Despite the barrage of social and mainstream media criticism, the cyber incident against the Australian Bureau of Statistics’ 2016 Census, being referred to by the government as a website denial of service incident, has a silver lining — it has exposed a lack of understanding in Australia around the role of sound risk management in cyberspace.
While the incident is a sore point in terms of reputation and trust, it provides a now very public opportunity for government agencies, at all levels, to take heed of the lessons the ABS will be learning in the hardest possible way. They are lessons that apply to any organisation with a website that is critical to the ability to do business. In short, this can happen to you too.
At a strategic level, these lessons are about understanding and managing the positive and negative risks of being online. Of course, denial of service attacks are but one type of cyber threat organisations need to consider. The risks posed by cyber threats against organisations will naturally vary depending on a range of factors including operational context, business strategy and structure, market behaviour and, arguably most importantly, cyber security posture.
Effectively managing risk in cyberspace reduces the cost of doing business, improves market and customer reach, enables the faster and more convenient delivery of customers services, additional opportunities to innovate, and the list goes on. However, if the infrastructure enabling your online endeavours is not appropriately secure, the positives cannot be fully realised, or indeed not realised at all. Further, if the infrastructure is not trusted, even getting out of the gates can be challenging.
Social media commentary from cyber security experts (leveraging the hashtag #CensusFail) has rightly pointed out that the ABS and its contractors should have prepared for the reasonably high likelihood of a denial of service attack — and been ready to go on the front foot in the media if such an attack were to be successful.
The significant media attention around the issue of Census data privacy and, to a lesser extent security, gave the ABS a big heads-up on the possibility of something of this nature happening, malicious or otherwise. There are also the experiences of other government agencies to draw on —moving from analogue to digital service delivery has generally attracted similar debates about privacy, trust and security, and denial of service incidents have been suffered in the past.
The announcement by the Commonwealth’s Privacy Commissioner that he will investigate the privacy implications of the incident will go some way to assuring Australians that the Government is focused on protecting the privacy of personal information. It may also help repair some of the damage done to people’s trust and confidence in online government service delivery.
But what of security and risk? The swift move by the Prime Minister to ask his cyber security special adviser to also investigate the incident will likely elicit an understanding of what happened from a technical perspective but also, and perhaps more importantly, whether government agencies cooperated sufficiently on the cybersecurity of the online Census (noting that primary responsibility lies in this case with the ABS). This will be the opportunity to identify lessons for improved cyber risk management in the future — and how agencies and other organisations can set about applying them.
Regardless of where these investigations lead, issues relating to cyber incident management, the resilience of infrastructure and ICT supply chain security will no doubt arise. All are matters of risk and risk management. To fully appreciate the outcomes of the investigations and their implications, one hopes #census2016 delivers greater collaboration between organisations on cybersecurity and compels better consideration of, and planning for, cyber risks going forward.
It should also speed up implementation of the initiatives in the government’s Cyber Security Strategy focused on improving the cybersecurity of its agencies.
It may be wafer thin, but it’s a silver lining nonetheless, and one that will only grow in importance in line with our dependence on online service delivery.
Michelle Price is senior adviser, cyber security for the National Security College at the Australian National University, on secondment from the Department of the Prime Minister and Cabinet.
This article was originally published at the APPS Policy Forum.
Any feedback or news tips? Here’s where to contact the relevant team.