Over 50 commonwealth sites pulled for maintenance on one 2017 weekend without interim solution

An inquiry into the digital delivery of government services has heard the Australian government pulled 54 websites down for an entire weekend, without providing a duplicate or interim website for citizens.

Facing the Finance and Public Administration References Committee on Wednesday was Ian Brightwell, who was previously CIO of the New South Wales Electoral Commission for 17 years.

Brightwell, appearing in a private capacity to the inquiry, believes poor IT governance is to blame for status of the government's technology-based service delivery.

"On the 6th of May 2017, 54 commonwealth government websites were taken down for maintenance for a whole weekend," he said.

"It seems the agencies responsible for these websites did not see fit to take such precautions and took the ABN Lookup and 53 other sites offline for two days.

Also read: Digital transformation: A CXO's guide (TechRepublic)

"This is not something Facebook would do, so why would the government agencies do it if the government has standard to encourage everyone to use digital services?"

When asked by the committee if maintaining websites to potentially prevent situations like the Department of Immigration and Border Protection publishing information of nearly 10,000 asylum seekers would be in the best interests of everyone involved, Brightwell explained that maintenance and pulling down websites aren't synonymous.

"Don't equate maintenance with taking down websites," Brightwell said in response. "Websites like this, normal practice, acceptable practice ... [at the electoral commission] we had hot sites -- if one went down, the other one was there and up within a minute or two -- this should be normal practice."

He said the secondary websites should be hosted elsewhere, so if for example Sydney goes down, Melbourne can take over straight away.

"If you don't have that, you're not doing the job right ... you're running that on a secure cloud somewhere and you replicate it because you take your virtual machines and then you just drop them there overnight," he added.

"This is normal stuff and what horrified me about that was the fact they had nothing -- they took it down just for maintenance -- they should be switching to the hot site, maintaining the production ... there should be no outages like that, you don't have it with Facebook, you don't have it with Google, you don't have it with most organisations because they actually manage for failure -- they apparently didn't for these 54 sites.

"They didn't manage with the idea that failure was going to occur on their websites."

Brightwell said such services should be online 24/7, but said there isn't even a digital service standard, nor any suggestion of what is a suitable uptime for digital services used by citizens.

On August 9, 2016, the Australian Bureau of Statistics (ABS) experienced a series of denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens unable to complete their online submissions.

The Census was run on on-premises infrastructure procured from tech giant IBM.

The ABS previously said that IBM failed to adequately address the risk posed to the Census systems it was under contract to provide, and that IBM should have been able to handle the DDoS attack.

According to Brightwell, in the case of the ABS, underqualified staff were forced to make decisions about things that they have no idea about.

"And sometimes they guess right, sometimes they guess wrong," he said.

"People in the ABS knew that Island Australia as a DDoS strategy was hopeless, somehow the senior management at the ABS did not know that. Service providers even advised the ABS that it was an inadequate strategy and even offered alternatives. Senior management did not recognise nor acknowledge that -- this is not unusual.

"The people given management roles don't have the relevant background but they're at the right level so it's seen as an appropriate job.

"That person [who] was two levels down was attributed with making certain decisions which were critical, that wasn't at the executive level where those decisions were being approved."

He said brain surgery isn't performed by an intern, after all.

In order to fix this dilemma the Australian public service finds itself with, Brightwell said departments need to keep the role of the CIO and the CISO separate.

"The ABS, after their failure, made a position still available as CIO/CISO and the AEC has done exactly the same thing -- that is bad practice, very bad practice," he told the committee.

"They should be separating the CISO, putting them under a separate report, through to the CEO through another depsec, but they should not be one and the same."

RELATED COVERAGE

• ATO spent AU$333m on employment outsourcing during year of outages
• IBM lambasted by ABS for failing to handle Census DDoS
• Four years ago no one would know if we had an outage: ATO
• How the ABS prepared for the same-sex marriage survey using the public cloud
• Australia's Department of Home Affairs focused on untangling its data problem
• ATO called out for not tracking costs in digital transformation program
• Government's dumb data disasters demonstrate decaying diligence
• AEC 'satisfied' with security risks absorbed ahead of the 2016 election
• Australian Electoral Commission battens down the cyber hatches
• Australian Home Affairs thinks its IT is safe because it has a cybermoat
• Electoral Commission exploring how technology can simplify voting process