date 2016-10-25
(Recasts on IBM compensation, adds ABS comments)
By Byron Kaye
SYDNEY Oct 25 International Business Machines
Corp said on Tuesday it plans to compensate the
Australian government for a "malicious" cyber-attack that shut
down a national census, but blamed two domestic internet
providers for the security lapse.
IBM was the lead contractor for the five-yearly Aug. 9
household survey by the Australian Bureau of Statistics (ABS)
which went offline that day after four distributed denial of
service (DDoS) attacks, caused by the website being flooded with
clicks.
The breach embarrassed a government which has sought to
impress voters with its cybersecurity credentials and plans to
trial online elections. The census is already
controversial because of privacy concerns.
"I am confident we'll be able to achieve some kind of
outcome in the very near future," IBM Australia and New Zealand
managing director Kerry Purcell told a Senate inquiry into the
matter, without discussing terms of the negotiations.
He added that IBM was helping a police investigation but
declined to say who he suspected was behind the attack.
He said that the attacks were launched through a router in
Singapore and blamed Australian ISP Vocus Communications Ltd,
a subcontractor of Nextgen Networks Pty Ltd, for
failing to shut it down.
"We had repeated assurances from the ISP that the
appropriate protocol was in place," Purcell said.
In a written submission to the inquiry, IBM said its
preferred anti-DDoS measure, which it calls "Island Australia",
involves "geoblocking", or getting the company's ISPs to shut
down offshore traffic coming into the country.
In a written submission to the inquiry, Nextgen said IBM
told it about "Island Australia" six days before the census
website went live in July, and that IBM declared a test of the
strategy four days before the census a success.
It said Nextgen followed IBM's instructions, but noted that
IBM rejected Nextgen's offer of additional anti-DDoS detection
measures.
Vocus said in a submission that it told Nextgen the week
before the census that it "did not provide geoblocking" and that
"Vocus was in fact requested to disable its DDoS protection
product covering the e-Census IP space".
It did not specify who gave that instruction.
ABS chief statistician David Kalisch said he was confident
IBM could deliver on its A$10 million ($7.63 million) contract
based on "the comments and exhortations that IBM had made to the
ABS about the importance of this work" beforehand.
($1 = A$1.3)
(Reporting by Byron Kaye; Editing by Nick Macfie)