There were certainly better alternatives than IBM's Island Australia geoblocking plan to mitigate DDoS attacks, Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon has told the Senate Economics References Committee investigating the 2016 Census.
"On face value, that might seem logical because the Census was only for Australians," MacGibbon said. "There were some technical problems in that some Australians with Australian-based ISPs will also route in from overseas ... in fact, the password reset facility that IBM used, actually relied upon traffic coming in from overseas to give Australians that password."
"So there was a fundamental failure in the logic of an Island Australia."
MacGibbon said he could see geoblocking forming part of a layered set of protections, but relying on it alone was a failure, and the biggest failure was not adequately testing whether the plan would work.
The Special Adviser to the Prime Minister on Cyber Security said the fourth DDoS attack that resulted in the Census site being taken offline was around the 3Gbps mark, similar to the first DDoS experienced by the site as detailed by IBM earlier in the day.
During its testimony, IBM said the false-positive data exfiltration event that led to the site being pulled was the result of one of the DDoS attacks causing the packets carrying its load-measurement data to arrive at its dashboard systems intermittently. Because the dashboard expected a reading every minute, when a batch of delayed packets arrived together it summed them and displayed what looked like an outbound traffic spike within a single minute, rather than normal traffic spread over several minutes.
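The aggregation error IBM describes can be reproduced with a few constructed readings. This is an added illustration, not IBM's dashboard code or anything from the article: readings carry the minute they were measured and the minute they reached the dashboard, and delayed readings are bucketed either by arrival time (the spurious spike) or by origin time (the corrected view); the sample values and the 2x baseline alert threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample readings: (origin_minute, arrival_minute, outbound_mb).
# One reading is produced per minute at the edge; congestion from the DDoS
# delays minutes 2-5, which all reach the dashboard during minute 5.
SAMPLES: List[Tuple[int, int, float]] = [
    (0, 0, 40.0),
    (1, 1, 42.0),
    (2, 5, 41.0),  # delayed in transit
    (3, 5, 39.0),  # delayed in transit
    (4, 5, 43.0),  # delayed in transit
    (5, 5, 40.0),
    (6, 6, 41.0),
]


def bucket_by_arrival(samples: List[Tuple[int, int, float]]) -> Dict[int, float]:
    """Naive dashboard: credit each reading to the minute it was received."""
    totals: Dict[int, float] = defaultdict(float)
    for _origin, arrival, mb in samples:
        totals[arrival] += mb
    return dict(totals)


def bucket_by_origin(samples: List[Tuple[int, int, float]]) -> Dict[int, float]:
    """Corrected dashboard: credit each reading to the minute it was measured."""
    totals: Dict[int, float] = defaultdict(float)
    for origin, _arrival, mb in samples:
        totals[origin] += mb
    return dict(totals)


def spike_minutes(series: Dict[int, float], baseline: float, factor: float = 2.0) -> List[int]:
    """Minutes whose total exceeds factor * baseline: what an exfiltration alert would fire on."""
    return sorted(m for m, v in series.items() if v > factor * baseline)


def missing_minutes(series: Dict[int, float], start: int, end: int) -> List[int]:
    """Minutes with no reading at all; a gap here is the tell that data is late, not that traffic spiked."""
    return [m for m in range(start, end + 1) if m not in series]


if __name__ == "__main__":
    naive = bucket_by_arrival(SAMPLES)
    fixed = bucket_by_origin(SAMPLES)
    print("arrival-time view :", naive, "spikes:", spike_minutes(naive, 40.0))
    print("origin-time view  :", fixed, "spikes:", spike_minutes(fixed, 40.0))
    print("gaps before spike :", missing_minutes(naive, 0, 6))
```

The arrival-time view shows minute 5 at 163 MB (four minutes summed) and three empty minutes before it; the origin-time view shows the same readings as a flat line.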
IBM Australia and New Zealand managing director Kerry Purcell told the committee on Tuesday that the company has not sacked, nor disciplined, any of its staff over the Census debacle.
"Directly related to the Census, the answer is no," he said.
MacGibbon said later in the day that the "eminently small" 3Gbps attacks should have been handled, noting that DNS provider Dyn had faced attacks over the weekend in the order of 1000Gbps, and stressed that the DDoS attacks did happen and were not the result of Australians flocking to the website to complete their Census forms.
IBM was not the only target for MacGibbon's ire, with the Australian Bureau of Statistics (ABS) also in line for criticism.
"This was a failure to deliver on the contractual obligations that IBM had," he said. "There was a failure on the part of ABS to sufficiently check that the contract had been delivered."
"We can't determine who was right and who was wrong. As the customer, the Commonwealth of Australia was not well served."
MacGibbon said if ABS had checked the work that IBM had completed, it may have discovered the hole in the Island Australia plan.
"I do believe there was a degree of vendor lock-in ... they were seen as the natural choice," he said.
The Special Adviser to the Prime Minister on Cyber Security has handed his report on what happened on Census night to Prime Minister Malcolm Turnbull, but it has not yet been released.
In the aftermath of Census night, Turnbull said he was angry that the site fell to an "entirely predictable" denial-of-service attack, and that heads would roll.