Topics: ICT Strategy; Cybersecurity; Digital Transformation; Fed.
With many of the census flaws deep-rooted in the “years and months before” the events of August 9, recommendations from the 2016 Census: issues of trust report are significant not only for the Australian Bureau of Statistics, but for all current or future Federal Government projects dependent on ICT.
Of the report’s 16 recommendations for the future conduct of the census, most were centred around the procurement, operation and defence of the census solution, as well as governance, information security and privacy.
A large proportion of the issues linked to the events of August 9 were found to be established in the lead up to the census, often relating to poor planning and project management.
“A narrow focus on the events of August risks treating the symptoms and ignoring the diseases. Questions regarding the validity of the ABS’ actions should be focused on the years and months before the 2016 census when the decisions were made that would manifest themselves on 9 August 2016”, the report states.
“The confirmation that the census would proceed, the delayed development of an eCensus solution, the use of a limited tender and the erosion of internal capacity to adequately oversee the development of the eCensus are all serious concerns that may contribute to the events of 9 August 2016.”
Special Advisor to the Prime Minister on Cyber Security at the Department of Prime Minister and Cabinet, Alastair MacGibbon, suggests in the report that much of this may have stemmed from the close relationship between the ABS and IBM – a type of vendor lock-in – that risked complacency.
While the ABS was within its rights to continue its longstanding relationship with IBM for the eCensus solution, which has existed since 2005 and delivered 100 per cent availability for the last two censuses, the report indicates that less scrutiny could also have been detrimental to the project.
“This assumed familiarity may have contributed to a level of complacency in project management on the part of the ABS, and in the priority which IBM gave the project.”
Furthermore, although the ABS began planning for the 2016 Census in June 2011 and was allocated funding in the 2013-14 budget, it wasn’t until September 2014 that IBM was contracted to develop, deliver, implement and host the eCensus solution. This is largely because the ABS considered delivering and deploying the solution in-house for an extensive period.
The report recommends “that the ABS take a more proactive role in validating the resilience of the eCensus [solution]” and use an open tender process for its future procurement.
The use of an open tender process had previously been highlighted in the May 2014 Census 2016: ICT Capacity & Capability report by Capability Driven Acquisition (CapDA) as a means to achieve value for money and overcome a lack of internal capacity to develop the solution. However, despite commencing planning in 2011, due to time constraints and “inherent risks in working with any new organisation”, a limited tender process that “potentially involved procuring IBM’s services given their existing experience of the application” was recommended.
“This route although not ideal from a procurement perspective, would have the benefit of mitigating the increasing risks to what is a far more complicated Census Program than has ever previously been attempted and in what is a much reduced timeframe for a [partner] to come ‘on board’ than in earlier Census cycles”, the CapDA report stated.
The census report also suggests that “if they [the ABS] did not have the ability to develop a solution themselves, it stands to reason that they would only have a limited capacity to question and challenge a contractor employed to develop such a solution.”
While many of the problems were found to stem from poor planning and project management on the part of the ABS, the report indicates there were many that were beyond the ABS’ control and symptomatic of wider issues within government.
Issues with internal capacity could have stemmed from funding, which the committee found “had been eroded over a number of years while the demands and expectations placed on the organisation have increased”. As such the report recommends that the government “provide sufficient funding for the ABS to undertake its legislated functions”, “portfolio stability”, and commit funding for the 2021 census in the 2017-18 budget – a year earlier than funding was committed for the 2016 Census.
The committee was also told by the ABS during a hearing that “the Department of Finance determined in October 2012 that the 2016 census was not required to complete to the IIAP [two-pass ICT Investment Approval Process]”, as the project didn’t meet the assessment criteria.
The process is currently used to assess new policy proposals or internally funded proposals that are ICT-enabled, have a whole-of-life ICT cost of $10 million or more, or are high risk.
However, the report states that if the “lifetime ICT costs” of the IBM, UXC Saltbush and Revolution IT contracts, which totalled more than $10 million, and the high-risk nature of the project had been taken into account, then the project would have met the requirements.
The report recommends that Finance review its ICT Investment Approval Process to ensure that projects such as the 2016 Census are covered by the cabinet two-pass process, that projects are re-assessed at a later date if required, and that splitting a project into more than one contract is not a mechanism to skirt whole-of-life cost limits.
Similarly, the eCensus solution avoided an Information Security Registered Assessors Program Assessment – an Australian Signals Directorate initiative that is usually conducted on cloud services, gateways and information systems. While the report states that there is no certainty that this process “would have uncovered the flaws that allowed the DDoS attack to affect the eCensus”, it is recommended that the 2021 eCensus application be subject to an examination.
The report also recommends improved oversight from the responsible ministers by seeking briefings on the progress of census preparations every six months, covering issues like cybersecurity, system redundancy, procurement processes and the capacity of the ABS to manage risks associated with the census.