Doubt has been cast on claims that the 2016 Census was subject to a denial of service (DoS) attack, with cyber security experts saying the ABS may not have been fully prepared for the number of people filling out the questionnaire online.
The Australian Bureau of Statistics forcibly crashed the 2016 Census website on Tuesday night as millions of Australians were attempting to fill out the compulsory, five-yearly, survey, and attributed the shutdown to a failed router, geo-blocking not operating correctly and four 'denial of service' events on the website.
The DoS attack or event, depending on who you ask, is the digital equivalent of someone parking their truck across your driveway to stop vehicles coming in and out, the government has said.
DoS attacks can be used to obscure actual hacking attacks, however some cyber security experts have questioned whether there was an an actual attack. Others say if there was, the ABS cannot guarantee it wasn't hacked.
They may not have been prepared for the number of people they have herded into this electronic pen.
But it's most likely the network was simply overloaded by traffic, said the University of Melbourne's Dr Suelette Dreyfus.
"They said that there was a traffic increase at about 10 in the morning, and then another traffic increase at 11.46am, or just before lunch," she told The Huffington Post Australia.
"So it's possible that it was a set of people who were just logging on at lunch time to fill out their Census."
Dr Dreyfus also acknowledge that the use of Virtual Private Networks (VPNs), which thousands of Australians use to access American servers for Netflix, iTunes and Amazon, could possibly have contributed to the problem.
"Theoretically, it is possible they could have been using VPNs to log in. We don't know that, we don't know the details because they haven't shared them."
HuffPost Australia asked Dr Dreyfus if it was possible the ABS could have mistaken multiple attempts to log on as a DoS attack.
"Either that, or they didn't have confidence in their own system's robustness to handle heavy load," she said.
After the fourth attack, just after 7:30pm, the ABS took the precaution of closing down the system to ensure the integrity of the data.— Census Australia (@ABSCensus) August 9, 2016
We're working to restore the service. We'll keep you updated.— Census Australia (@ABSCensus) August 9, 2016
Hmm, 8M expected online @ABSCensus subs. Probably over 6-10pm time slot. Load tested at 1M/hr. Wasn't DDOS, was inability to do basic maths.— Dr David Ingram (@dingram) August 9, 2016
The minister responsible for the Census, Michael McCormack, said on Wednesday it was neither a hack or attack on the website, which was shut as a precaution. Firewalls on the website were not breached, he said.
Special cyber security adviser to the Prime Minister, Alastair MacGibbon, told reporters in Canberra he was not using the word attack or hack to explain the incident.
"There was no breach, there was no intrusion, there was no hack. This was a denial of service."
WHAT'S A DENIAL OF SERVICE?
A denial of service attack stops people doing what they want to do on the internet. There are broadly two types -- a DoS, whereby the target is flooded so the network becomes inoperable; and a Distributed Denial of Service (DDoS), where thousands of unique IP addresses flood the target.
Denial of Service attempts are common on big business and government, and in this instance it appears most of the traffic came from the United States.
"It would be where a hacker would probably try to hide their point of origin, so they might hop to many different computers, and then they might attack the website with a view to making it not function," Dr Dreyfus said.
She said the fact that the ABS was unable to cope with DoS events raised questions.
"About the thoroughness and the robustness of testing that one would have assumed would have been done prior to the census," she said. "I read one technical expert comment that this was akin to the police station complaining when a couple of kids went down there and tried to take it over with water pistols."
WHAT DON'T WE KNOW?
"What the unknown is is the volume of data linked to those denial of service attacks," said Professor Matthew Warren from Deakin University's School of Information and Business Analytics.
He told HuffPost Australia that if the volume of data being thrown at the ABS was high enough, they would have no choice but to shut down.
"There are still some missing items, but what it does imply is that the data in the Census system is safe but the data that would have been in transaction... may have been lost.
"They do have an issue over what to do with the data in transaction."
But the government on Wednesday said there was no capacity issue with the ABS system.
"We were receiving forms at a rate of 150 per second," said MacCormack.
"Our capacity is 260. The denial of service breached the online form because it didn't get caught up by the GEO blocking. That was the aspect in the protection system that didn't operate fully."
But Dreyfus said it appeared as though the DoS incident coincided with a system meltdown.
"They may not have been prepared for the number of people the have herded into this electronic pen," Dreyfus said, in reference to the ABS's ambition that 65 percent of households complete the Census online.
"There needs to be a proper, independent, transparent, public inquiry in to this. I would like to know whether or not this DoS attack was of any real significant substance."Suggest a correction