Project Status Report and Change Management Request
Information technology has advanced but the increasing risk involved with the data associated with the same is a vital concern. The report will be discussing on the legal issues related to the ways in which the data of the Australian citizens are collected for the Census. The privacy issue is a prime concern and the Australian Bureau of Statistics has been found to be using details of the citizens which can be misused therefore resulting in security and privacy breach (Tam & Clarke, 2015). The Australian Bureau of Statistics was answerable to the citizens after it was found that its online Census website was making use of an insecure form of encryption to safeguard the sensitive details of the citizens. The report will be focusing on the insecurities related to the data of the citizens and the various processes that were implemented in order to handle the same.
For the Census of the year 2016 held on August 9th, the Australia Bureau of Statistics has reconsidered its previous decision of not using the names and addresses of people in the Census data. The ABS has made modifications to its policy so that it can help in improving the national policy making and the associated decisions. The privacy advocates showed their concern for the decision as it involved privacy threats to the sensitive credentials of the citizens. Inspite of all the pushback from eminent persons such as the former statistician of ABS, it went ahead with the decision. The decision of keeping the name and address of the citizens in the dataset was made so that a better link could be established in between the Census data and other vital informations creating a dynamic statistical record of the country. According to Duncan Young, the Census program manager, ABS was unable to produce valuable statistics as the linkage process being used considered characteristics such as date of birth or informations related to marital status and the place the citizens are dwelling in. This process of linkage gave them about 80 percentage of rate of success for specific groups of population (Williams, 2016). The new plan was to keep the names and addresses anonymised in a database and these anonymised names will be linked to the third party datasets. The original names and addresses of the citizens will be destroyed after a time span of four years comparing to the present 18 months. It was assured by that the agency researchers will not be allowed to access these data and can be only be used if a senior level committee gives its approval.
Project Planning Workshop Slides and Outcomes Report
The data will be made use of to produce reliable statistics on matters relating to investments done on education, patterns of migration and expectancy of life for the Aboriginal and Torres Strait Islanders by retaining the names of the people.
At present the ABS finds it difficult to track the investments done in apprenticeships versus undergraduate degrees versus TAFE traineeships thus cannot be sure about whether the country is investing the money in the right domains of education. This can be attributed to the mobile nature of the student population and lack of any such unique student number or any such type of identifier that could link their data (Mann & Rimmer, 2016). The new process of keeping the address and the names would help in creating databases with higher level of accuracy and produce a valuable statistics. With the anonymous key generated by making use of a person’s name, ABS will be able to establish a link in between the death records and the Census data which in turn will help in outlining whether a person is of Aboriginal or Torres Strait Islander origin. This will also help ABS in keeping a record of the level of English proficiency in the citizens as well.
The name and addresses of the citizens were to be retained and these were supposed to be transformed into encryption keys so that they can be linked to the third party data sets to create perfect databases which were a huge privacy threat to the citizens. The 2016 Census in Australia was to make use of the name and the addresses conducting linkage of data by making use of the Census. The data including the names and addresses are sensitive in nature and can affect individuals in a huge way. The main concern related to this was that if these data get into the wrong hands then can be mishandled and misused as well. There can happen sabotage of the census and then the information stored will be leaked being accessed by unauthorized persons. The ABS assures to safeguard the privacy of data and protect the same from data breaches. The 2016 Census was to make use of the names and addresses of the citizens to develop a statistical linkage key to serves as a unique identifier. The names and the addresses of the citizens were to be stored till the year 2020. Data with the ABS will be released as aggregates nit including the personal identifiers. The ABS reported of breaches to its system but they did not include the data if the Census. The four DoS attack to the system of ABS raised questions as to how safe is the data of the citizens with them and are they really serious about the security of the data (Xiao, Qu, Qi & Li, 2015). The ABS systems assured that there was no loss of data or any compromises made in the stored data. The collapse of the online Census lead to the review of the system and inquiry was to be done as per the orders of the Prime Minister, Malcolm Turnbull. The cybersecurity advisor of the PM was to inquire about the fact that whether IBM did its part well to provide protection to the four DoS attacks. The retaining of the names and the addresses of the citizens was under the purview of doubt and privacy risk as there was no such measure found in place that could prevent the denial-of-service attacks. The IBM attributed the DDoS attacks to the upstream provider and ABS authorities said that they had to take the site offline on the night of Census owing to the DDoS attacks along with the failure of network geoblocking function as well as the collapse of the router. In the blame game many were attributed for the disruption and the attack. Vocus, the upstream supplier of NextGen admitted of having committed the error of not having putting the geoblocking strategy in place (Mann, 2018). It was said that had the NextGen implemented Island Australia, the DDoS attack could have been prevented thereby preventing the various effects of the eCensus site. The ABS relied exclusively on the geoblocking to defend 2016 Census against the back to back DDoS attacks which was a failure on their turn. MacGibbon denied of any such DDoS attacks and further added that the Census website crashed due to the load of informations at the Census night. The DDoS attacks were believed to be small and the main reason for the site going offline was unexpected load or traffic.
