2017-02-15

Opinion: Has the ABS learnt anything from its e-Census DDoS debacle?

The lack of segregation offered by the combined CIO/CISO role had a big impact on e-Census cyber security outcomes

The Australian Bureau of Statistics (ABS) suffered a humiliating failure of its systems last August, which was largely attributed to its inability to manage security and operational risk of a key business system.

Shortly after the event, we were told by prime minister Malcolm Turnbull that heads would roll, lessons would be learnt and changes would be made. But after extensive investigations by the government and the Senate, did heads actually roll? Is there any evidence of positive changes?

ABS’ long-term CIO/CISO Patrick Hadley, who has been with the organisation for 5 years, retires on March 6. He had a long career with many agencies and commercial organisations prior to joining the public service.

His departure creates an opportunity to review the role he performed at the ABS and to address any structural weaknesses that result from the now dated practice of having the CIO also fulfil the CISO role. This is very much a practice from the early 2000s and is not consistent with good governance practice or current trends.

The new ABS CIO/CISO position has appeared on the APSJOBs website recently and disappointingly does not suggest the ABS has learnt anything about segregation of duties nor does it appear to be willing to improve CISO access to the ABS CEO, the Australian statistician.

Once again, the role of CIO and CISO is combined and the job largely appears to be about system delivery and is located two levels down in the organisation. Maybe this is not a problem? Maybe the ABS is different and does not need to follow current practices and trends in technology governance?

Let’s examine whether the combined roles of CIO/CISO were at all critical in the failure of the Census system.

Below is an extract from the report prepared by Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security.

A procurement plan prepared in June 2014 proposed approaching only IBM citing the same reasons for a single source approach as in September 2008: dependency on IBM and time pressure. The procurement plan was approved by Patrick Hadley, Chief Information Officer, on 20 June 2014.

In September 2014, the ABS again engaged IBM through limited tender, a similar approach as direct sourcing which involved no market testing, this time for the supply of the 2016 eCensus and Data Capture. On 23 September 2014, Patrick Hadley, Chief Information Officer, approved the spending proposal for the 2016 eCensus solution.

On 20 June 2014, the ABS CIO approved the procurement plan for a limited tender to be issued to IBM for an e-Census solution (online electronic form). Once IBM was given responsibility for delivery, the key architectural decision to host the 2016 Census online form in a fully dedicated facility followed.
