The Australian government has told the Senate Economics References Committee that the Australian Bureau of Statistics (ABS) will subject its forthcoming policy and procedural changes to an independent Privacy Impact Assessment and “broad consultation” before implementing them in response to the 2016 Census debacle.
Those changes, however, will not include allowing citizens to omit their names from Census forms, with the government holding firm that it has no intention of removing names and addresses from Census responses prior to their four-year expiration date.
The government’s comments were made in response to the findings and recommendations handed down by the Senate Economics References Committee in November as a result of its inquiry into the 2016 Census, and directly follow a recommendation made by Greens Senator Richard Di Natale during the inquiry.
“The ABS has already been subject to considerable external scrutiny about the management of personal information from the 2016 Census,” the government wrote.
“The ABS has subsequently made a number of modifications to the initial proposal and policies and practices to take into account community concerns and the recommendations of external reviewers.
“In April 2016, the ABS responded to community concerns by committing to the destruction of names and addresses from the 2016 Census no later than August 2020. Names and addresses will be deleted earlier if there is no longer any community benefit derived from their retention.
“This assessment will be made annually.”
In what was labelled a confluence of failure, the ABS experienced a series of distributed denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens unable to complete their online submissions on August 9, 2016.
In its response to the committee, Australian Government Response to the Senate Economics References Committee Report: 2016 Census: Issues of Trust, the government commented on all 16 of the recommendations made, agreeing with — or taking on board — all but one.
In its report, the government agreed that the ABS should update its internal guidelines to make clear that consultation requires active engagement with the non-government and private sector, after the ABS said in its submission to the committee in September that technology giant IBM failed to adequately address the risk posed to the Census systems it was under contract to provide, and that IBM should have been able to handle the DDoS attack.
“The online Census system was hosted by IBM under contract to the ABS, and the DDoS attack should not have been able to disrupt the system,” the ABS said in its submission last year. “Despite extensive planning and preparation by the ABS for the 2016 Census, this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future.”
The economics committee suggested the ABS take a more “proactive” role in validating the resilience of the eCensus application for the upcoming 2021 Census, which the government said is already underway.
The government said it will also continue to fund the Census and its associated activities and noted that procurement of all Census solutions will be conducted in line with the requirements of the Commonwealth.
Additionally, the committee recommended the Department of Finance review its IT Investment Approval process to ensure that projects such as the 2016 Census are covered by the Cabinet’s two-pass process.
The government took this recommendation on board, announcing earlier this month it will be reviewing all significant IT contracts in search of greater transparency and oversight over its AU$6.2 billion annual technology spend.
It is expected the review will include all non-corporate Commonwealth entities and all active projects over AU$10 million in value, or those that engage a large number of Australians.
The final recommendation made by the committee last year — and the one not agreed with by the government — was that the minister responsible for the agency act as a matter of urgency to assist the ABS in filling senior positions left vacant for greater than six months.
The government responded by stating that filling positions, with the exception of the Australian statistician, is not the role of government.
In response to the recommendations of the Inquiry of the Senate Economics References Committee and the MacGibbon Review of the Events Surrounding the 2016 eCensus, the government commented that the ABS is currently implementing a number of changes to policy and procedural frameworks which will “ensure future significant changes to personal information handling practices”. It will also be subject to an independent Privacy Impact Assessment and broad consultation, the government said.
Following the Census debacle, Prime Minister Malcolm Turnbull asked Alastair MacGibbon, Australia’s first special adviser to the prime minister on cyber security, to conduct a review on the events that led up to the eCensus form being temporarily taken down.
MacGibbon’s review was tabled in November alongside the Economics Committee’s, and the two overlapped considerably.
The security veteran outlined a number of recommendations for the government, in particular for the ABS, to which the government said in its response it has “accepted all of its recommendations and agreed that we must embrace cybersecurity as a core platform for digital transformation”.
In his report, MacGibbon observed that preparations for the Census took place during a “complex time” for the ABS, which included the position of its leader, the Australian statistician, remaining vacant for most of 2014.
“However, it is clear that the ABS’s culture clearly contributed to the outcomes on Census night. The ABS’s actions since only underscores the importance of culture: It has steadfastly refused to own the issue and acknowledge responsibility for the factors leading to the events and shortcomings in the handling of events on the night,” MacGibbon wrote.
MacGibbon was also concerned with the communication strategy the ABS had in place on Census night.
“The ABS failed to adapt its media and communications in response to the public relations storm that was brewing in the weeks prior to the Census regarding privacy and security in both mainstream and social media. Instead, the ABS stuck rigidly to its plans, foregoing crucial opportunities to influence and drive the conversation around the Census,” MacGibbon wrote.
In response, the federal government said the ABS will consider how best to address communication before the next Census.
Source: SANS ISC SecNewsFeed @ February 27, 2017 at 09:09PM