e-Census load tester Revolution IT claims it was not given a mandate to test against Distributed Denial of Service (DDoS) attacks, yet a curious testimonial from an Australian Bureau of Statistics (ABS) "Technical Director", John Citizen, praises its subject knowledge and advice.
When Fairfax journalist Peter Martin examined the fallout of last week's bungled e-Census in his piece, Code Red: How the Bureau of Statistics bungled the 2016 census, he made mention of the software tester, Revolution IT.
He wrote, “By 7.30pm, as millions of Australians tried to get online at once amid what may have been denial of service attacks, the system crashed and was taken down. It had been built by IBM for $9.6 million and load-tested by Revolution IT for $469,000. ABS robots, set up to automatically respond to tweets, encouraged Australians to continue to try to log on.”
International Business Machines (IBM) had been brought in by the ABS to develop the e-Census system. Initially, the ABS had planned to conduct the e-Census itself but changed direction in 2014.
News editor at iTnews, Allie Coyne, wrote at the time, “Running the Census in-house would help address security perceptions arising from the data being handled from a third-party, the ABS said at the time. It said it also made sense to outsource the project to a third-party rather than deal with the one-off high traffic spike internally.
The agency became 95 percent virtualised after cutting 300 physical servers to 70, which hosted 1500 virtual machines.
But the Bureau of Statistics today confirmed it had decided to once again partner with IBM for hosting of the 2016 eCensus in order to ensure the expected high volumes would be properly managed.”
On Wednesday, the ABS blamed a DDoS for having to take the e-Census offline, affecting the entire country. It appears that neither system builder IBM nor the ABS asked the testing company to simulate a DDoS attack.
Revolution IT examined its own involvement in the fiasco and quickly cleared itself of any wrongdoing. In a statement on its website, the company asked itself three questions, the second of which turns on the scope of its mandate. It classes simulation of a DDoS as a security testing activity, not part of the performance (load) testing it was engaged to do.
Why did the website fail after having been tested for large numbers of users?
This question should be directed to ABS, but according to ABS the website did not fail. It was taken offline due to security concerns. The understanding and difference between security testing and performance testing is important here. DDoS attempts were not part of the performance testing and would have been a security testing consideration which was not part of Revolution IT’s mandate.
Indeed, on its website the company offers both security testing and performance testing among a suite of services.
On security, it states, “Everyone is aware of the threat from hackers: denial of service attacks, website vandalism, data theft and network trespassing.”
For performance, it says, “To accommodate higher traffic levels, you need to have confidence your system can cope. Find out how these performance testing solutions let you analyse and prepare for all kinds of high-capacity scenarios.”
Yet a curious testimonial at the bottom of Revolution IT's website, attributed to ABS Technical Director John Citizen, praises their subject knowledge and advice on the e-Census project.
“Revolution IT worked in a highly collaborative and well organised manner, and their subject knowledge, expertise and advice were key to achieve our project goals and objectives. We were impressed with how well they engaged with our e-Census solution provider (another private company).”
Funnily enough, the ABS organisation chart dated July 4, 2016 lists no position of "technical director" and nobody by the name of "John Citizen" (the standard Australian placeholder name, used on sample forms the way "John Doe" is elsewhere). If the testimonial on its front page is not genuine, what does that say about the overall integrity of the company's e-Census performance data?
Australians may not be given the whole story by any proposed inquiry. The confusion may provide the fog of war the federal government wants. It has already signalled that "national security" may prevent the public from knowing the true origin of the alleged DDoS.
“The information that I have from the Australian Signals Directorate and from the ABS is that the cyber attacks on the census website came from offshore and appeared to originate from the United States,” Prime Minister Malcolm Turnbull said.
[Embedded tweet: David Marler (@Qldaah), August 10, 2016; tweet content not captured]
[Embedded tweet: Insiders ABC (@InsidersABC), August 13, 2016; tweet content not captured]