|
Risks |
Impact |
Probability |
|
|
1 |
Design and management |
High |
High |
|
2 |
Expectations of public |
High |
Medium |
|
3 |
Privacy implications |
High |
High |
|
4 |
Choosing partners wisely |
Medium |
Low |
|
5 |
DDoS attacks |
High |
Medium |
|
6 |
Website security and security certificate |
Medium |
Low |
|
7 |
Geoblocking and long response time |
High |
High |
|
8 |
Mismanagement in between stakeholders |
Medium |
Medium |
|
9 |
Technical failure of hardware and software |
Medium |
Medium |
|
10 |
Lack of statement of work |
High |
Medium |
Risks
Table 1: Risk matrix
|
Risk ID |
Risk |
Risk description |
Risk Mitigation |
Severity |
Owner |
|
1 |
Design and manage |
A major transformation as such required proper management but the ABS took the nature and complexity of the project lightly. |
Pre-planning and proper management structure. |
High |
Project Sponsor |
|
2 |
Expectations of public |
Media coverage related to the fines and other such events panicked the people and they took to the call centers and the enormous amount of requests could not be handled by the system. |
Communicating well with the panicked people. |
High |
Human resource manager |
|
3 |
Privacy implications |
The names and address were to be retained and it was a serious privacy issue for the people as there sensitive data could be misused in this way. |
Act according to the privacy and data policy of the country. |
High |
Project manager |
|
4 |
Choosing partner wisely |
IBM was responsible to provide e-Census application but it failed in this venture. Thus partners should be chosen wisely and a regular check should be done to ensure that work is progressing in the right direction |
Frequent meetings keeping a check on the updates. |
Medium |
Project sponsor |
|
5 |
DDoS attack |
The four DDoS attacks on the website disrupted the system forcing the ABS to go offline. |
Anti-DDoS software should have been in place. |
High |
IT head |
|
6 |
Website security and security certificate |
Old users shift to using SHA1. |
The security officer needs to convince the old users to shift to SHA2. |
Medium |
It head |
|
7 |
Geoblocking and long response time |
The only security measure in place and the response time was long. |
Fast response system. |
High |
IT head and project manager |
|
8 |
Mismanagement in stakeholders |
NextGen said that inspite of its recommendations to take preventive measures for DDoS attacks; IBM did not take any heed to do the same. |
Meetings and discussions on regular basis. |
Medium |
Project manager |
|
9 |
Technical failure of hardware and software |
Technical systems failure. |
Test of the technical systems for various attacks. |
Medium |
IT head |
|
10 |
Lack of statement of work |
No proper and organized structure for implementation of the e-Census. |
Structuring and organizing work. |
High |
Project manager |
Table 2: Risk register
Lack of proper encryption of the data
The Australian Bureau of Statistics was in new again when it was found to be using insecure encryption format to safeguard the sensitive informations of the citizens. Tests conducted on the encryption technique being used revealed that the website was making use of SHA-1 algorithm which had been long before tagged as insecure. The Australian Signals Directorate had deprecated SHA-1 from the list of its approved cryptographic algorithms in the year 2011 as it was found to be prone to attacks. Similar verdict was provided by the US National Institute of Standards and Technology and SHA-1 was not supposed to be trusted after January 2014. The ABS defended itself by saying that some of the old browsers and operating systems exclusively support SHA-1 and thus to enable citizens with these older versions SHA-1 had been retained (McLeod, 2017). The sensitive information of the citizens was still at risk of being misused or mishandled owing to the man-in-the-middle downgrade attack. The man-in-the-middle attack downgrades the encryption version in the computer by making use of backwards compatibility and at the same time increases the chances of the citizen’s data to be intercepted. The ABS failed in implementing forward secrecy that would have been effective in protecting the past communications along with the sessions from compromise.
