Suspect a DDoS attack? Double-check before you cry foul

Credibility of digital transformation-minded Australian government in tatters after social-benefits website implodes


The Australian government has been left red-faced, not for the first time, after admitting an alleged distributed denial-of-service (DDoS) attack — which hobbled critical social-welfare systems on the day after coronavirus shutdowns left almost 1 million people unemployed — turned out to be nothing more than a gross policy miscalculation.

Stuart Robert, the federal minister for government services, admitted that the crash of the country’s Centrelink website was a “my bad” due to a gross underestimation of the expected demand for access to the site.

Amidst a flurry of admonition, reports suggested the website of MyGov, the digital front end to government agencies including social-security administrator Centrelink, had been dealing with 6,000 concurrent users last week but collapsed after being pummelled with what was later said to be up to 95,000 concurrent users.

Australians were queued outside Centrelink for hours — many for the first time ever — the day after harsh widespread government shutdowns meant to reduce infections of the COVID-19 virus destroyed hundreds of thousands of hospitality jobs after pubs, social clubs, restaurants, churches and other non-essential businesses were closed for an indeterminate period of time.

The number of people on the government’s Jobseeker unemployment benefits is expected to grow from 700,000 to as many as 1.7 million as the coronavirus shutdowns bite business hard in the next few months.

Will the ‘digital’ Australian government never learn?

Even as recriminations flew — opposition government services minister Bill Shorten weighed in, arguing that the MyGov site “has once again crashed despite demand being entirely foreseeable” — the events dredged up the disastrous spectre of the country’s 2016 Census, which was the first to be held online and was sabotaged by a massive DDoS attack.

Forensic analysis of that attack suggested the responsible government authority, the Australian Election Commission (AEC), had decided not to opt into a DDoS protection service from outsourcer IBM Australia — leaving it wide open to what turned into a 40-hour site outage.

IBM ended up paying $30 million in compensation amidst the finger-pointing after the disaster, but government cyber security advisor Alistair MacGibbon warned in an audit that the event was “a serious blow to public confidence in the Government’s ability to deliver on public expectations.”

More than three years later, the MyGov outage suggests the government has learned little from that experience — a theme that has been playing out in federal and state agencies for many years.

“People are worried about paying their rent and what’s going to happen to their family,” opposition leader Anthony Albanese tweeted. “They shouldn’t be worried about whether a government website is even going to work. We’ve got to do better than this.”

Keeping government’s digital transformation on track

Chronic missteps like these are hardly a ringing endorsement for a government that has spent years pushing aggressively towards cloud-led digital transformation.

With poor planning tainting yet another major social-services initiative, the government will have to work harder than usual to restore credibility around its Digital Transformation Strategy 2018-2025 — which is pegged on becoming a “world-leading digital government” by 2025, with Centrelink overseer Services Australia a key instrument for delivery.

“Recent evidence would suggest that Australians don’t trust their government with their data,” observed associate professor Michael Cowling, an ICT lecturer with the CQ University School of Engineering and Technology. He warned that Australians have a difficult “existing social contract” with the government that is tainted by their “implicit distrust”.

The tenuous relationship was highlighted when more than 1 million Australians recently opted out of the government’s My Health Record e-health initiative, he said. It is an example of the “uphill battle” the government faces in convincing Australians to trust the integrity of its digital transformation.

Robert’s department also weathered the scandal of its illegal ‘Robodebt’ system, which clawed back often improperly calculated debts from social-services recipients.

Lessons from the Centrelink failure for CSOs

Having failed to smoothly manage the government’s support of the largest employment drop in Australia’s history, Robert is trying to claw back credibility around the site, which has been provisioned with more bandwidth and is reportedly handling peak demand better now.

The MyGov site handled more than 3.2 million logins in the last 20 hours, he tweeted, requesting patience as the government dealt with the “immense” challenge of dealing with “extraordinary demand”.

Among the many lessons from this fiasco is a warning for CSOs not to jump to conclusions when dealing with unexpected service issues. Although cyber criminals are regularly causing disruption for all manner of reasons — denial-of-service volumes in Australia have become so bad that DoS-fighting firm Prolexic opened a data-scrubbing centre in Melbourne last year — ensure your forensic analysis considers all options, including simple system misconfiguration or arbitrary capacity limits, before attributing an outage to an attack.
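As an added illustration of that triage step (this is not code from the article or from Services Australia), the Python below profiles a traffic surge from access-log lines and reports whether it is concentrated in a few sources, paths or client strings before anyone calls it a DDoS; the log format, the thresholds in `verdict()` and the two fixtures are assumptions constructed for the example.

```python
import re
from collections import Counter

LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')  # combined log format

def parse(lines):
    """Parse access-log lines, silently skipping malformed ones."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def surge_profile(lines):
    """Summarise how concentrated a traffic surge is by source, path and client string."""
    recs = parse(lines)
    n = len(recs)
    ips = Counter(r["ip"] for r in recs)
    paths = Counter(r["path"] for r in recs)
    uas = Counter(r["ua"] for r in recs)
    return {
        "distinct_ips": len(ips),
        "top10_ip_share": sum(c for _, c in ips.most_common(10)) / n,
        "top_path_share": paths.most_common(1)[0][1] / n,
        "top_ua_share": uas.most_common(1)[0][1] / n,
        "error_rate": sum(r["status"].startswith("5") for r in recs) / n,
    }

def verdict(profile, observed_concurrent, provisioned_concurrent):
    """Assumed thresholds; a large botnet can look diffuse, so also check netflow and auth-success rates."""
    if profile["top10_ip_share"] > 0.5 or profile["top_ua_share"] > 0.95:
        return "concentrated sources: probable DoS, confirm with netflow/WAF data"
    if observed_concurrent > provisioned_concurrent:
        return "diffuse demand above provisioned capacity: scale out, not a DDoS"
    return "within capacity: check configuration and application errors"

def constructed_flash_crowd(users=400):
    """Constructed fixture: many clients, a few requests each, varied paths and browsers."""
    paths = ["/login", "/claim/new", "/dashboard", "/static/app.js"]
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3)",
           "Mozilla/5.0 (X11; Linux x86_64)"]
    lines = []
    for i in range(users):
        for k in range(1 + i % 3):
            status = 503 if (i + k) % 10 < 3 else 200  # overloaded backend shedding load
            lines.append(f'10.0.{i // 256}.{i % 256} - - [24/Mar/2020:09:00:00 +1100] "GET '
                         f'{paths[(i + k) % 4]} HTTP/1.1" {status} 512 "-" "{uas[i % 3]}"')
    return lines

def constructed_flood(bots=6, per_bot=150):
    """Constructed fixture: a handful of sources hammering one endpoint with one client string."""
    return [f'198.51.100.{b} - - [24/Mar/2020:09:00:00 +1100] "POST /login HTTP/1.1" '
            f'503 0 "-" "python-requests/2.22"' for b in range(bots) for _ in range(per_bot)]
```

Call `verdict(surge_profile(lines), observed, provisioned)` with the real concurrency figures; for the MyGov case the article reports 6,000 concurrent users provisioned against up to 95,000 observed.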

Better alignment and co-ordination between your security operations group and the development team — a specialisation called devsecops — has rapidly grown in importance by helping avoid misunderstandings and unmet expectations. If the company is planning new policies, products or services, those business units must work closely with security and operational staff to ensure all parts of the technology business are operating in lockstep — and that there are no surprises come go-live.

Robert’s knee-jerk assumption that the outage was caused by a denial-of-service attack wasn’t completely unfounded: government cybersecurity agency the Australian Cyber Security Centre (ACSC) warned in February that Australian organisations were being threatened with denial-of-service attacks unless they paid ransoms.

However, none of the threats had actually led to payment of ransoms, the ACSC said while offering guidance for dealing with denial-of-service attacks and advising organisations that “well-prepared organisations should be able to operate effectively despite these threats and any potential DoS.”

Copyright © 2020 IDG Communications, Inc.
