ABS preparedness of 2016 Census from DDoS attacks and exfiltration of user submitted data

Alfie John made this Freedom of Information request to Australian Bureau of Statistics

This request has been closed to new correspondence from the public body.

The request was refused by Australian Bureau of Statistics.

Dear Australian Bureau of Statistics,

I request to know more about the preparedness of the ABS (Australian Bureau of Statistics) from a) DDoS (Distributed Denial of Service) attacks, and b) the exfiltration of user submitted 2016 Census web form data.

COMPROMISED:

Within the Senate Inquiry into the handling of the 2016 Census, the Prime Minister's Special Adviser on Cyber Security (Alastair MacGibbon) submission contained the following quote:

“there was outbound traffic from the eCensus system, and the fear was it was 'potentially malicious'”

Contrary to this, on the 9th of August 2016, a government spokesperson reported by the ABC (Australian Broadcasting Corporation) said:

“No census data was compromised and no data was lost”

I request the following:

- What metrics were used to determine that the outbound traffic could have been “potentially malicious”

- What system(s) were able to detect that the outbound traffic from the eCensus system was “potentially malicious”

- Did this “potentially malicious” outbound traffic contain some user submitted 2016 Census web forms data

- Which countries were the “potentially malicious” outbound traffic destined to

- How much traffic (in bytes) was measured for the “possibly malicious” outbound traffic

- Email correspondence between ABS and ASD (Australian Signals Directorate) and/or ACSC (Australian Cyber Security Centre) in relation to said detected “potentially malicious” outbound traffic

DDoS TRAFFIC:

News reports by the ABC state that the ABS online monitoring systems:

“detect[ed] a significant increase in traffic”

I request the following:

- What metrics and/or thresholds were used to determine that the 2016 Census web form needed to be taken offline

- Could I have a copy of all documents that state said metrics and/or thresholds

- Graphs of aggregated (i.e total and anonymised) web request counts, at a resolution of per minute, to the ABS website servers, between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) request bytes transferred, at a resolution of per minute, to the ABS website servers between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) web request counts, at a resolution of per minute, to ABS’ DDoS Mitigation provider(s) between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) request bytes transferred, at a resolution of per minute, to ABS’ DDoS Mitigation provider(s) between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) web response counts, at a resolution of per minute, from the ABS website servers between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) response bytes transferred, at a resolution of per minute, from the ABS website servers between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) web response counts, at a resolution of per minute, from ABS’ DDoS Mitigation provider(s) between the 1st of June 2016 to the 28th of September 2016

- Graphs of aggregated (i.e total and anonymised) response bytes transferred, at a resolution of per minute, from ABS’ DDoS Mitigation provider(s) between the 1st of June 2016 to the 28th of September 2016

- Email correspondence between ABS staff and ABS’ DDoS Mitigation provider(s) in relation to the detection(s) of significant increase in traffic between the 8th of August 2016 to the 28th of September 2016

- Email correspondence between ABS staff in relation to the detection(s) of significant increase in traffic between the 8th of August 2016 to the 28th of September 2016

- Email correspondence between ABS and ASD (Australian Signals Directorate) and/or ACSC (Australian Cyber Security Centre) in relation to the detection(s) of significant increase in traffic between the 8th of August 2016 to the 28th of September 2016

- Email correspondence between ABS staff in relation to taking the 2016 Census web form offline between the 8th of August 2016 to the 28th of September 2016

DDoS MITIGATION:

The ABS submission to the Senate Inquiry quotes:

"DDoS protection systems were not independently tested"

I request the following:

- Could I have a copy of the Statement of Work, and Master Service Agreement, between the ABS and ABS’ DDoS Mitigation provider(s)

- Email correspondence between ABS and ABS’ DDoS Mitigation provider(s) regarding "independent testing" of the DDoS protection systems as mentioned in the above Senate Inquiry, between the 1st of January 2016 to the 28th of September 2016

- Email correspondence between ABS and ABS’ DDoS Mitigation provider(s) about “operational preparedness and resilience to DDoS attacks” as mentioned in the above Senate Inquiry, between the 1st of January 2016 to the 28th of September 2016

- Any evidence of load/performance testing performed on the ABS web servers between the 1st of January 2016 to the 28th of September 2016

Yours faithfully,

Alfie John

Christina Hill, Australian Bureau of Statistics

1 Attachment

Dear Mr John
I refer to your application in which you seek access to documents under
the Freedom of Information Act 1982 (ABS reference FOI 201617/42). We
acknowledge your request and have attached it below.

(See attached file: FOI 201617- 42.docx)

Your request was received by the ABS on 28 September 2016 and the 30 days
statutory period for processing your request commenced from that date.  If
this request will take longer than 30 days to process, we will contact you
to negotiate an extension of time.

You will be notified of any charges in accordance with the Freedom of
Information (Fees and Charges) Regulations, should they apply, in relation
to your request as soon as practicable.

