IBM might be sorry for the bungled 2016 Census, but it didn’t miss a chance to shift the blame.
The global technology company unreservedly apologised for the failed Census fiasco today during a Senate Economics References Committee hearing, but ultimately laid the blame on the failure of a geoblocking service overseen by subcontractors NextGen Networks and upstream internet provider Vocus Communications.
Officials from the Australian Bureau of Statistics and IBM faced a Senate inquiry on Tuesday over the bungled census, which saw the website inaccessible to the Australian public for days following a number of attacks.
Kerry Purcell, the managing director of IBM, which won the contract to deliver the e-census platform, began his evidence by taking full responsibility for the failure.
He offered an “unreserved apology” to the Australian public and the government as “a valued customer”.
He assured the hearing that “no personal information was compromised” but said the shutdown of the website did “not sit well” with the company.
While IBM issued a mea culpa, it was then quick to lay the blame at the feet of Australian communications company NextGen Networks and its upstream provider Vocus, blaming them for failing to implement a geoblocking service called Island Australia to prevent traffic reaching the site from outside Australia.
IBM said the “primary root cause (of the meltdown) was access into Australia via a router through a third party, a partner of ours.”
“In short, the geo-blocking protocol was not properly applied by one of the ISPs,” Mr Purcell said.
ABS officials had previously told of two small-scale attacks on the website on the morning of census day. But a third attack at 4.50pm raised concerns about a significant co-ordinated attack from overseas.
IBM confirmed today that a majority of the traffic detected during the distributed denial of service (DDoS) attack in the afternoon had come from Singapore.
Such attacks are designed to overwhelm websites by bombarding them with traffic to cause them to crash.
At 7:27pm there was a fourth attack, which IBM executives detailed to the inquiry, saying that protocols put in place to block traffic from outside Australia had failed.
“We contacted the Telstra and NextGen contacts to seek their confirmation that they had implemented the Island Australia geoblocking protocol. Telstra confirmed they had it in place in their link and were not seeing any excess traffic on that link,” said IBM executive Michael Shallcross.
“We were, however, still seeing excess traffic on the link from NextGen and over the course of that attack that link became fully saturated.
“The traffic was coming primarily from Singapore on one particular router on which the geoblocking rules had not been effectively implemented and that was the primary source of the volume of traffic coming down the NextGen link,” he said.
Last week NextGen Networks and Vocus Communications refuted the assertion made by IBM that they were ultimately responsible for the census meltdown.
In a submission to the Senate inquiry, IBM said: “Had NextGen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent this DDoS attack and the effects it had on the eCensus site.”
However, Vocus blasted the accusation in its own submission to the inquiry.
“Vocus does not agree that the fourth DDoS attack was the cause of the site becoming unresponsive,” the telco said.
“The fourth attack comprised of attack traffic which peaked at 563Mbps which is not considered significant in the industry, and lasted 14 minutes … such attacks would not usually bring down the census website, which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks.”
The geo-blocking had been tested prior to census day and had been working, it added.
NextGen said it wasn’t privy to the “Island Australia” geoblocking strategy until July 20, just six days before the eCensus site went live.
“After becoming aware of ‘Island Australia’, NextGen advised IBM that the IP address range requested by IBM was part of a larger aggregate network, and therefore it was not possible to provide specific international routing restrictions for this range.
“NextGen recommended using an alternative IP address range, which would give IBM better control, but this was rejected by IBM,” the company said.
IBM officials also told the inquiry that the country’s top cyber security body, the Australian Signals Directorate, was not contacted until a fourth DDoS attack at 7:30pm.
Mr Purcell also said that census work was not outsourced to India, where its main operation centre is based. However, he could not confirm whether other work was outsourced overseas and said he would take the question on notice.