ABS "rattled" PwC Australia's Census code, security

Found and fixed unspecified vulnerabilities.

The Australian Bureau of Statistics (ABS) took no chances with PwC Australia, to which it outsourced the build of the 2021 Census: it “rattled” the Census security setup “pretty hard” and found vulnerabilities in PwC’s code before go-live.

The bureau’s IT security advisor Craig Lindenmayer told the recent AWS Canberra Summit 2022 that ABS had taken onboard the advice of former Australian Cyber Security Centre (ACSC) head Alastair MacGibbon in the way it approached vetting of PwC’s work.

“PwC were doing … their [own] legwork, but as my friend Alastair MacGibbon likes to say, we need to trust but verify the work of our service providers,” Lindenmayer said.

“I'm glad we did because PwC did some great work, but we still found vulnerabilities in their system that needed rectification before we could go live. So you need to do that legwork.”

The process behind the 2021 Census, built by PwC Australia and run on AWS cloud infrastructure, is already extremely well-documented, including the security testing regime it was subjected to.

As documented, the Australian Cyber Security Centre, the ABS and private sector firms participated in a combined “nine major source code security reviews”, 20-plus pen testing exercises, the launch of “the largest DDoS test ever conducted in Australia”, and “20 independent security risk assessments to cover all census systems”.

However, little has previously been said about what any of these assurance activities found.

Asked to clarify what vulnerabilities were found in PwC’s census code, Lindenmayer was non-specific, though indicated they were somewhat hard to identify.

“You find all sorts of vulnerabilities,” he said. “Imagine the OWASP Top Ten, that's the sort of thing we were looking for, except I guess with a very fine-toothed comb by the point we had ACSC looking at the code. 

“We were finding very-hard-to-find vulnerabilities that only sophisticated threat actors would find, but it's typical web application security vulnerabilities.”

On MacGibbon’s advice, the ABS also targeted the 2021 Census Digital Service or CDS with some surprise pen tests.

“We did some penetration testing events that were unannounced, which was a surprise to my friends in PwC,” Lindenmayer said.

“We didn't get through anything, but gee, we rattled the door pretty hard and gave them a bit of a scare.”

The large-scale security testing efforts that went into the 2021 Census came after the high-profile failure of the 2016 Census, which was partly the result of a distributed denial-of-service attack and partly due to the way the Census was architected.

The ABS was criticised for ineffective oversight of the work of its former outsourced service provider, IBM, which appears to be why IBM’s successor, PwC Australia, came in for particular attention and scrutiny this time around.

The 2021 Census was hailed a success.

"When it got to Census night, our security teams had a really quiet night which was just what I was looking for," Lindenmayer said.  

"We had staff working with us, who had worked with us all the way through, from the Australian Cyber Security Centre, who were there and primed on Census night. They were bored out of their brains."

Copyright © iTnews.com.au. All rights reserved.