Hash tag Censusfail- Citizens’ concerns
The security issues are a matter of concern as ABS will be using the names and the addresses of the citizens collected under the Census for the sole purpose of linking data. The public is concerned about the privacy of their data and the future implications of the changed policy (Cross, 2016). Citizens took to twitter to voice their protest on the changed policy of ABS urging them to reconsider or reverse their decision. Many of the citizens were promising to boycott the survey if the changed policy nit reversed. All the protests and concerns did not succeed in changing the decision of ABS.
The ABS attributed the extensive outage of its census website on the four denial-of-service attacks but assured the citizens that the informations collected till date was safe with them. As per the statement of the officials at ABS, “The 2016 online Census form was subject to four denial-of-service attacks of varying nature and severity”. The first three attacks did not cause much disruption but after the fourth attack, the ABS shut the system so that the integrity of the data is ensured. The citizens took to the social media platforms to complain about the inability to access the website of the Census. The crash of the website added to the already happening battle of using the name and addresses.
Impact
McCormack, the Minister in charge of the Census of 2016 was of the opinion that the crash of the website was the result of four DoS attacks along with the failure of geoblocking and the collapse of the Telstra router (Wang, Zheng, Lou & Hou, 2015). Later on the Telstra was denied of having any link with the crash of the website. McCormack said that the systems were purposely shut down as a precaution to the attacks.
The Digital Transformation Agency is encouraging cloud based services at a higher rate providing agencies with the enhanced power over the certifications in its process involved in rewriting the federal government’s cloud strategy. The new strategy was enacted as a replacement of 2014 cloud computing policy and this has been designed to support those agencies that are supporting the cloud services. The ABS wanted secure cloud hosting as the solution to the attacks on the website (Mann, 2018). For the 2021 Census the agency has already started searching for providers those who are highly experienced to design, host as well as support digitals service for the Census of 2021. The perturbation algorithm was found to be faulty but the ABS authorities were of the opinion that the vulnerability was fixed.
Conclusion
The main reasons behind the attacks can be attributed to IBM’s service provider NextGen and Vocus, NextGen’s upstream supplier for disruptions in geoblocking functions and collapse of router. The ABS should not have solely relied on the geoblocking function for the purpose of security as if it had made use of other methods the attacks could have been avoided.
References
Cross, C. (2016). Submission to the Senate Standing Committees on Economics on 2016 Census.
Mann, M. (2018). Privacy in Australia: Brief to UN Special Rapporteur on Right to Privacy.
Mann, M., & Rimmer, M. (2016). Submission to the Senate Economics References Committee on the 2016 Census. Submission to the Federal Parliament of Australia.
McLeod, F. (2017). Legal practice: Cybersecurity must be for firms. Bulletin (Law Society of South Australia), 39(8), 14.
Tam, S. M., & Clarke, F. (2015). Big data, official statistics and some initiatives by the Australian Bureau of Statistics. International Statistical Review, 83(3), 436-448.
Wang, B., Zheng, Y., Lou, W., & Hou, Y. T. (2015). DDoS attack protection in the era of cloud computing and software-defined networking. Computer Networks, 81, 308-319.
Williams, L. (2016). NDIS: No quality or secure guidelines. Green Left Weekly, (1106), 12.
Xiao, P., Qu, W., Qi, H., & Li, Z. (2015). Detecting DDoS attacks against data center with correlation analysis. Computer Communications, 67, 66-74.
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