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

References

Visible links
1. mailto:[ABS request email]
2. http://www.abs.gov.au/

Christina Hill, Australian Bureau of Statistics

1 Attachment

Dear Mr John

This email refers to your FOI request (FOI 201617/42) received on 28
September 2016.

The purpose of this email is to advise you, as required under Section 24AB
of the Freedom of Information Act 1982 (FOI Act) that I consider a
practical refusal reason exists under Section 24AA of the FOI Act in
relation to your request.

I have set out my reasons and the actions required by you in the attached
letter.

(See attached file: FOI 201617-42 Practical Refusal Letter.pdf)

The FOI Act requires that you respond to this notice before the end of the
consultation period, which is 14 days from the date of this email.

Kind regards,

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

References

Visible links
1. mailto:[ABS request email]
2. http://www.abs.gov.au/

Dear Christina Hill,

I have narrowed the initial scope of my FOI:

COMPROMISED:

Within the Senate Inquiry into the handling of the 2016 Census, the Prime Minister's Special Adviser on Cyber Security (Alastair MacGibbon) submission contained the following quote:

“there was outbound traffic from the eCensus system, and the fear was it was 'potentially malicious'”

Contrary to this, on the 9th of August 2016, a government spokesperson reported by the ABC (Australian Broadcasting Corporation) said:

“No census data was compromised and no data was lost”

I request the following:

- What metrics were used to determine that the outbound traffic could have been “potentially malicious”

- What system(s) were able to detect that the outbound traffic from the eCensus system was “potentially malicious”

- Did this “potentially malicious” outbound traffic contain user submitted 2016 Census web forms data

- Which countries were the “potentially malicious” outbound traffic destined to

- How much traffic (in bytes) was measured for the “possibly malicious” outbound traffic

DDoS TRAFFIC:

News reports by the ABC state that the ABS online monitoring systems:

“detect[ed] a significant increase in traffic”

I request the following:

- What metrics and/or thresholds were used to determine that the 2016 Census web form needed to be taken offline

- A graph of aggregated (i.e total and anonymised) web request counts to the ABS website servers, between June 2016 to at least the 15th of September 2016

- A graph of aggregated (i.e total and anonymised) request bytes transferred to the ABS website servers between June 2016 to at least the 15th of September 2016

Note: The above graphs will already exist within the ABS' web team's, or their NOC's (Network Operations Center), server monitoring systems, so this should take minimal time to retrieve.

DDoS MITIGATION:

The ABS submission to the Senate Inquiry quotes:

"DDoS protection systems were not independently tested"

I request the following:

- Could I have a copy of the Statement of Work, and Master Service Agreement, between the ABS and ABS’ DDoS Mitigation provider(s)

Yours sincerely,

Alfie John

Wolfgang Hertel, Australian Bureau of Statistics

Dear Mr John

Following your correspondence to the FOI Contact Officer on 30 September
2016, I have reviewed your narrow scope and consulted with relevant
business areas within the ABS. At this time, I am of the opinion that your
request continues to fall into scope of a practical refusal. I recommend
that you consider the following options to guide you in further refining
your request such that a practical refusal reason no longer exists.

Firstly, components of your request are posed as questions and I recommend
that, as per the FOI Act, you request specific documents so that the ABS
can more effectively identify the information that you seek. Secondly, if
you are able to prioritise the components of your request, the ABS FOI
team can then inform you at what stage the request falls into scope for
practical refusal. This will afford you the best likelihood of receiving
the information that you desire most.

Given that it has taken some time for the ABS to respond to your narrowed
scope, and subject to your agreement, I am prepared to extend the
consultation period by 7 calendar days so that you must respond to this
notice by 21 October 2016.

If you do not provide your agreement then the consultation period will end
on 14 October 2016.

Kind Regards

FOI Contact Officer

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

The [3]ABS Privacy Policy outlines how the ABS handles any personal
information that you provide to us.

References

Visible links
1. mailto:[email address]
2. http://www.abs.gov.au/
3. http://www.abs.gov.au/privacy

Dear Wolfgang Hertel,

Thank you for reminding me that I'm supposed to be requesting documents rather than asking for questions to be answered.

I have narrowed the initial scope of my FOI request. I request the following.

HIGHEST PRIORITY:

- Email correspondence created or received by ABS staff between the 8th of August 2016 to at least the 15th of September 2016 containing the words "malicious", "hack", "hacked", "Russia", or "China"

MEDIUM PRIORITY:

- A graph of aggregated (i.e anonymised) web request counts to the ABS web servers, between June 2016 to at least the 15th of September 2016

- A graph of aggregated (i.e anonymised) web request byte counts to the ABS web servers between June 2016 to at least the 15th of September 2016

Note: These graphs already exist within the ABS' web team's or their NOC's (Network Operations Center) server monitoring systems. As such, this should take minimal time to retrieve

LOW PRIORITY:

- Statement of Work, and Master Service Agreement, between the ABS and ABS’ DDoS Mitigation provider(s)

Again, thank you.

