By Mathias Hammer
It should have been a world first: On August 9, 2016, two-thirds of Australia’s citizens were supposed to complete the population census online, but instead a cyber attack against the Australian Bureau of Statistics’ (ABS) website led to the premature abandonment of the census. A series of “Denial of Service” (DoS) attempts – a tactic used to force a website into shutting itself down – forced the ABS to take its online census offline for the next couple of days.
The episode illustrates that, as the security analyst Robert Potter has recently pointed out, day-to-day hacking has become a commonplace occurrence in recent years, to the point that the “norms of cyber security have developed a level of acceptance” for such a practice. Yet Potter’s argument that cyber warfare may make autocratic states more vulnerable than democratic ones should take an additional point into consideration: this particular attack highlights the damaging impact which insufficient cyber security policies can have on democratic societies. In particular, public trust in the proper functioning of the institutions of government is at stake. Autocratic societies, by definition, supplant public trust in themselves through the direct threat of violence against anyone who might dare not to pretend to be in support of the regime. The leaders of such regimes have much lower stakes in upholding public trust in themselves than the Australian government, which has lost some goodwill overnight.
That the responsible minister, Michael McCormack, felt compelled to publicly deny on the following day that any hack had taken place, while simultaneously admitting that several DoS attempts had, in fact, occurred, only serves to demonstrate this point. The public fallout was severe. Almost instantly after the census was aborted, the hashtag #censusfail was trending in the Australian Twitter-sphere. A popular Melbourne radio host – radio hosts being a hugely influential group in a country where the majority commutes to work by car every morning – summed up the mood on the following morning: “We trusted you once – you blew it.”
Image Attribute: Twitter Screenshot of APPS Policy Forum's Tweet
We don’t know who the attackers were or what exactly their overall aim was, but it is clear what they have managed to accomplish: they have made the Australian government look incompetent in the eyes of its own citizens. Trust in institutions, a public good that cannot be measured in financial terms, has become the real victim. The list of relevant actors with an interest in such an outcome is limited and does not include any of Australia’s current allies and overseas security partners.
Was the fiasco avoidable? To counter the increasingly common threat of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, mitigation practice includes a series of well-known techniques. Defending a website against multiple access requests from simulated users consists of finding ways to distinguish between genuine human traffic and incoming pseudo-requests from bots or hijacked “zombie” computers. The only way to achieve a satisfactory degree of success is to combine a suite of approaches which interrogate the nature of incoming traffic and allow flexible responses to an emerging crisis situation. Actors can then orient themselves on a range of predefined threat scenarios and the accompanying contingency policies and protocols. In other words, while complete security from cyber attacks is not possible, their likelihood can be reduced through informed risk management. Echoing Sun Tzu's remark that “the art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him”, the current thinking behind confronting cyber security challenges embraces a risk management approach. The episode highlights that managing this risk includes the following four policy measures:
1.) Capacity building is required to increase the pool of available cyber security expertise, preferably through a comprehensive approach based on a public-private sector partnership.
2.) An appropriate classification system of threat scenarios will allow identification of different types of security incidents and will erase ambiguity about what constitutes an attack.
3.) Communication policies need to govern the reporting of identified incidents and assign clear disclosure responsibilities.
4.) Online service delivery must recognize the maintenance of public trust as a key principle.
Following the virtual skirmish, the Australian government had no choice but to relaunch its pioneering effort to bring population counts into the digital age. Other democratic governments in the region have an interest in closely observing the lessons learned.
About the Author:
Mathias Hammer (TR RID: L-9180-2016) is a historian based in Canberra. His research interests focus on the Asia-Pacific region and include politics, diplomatic ties, security issues and cyber security.