1. What is your advice to boards about managing their cybersecurity risks?

Cybersecurity is a contemporary business risk for everyone. Boards would ignore cybersecurity at their peril. Similarly, they also can’t substitute cybersecurity for other risks. Essentially, modern boards are facing many risks at the one time and cybersecurity is just another risk that has been added to that list.

In terms of our particular challenges here at the ABS and what we struck with the 2016 Census, in the lead up we had an understanding about the different elements of cybersecurity that could come and bite us. Aspects around data security, infected systems or Distributed Denial of Service (DDoS) capacity constraints. These were all identified in the lead up to the Census as potential risks. We thought we had mitigations in place to deal with all of them. At the end of the day, the mitigation we had through IBM wasn’t sufficient.

For me there were probably three clear lessons out of that incident:

  1. The importance of having sufficient internal expertise;
  2. Having access to quality external suppliers; and
  3. Independent verification of the performance of the internal and external controls.

Those three things provide a comprehensive mitigation strategy.

2. In the lead up to the 2016 Census, what was the ABS’s relationship with the public like?

In the lead-up to the 2016 Census, there was a lot of misinformation from a niche group of privacy advocates. There were comments about the ABS collecting names and addresses for the first time, whereas we’d done that for 100 years. There were also assertions that collecting names was illegal, whereas I had very clear and unambiguous advice from the Australian Government Solicitor that it was statistical information and that’s what we were collecting. There was a lot of misinformation that was being picked up in the media, social media and political commentary, and the ABS was not as effective as we should have been at dealing with those false claims.

The environment in which the Census was being run was one where there were contentious perceptions that were permeating through media and social media. Even with that, what we had found through the market research that we had undertaken around community perceptions was that quite consistently throughout that whole privacy debate, 97-98% of the community still expected to complete the Census accurately and fully. And that’s what we achieved.

Even though we had the online outage that caused the ABS’s reputation to take a hit, what we actually achieved through the 2016 Census was pretty much what we’d been able to achieve in past Censuses. Participation in the 2016 Census was comparable to 2006 and 2011, and the Census data quality in 2016 was just as good in 2016 as for previous times.

That stands in stark contrast to the media and social media narrative.

There was some loss of trust in the ABS overall around August 2016, but that’s been restored back to usual levels where 90% of the community say they’ve got strong trust in the ABS.

3. The DDoS attack on the 2016 Census had the potential to damage the public’s trust in the ABS and its operations. What did the ABS do following the incident to mitigate that risk in the short term?

We were transparent and open with the public about what happened. At the time we were upfront with telling the public as much as we knew about as early as we knew it. We also undertook a number of reviews and were subject to some reviews that got into those issues. The Australian Signals Directorate advised that there’d been no data lost and the Census data was safe, so there wasn’t a hack.

Cyber for Directors

The Privacy Commissioner undertook an investigation and gave us a clean bill of health that there had been no data breaches. Then there was the MacGibbon Review and related Senate Inquiry processes which we fully collaborated with and contributed to.

4. What initiatives has the ABS undertaken to rebuild trust with the community?

Probably the one thing about building trust, one of the core aspects that could have been an issue with the release of the Census data is people not trusting the quality of the data.

What I did around the time of that outage was to establish an independent assurance panel which drew national and international experts together. I gave them free rein over our data processes so they could ask whatever questions they liked and then they produced an independent report which essentially gave a tick to the quality of the data and the confidence with which the data should be used.

Establishing that independent assurance panel in August 2016 (that then publicly reported in June 2017) was really important to ensure there could be community and key user trust in the Census data quality when it was released and subsequently used.

Also around the time of the Census data releases, we tried to make sure the community got full value from the data. We worked pretty closely with the media and other key data users to make sure they were best placed to report the information and gave them ready access to our analysts that could provide them whatever data they wanted from the Census and whatever comparisons they wanted from 2016 back to 2011 or 2006. It was important to make sure the community received value from the Census following their efforts to participate and supply their information to the ABS.

Additionally, the successful and smooth process that the ABS undertook around the marriage law survey has also contributed to rebuilding our reputation with the community as able to produce and undertake a very challenging statistical exercise but do it in a way that exceeded community and government expectations.

5. What measures has the ABS put in place to guard against another DDoS attack happening?

As a first step looking at our internal capability, we bolstered our internal skills and also put greater effort into information security more generally across the ABS. The cyber-attack in the Census caused us to rethink our resource prioritisation and we’ve put extra effort into that.

We also engaged with a number of highly skilled external partners who provided us with further testing of our capability and protections, and use of Amazon Web Services provided us with extra capability in the Marriage Law Survey.

With the Marriage Law Survey, we actively sought whole of government expertise from the Australian Signals Directorate and the Digital Transformation Agency to assess our cyber capacity. They were willing to join us as accountable partners at the start of the process. They were working in lockstep as we designed and then implemented the survey. They provided us with key advice, more as contributors rather than reviewers.

6. In the context of constrained funding, how is the ABS managing its transition from its legacy systems?

This is a challenge for all public agencies. Ensuring we’ve got contemporary systems that meet community expectations and the expectations of our professional staff. We’re currently running some statistical systems that are now over 30-40 years of age. In the technological generation we’ve got at the moment, that’s in the Dark Ages.

A number of years ago, governments made it imperative for agencies to bid for any refreshing of systems through the budget process and that’s made it more difficult for agencies e.g. having capital depreciation withdrawn from their funding. We need to go back through the budget process to seek all system upgrades of any scale.

In the ABS’s case, my predecessor Brian Pink had the foresight to initiate the development of a business case for refreshing ABS systems, drawing on internal ABS resources. In 2015, the current government decided to give ABS $250m for a refresh of our systems. We’re about halfway through that process. It’s certainly a challenging process to upgrade those statistical systems and really have a look at our statistical processes to see whether they can be enhanced at the same time.

It’s something we’re managing alongside still delivering over 500 statistical releases a year. One of my senior staff refers to it as “changing the engine while flying the plane”.

7. With six years to prepare for the Census versus the 100 days in the lead-up to the Marriage Law Survey, how did you implement cultural change to allow the ABS to become more nimble and agile?

Because the Marriage Law Survey came after the 2016 Census, there were certainly a number of features of running the Census we could use in the Marriage Law Survey. The engagement with Australia Post, working with Fuji Xerox, all of the work around the inclusion strategies with people in remote communities, or people with disabilities or people from migrant communities. A lot of those aspects were things that were features of the 2016 Census that we could utilise.

The other aspect was there were some learnings from how we undertook the 2016 Census that we could pretty quickly put in place. We learnt some things about risk management, cyber risk, issues management, working better with the media and social media and the political environment. And we could put in place changed approaches. We were also very clear at the ABS about the expectation that we wanted to deliver a very good consumer experience.

One of the things we did following the 2016 Census is that we didn’t ignore the lessons coming from the Census. We took those lessons on board very early and were implementing them anyway. We’d already started that implementation phase when the Marriage Law Survey came along. If the converse was the situation where we’d ignored the lessons of the Census, we wouldn’t have been in such good shape to implement the Marriage Law Survey, and I’m sure the outcome would not have been so positive.