Sincerely,

Alfie John

Emily Covington, Australian Bureau of Statistics

Dear Mr John

In response to your correspondence to the FOI Contact Officer on 13
October 2016 where you had narrowed the initial scope of your FOI request,
the first part of your request is likely to be very large as the scope is
all ABS staff and there is no restriction on time period. Therefore we
recommend that you narrow your request by (1) specifying a date range and
(2) specifying specific staff or areas (e.g. IT staff, Census staff).

As per an earlier email sent to you on 10 October 2016, we need your
agreement today (14 October 2016) in order to extend the consultation
period to 21 October 2016 (7 calendar days), otherwise the consultation
period will end today.

Kind Regards

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

References

Visible links
1. mailto:[ABS request email]
2. http://www.abs.gov.au/

Dear Emily Covington,

"we need your agreement today (14 October 2016) in order to extend the consultation period to 21 October 2016"

Yes, please extend the consultation period.

Yours sincerely,

Alfie John

Emily Covington, Australian Bureau of Statistics

1 Attachment

Dear Mr John

Thank you for confirming your agreement to extend the consultation period.
The consultation period will now end on 21 October 2016.

Kind Regards

FOI Contact Officer

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

The [3]ABS Privacy Policy outlines how the ABS handles any personal
information that you provide to us.

Danielle Gillett, Australian Bureau of Statistics

1 Attachment

Dear Mr John,

In response to your revised FOI request received on 14 October 2016, I
wish to advise you, as required under Section 24AB of the Freedom of
Information Act 1982 (FOI Act) that I consider a practical refusal reason
exists under Section 24AA of the FOI Act.

I have set out my reasons in the attached letter.

(See attached file: FOI 201617-42 Response.pdf)

Should you have any questions regarding this please feel free to contact
the ABS FOI Contact Officer on: 02 6252 7203 or email:
[1][ABS request email]

Kind Regards

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [2][ABS request email]   (W)  [3]www.abs.gov.au

The ABS Privacy Policy outlines how the ABS handles any personal
information that you provide to us.

References

Visible links
1. mailto:[ABS request email]
2. mailto:[ABS request email]
3. http://www.abs.gov.au/

Dear Australian Bureau of Statistics,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Australian Bureau of Statistics's handling of my FOI request 'ABS preparedness of 2016 Census from DDoS attacks and exfiltration of user submitted data'.

Unless I have received the wrong information, it is my understanding that each FOI request is allocated 5 hours to gather the requested resources. If the estimated time to gather the requested resources is over the 5 hours, a refusal is made.

It is my opinion that the MEDIUM and LOW parts of my request should take no time at all as there is nothing to censor, and nothing needs to be generated as the resources already exist in their requested form.

As for the HIGHEST PRIORITY section, a quick search of the ABS email store would also take no time to gather.

In my opinion, the longest time to process my FOI request would be in the censoring of any personally identifying information that is not of the public interest. Now unless there were so many internal emails about hacking (which suggests an even bigger problem), this would in no circumstance that I could conjure, take the allocated time for the request. This is why I am requesting an internal review of my FOI request.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/a...

Yours faithfully,

Alfie John

Danielle Gillett, Australian Bureau of Statistics

Dear Mr John,

I refer to your email of 14 November 2016 in which you sought an internal
review of the decision made under the Freedom of Information Act 1982 (FOI
Act) relating to your FOI request (ABS reference FOI 201617/42).

Your request was received by the ABS on 14 November 2016 and the 30 days
statutory period for review commenced from that date.

You will be notified of the outcome of this review in line with statutory
time frames.

Kind Regards

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [1][ABS request email]   (W)  [2]www.abs.gov.au

The ABS Privacy Policy outlines how the ABS handles any personal
information that you provide to us.

References

Visible links
1. mailto:[ABS request email]
2. http://www.abs.gov.au/

Danielle Gillett, Australian Bureau of Statistics

1 Attachment

Dear Mr John,

In response to your request for an internal review on 14 November 2016,
please find attached the formal response from the ABS.

Should you have any questions regarding this please feel free to contact
the ABS FOI Contact Officer on: 02 6252 7203 or email:
[1][ABS request email]

(See attached file: FOI 201617-42 - Internal Review Decision.pdf)

Kind Regards

FOI Contact Officer 

Australian Bureau of Statistics 

(P) (02) 6252 7203 

(E) [2][ABS request email]   (W)  [3]www.abs.gov.au

The ABS Privacy Policy outlines how the ABS handles any personal
information that you provide to us.

References

Visible links
1. mailto:[ABS request email]
2. mailto:[ABS request email]
3. http://www.abs.gov.au/