Many Australians were unable to complete the Census on August 9 due to the Census website failing.
Australian Bureau of Statistics (ABS) chief statistician has blamed a deliberate “denial of service attack” for the failure.
The first three [attacks] caused minor disruption, but more than two million forms were successfully submitted and safely stored.
After the fourth attack, which took place just after 7.30pm, the ABS took the precaution of closing down the system to ensure the integrity of the data.
Like many government information systems, the Census site was outsourced to an external contractor: IBM. As well as writing the software required for the website, IBM was responsible for providing the computers that hosted it.
All of this is routine for IT projects, both government and commercial. And while reasonably large, the legitimate traffic generated by the Census is dwarfed by the traffic on websites like Google, Facebook and even the nonprofit Wikipedia.
Denial-of-service attacks
Denial-of-service attacks are deliberate attempts to render a computing service unavailable.
Such an attack can be performed in many ways, including interfering with physical infrastructure. However, the most common denial-of-service technique used against publicly available websites is to overwhelm it with huge numbers of requests, overloading the servers and crowding out legitimate users.
Typically, the requests come from “botnets”, which are large groups of computers – often home PCs or other poorly-defended devices – that have been taken over by hackers and are then misused for “distributed” denial-of-service attacks" (DDoS attacks). DDoS attacks have been used by activist hackers, cybercriminals and even state-sponsored hackers.
While the controversy surrounding the privacy implications of the 2016 Census may not have been anticipated by the ABS, a denial-of-service attack against the Census infrastructure was always possible and should have been anticipated – especially a DDoS launched by privacy activists.
There are a number of ways in which the dangers of a DDoS can be mitigated. It is unknown at this point what measures the ABS and its contractors took to prepare for the possibility.
ABS
Poor capacity planning?
From the perspective of the computers straining under the load, a DDoS attack is indistinguishable from a larger than expected number of users attempting to access the system at once.
The public statements of the ABS before Census night cast some doubt on whether the system was adequate to cope with even legitimate demand.
The head of the ABS, Chris Libreri, had earlier claimed that its systems had been tested to cope with the load of actual Census submissions:
We have load tested it at 150 per cent of the number of people we think are going to be on it on Tuesday for eight hours straight and it didn’t look like flinching.
The ABS stated that its website was designed to handle 1,000,000 form submissions per hour. However, Around 18 million Australians live in the eastern states, which equates to about 7 million households.
If even 50% of those households attempted to submit their census during the evening hours from 7pm to 9pm, that would equate to 1.75 million form submissions per hour, 75% more than the reported capacity of the site.
Furthermore, it’s unlikely that traffic would be uniform within that time period. “Spikes” in traffic – perhaps after popular television shows ended – could potentially have overloaded the infrastructure even further.
It seems almost incredible that the team responsible for the contracting would collectively make such an error in their capacity estimates.
Regardless of the details of the attack, and whether other aspects of planning were inadequate, the Census failure will go down as another example of a failed “Big Bang deployment”.
A Big Bang occurs when an IT system is deployed on a large scale, all at once, and is required to work first time. The US healthcare.gov website, the Queensland Health payroll system that failed so spectacularly in 2010, and even Channel 7’s Olympics app are examples of such all-at-once rollouts running into difficulty.
The lessons for proponents of online voting should be clear.
Robert has donated to and volunteered for the Australian Greens.
Robert Merkel, Lecturer in Software Engineering, Monash University
This article was originally published on The Conversation. Read the original article.



Nvidia Tightens AI Chip Sales in Asia With Stricter Customer Approval Process
SK Hynix’s $28 Billion U.S. Share Sale Draws Massive Demand Amid AI Chip Boom
Bain Capital Exits Kioxia After AI-Fueled Valuation Surge
SK Hynix’s $28B U.S. IPO Draws Strong Demand as AI Chip Boom Fuels Investor Interest
Samsung to Launch First Yongin Chip Plant by 2029 as South Korea Speeds Up Semiconductor Hub
SoftBank Corp Partners With Sierra to Expand AI Customer Support Across Japan
Apple Intelligence Cleared for China as Alibaba and Baidu AI Power iPhone Features
Samsung Chairman Lee Jae-yong Expected to Meet Nvidia CEO Jensen Huang on AI and Chip Partnership
TSMC Q2 Revenue Surges 36% as AI Chip Demand Powers Growth Ahead of Earnings
SK Hynix Stock Soars as AI Memory Demand Outlook Fuels Chip Rally
Apple Tests China's CXMT Memory Chips as DRAM Maker Gains Global Market Share
Arm Stock Falls After HSBC Downgrade, Citing Limited Near-Term AI Upside
Yaskawa Electric Shares Slide as Weak Profit Overshadows Strong AI Demand
Trump Administration Launches AI Cybersecurity Partnership to Protect Critical Infrastructure
Apple Sues OpenAI, Former Employees Over Alleged Trade Secret Theft 




