The Australian Bureau of Statistics was unprepared for the “simple” and “obvious” cyber attack that apparently shut down the Census, an internet security expert has said.
On Tuesday evening, the Census website crashed thanks to repeated “Denial of Service” (DoS) attacks, according to the ABS. A DoS attack is designed to make a network unusable by flooding it with millions of fake users.
At 7:45pm – as millions of Australians went online to complete their Census – the ABS chose to shut down the system, for fear of further DoS attacks.
The site remained offline all Wednesday and an update posted at 9.15pm was pessimistic about its chances of getting up and running that day.
“We continue to work with Australian Signals Directorate and our providers to get our secure online Census form back up as soon as possible,” the ABS said in a statement. “A further update will be provided tomorrow [Thursday].”
While at least one cyber expert wondered whether Chinese citizens, unhappy about the Mack Horton vs Sun Yang drugs saga, might have played a role in the attack, others questioned whether a DoS attack caused the online Census to shut down.
Online security researcher Dr Mike Johnstone wrote in Computerworld that it was more likely the failure was caused by too many Australians logging on to do their Census at once, rather than a DoS attack.
He conceded it may have been possible that a combination of a DoS attack and the system buckling under the weight of traffic caused the website shutdown.
But Dr Johnstone concluded: “If it’s probable the Census servers simply failed under the weight of their task, then that’s the most likely explanation, rather than a deliberate DDoS attack”.
Australian government ‘cyber security novices’
Computer forensics expert and cyber intelligence investigator Simon Smith told The New Daily that the government’s lack of preparation and expertise on cyber security was proved on Census night.
“Wake up Australia, ‘Cybergeddon’ is here,” Mr Smith said. “Australia is probably one of the weakest places in the world (cyber security-wise).
“I’m very afraid to say that we are extremely crap at protecting ourselves. It’s not as if the government really put much effort into security, is my first reaction to the Census crash.
“Denial of services attacks are the most obvious attacks, they happen every day.”
The ABS and minister responsible for the Census, Michael McCormack, said the attack likely came from overseas.
By Wednesday afternoon, Mr McCormack's own website appeared to have been hacked, as News Ltd political editor Samantha Maiden confirmed to Channel Ten’s The Project.
‘It was a successful attack, not a hack’
Special advisor to the PM on cyber security, Alistair MacGibbon, told Sky News he did not know if the attack intended to steal information, or just to make a point about the hackers’ abilities.
“It was successful because the ABS made the decision to take the website offline, because they wanted to make sure the worst case scenario [loss of data] didn’t occur,” Mr MacGibbon said.
He said the government believed no sensitive data was stolen.
Mr MacGibbon continually referred to the DoS as an “attack”, but not a “hack”, even though earlier in the day Mr McCormack refused to use the word “attack”.
Attack map shows … no attack
Despite the ABS’s claims, a website dedicated to tracking attacks such as DoS showed no unusual activity in Australia.
Tech security guru Matthew Suckling posted this map from digitalattackmap.com:
— Matthew Hackling (@mhackling) August 9, 2016
Was it China?
Melbourne University cyber security expert Dr Suelette Dreyfus said the DoS attack could have been perpetrated by Chinese citizens unhappy about the Mack Horton vs Sun Yang drugs saga.
“It’s not way out of left field [as a motivation],” she told the ABC.
Australian swimmer Mack Horton branded Chinese competitor Sun Yang a drug cheat after he beat Sun in the men’s 400m freestyle final at the Rio Olympics.
Horton’s comments prompted a torrent of abuse from literally millions of angry Chinese.
Dr Dreyfus believed it was unlikely China’s government would have committed such a “noisy” attack.
Social media skewers ABS, government
As the Census website went offline and it emerged that the outage had been caused by a DoS attack, Australians took to the internet to goad the authorities responsible for the Census.
Is it strange for a government agency to "reassure" people their data is safe by claiming they were hacked? #CensusFail
— Jen Dudley-Nicholson (@jendudley) August 9, 2016