, but this time there was a confluence of events coupled with a DDoS "attack"; there were some "monitoring issues" and some "data issues" but, again, he denied they had misunderstood the data.

Given that public sentiment was already low in relation to privacy and security, more effort needed to be made to allay those concerns and be transparent about what security controls were in place and the reasons for capturing and retaining such sensitive data.

While it is absolutely correct to say that most of our lives and valuable data are already stored by government departments and businesses online, it is the aggregation of large amounts of personally identifiable information that will always remain a pot of gold for any cyber criminal or nation state.

People are now waking up to this risk and while they may happily share with Facebook or Google and unwittingly share with a range of other app providers, government and government agencies are always held to a higher standard.

Tuesday night was the culmination of poor reading of the public sentiment in relation to how many people were concerned about privacy and security.

Any organisation and government seeking to collect, store, share and use valuable data should be prepared to explain, in plain English, what they are doing to keep that valuable data safe, who has access to it, where it will be stored, who is protecting it and how well it is protected. Government wants to build a cyber smart nation so that "Australians have the cyber security skills and knowledge to thrive in the digital age".

It isn't just cyber awareness that begins with government -- it is leadership and setting the example.

