The Prime Minister's special adviser on cyber security has told the Senate the denial of service attacks on the census website were small and predictable and should not have brought it down on census night.
Malcolm Turnbull now has the report Alastair MacGibbon conducted on behalf of the Prime Minister to determine "which heads will roll and when" as a result of the debacle.
"They were indeed small attacks," Mr MacGibbon told a Senate committee on Tuesday. "The attacks were around three gigabits per second. To have some comparison, it's not uncommon now to see attacks of 100 gigabits per second, and some of the attacks against some of the internet infrastructure such as domain name servers are up to 1000 gigabits per second.
"There was a massive difference between the size of the attacks on the Bureau of Statistics' census website and the ones that are encountered routinely by corporations and governments."
While the bureau had contracted IBM to defend its sites against attacks, its behaviour after awarding the contract was similar to that of a homeowner who employed a builder but then rarely went on site to check how work was progressing, he said.
The bureau's back-up plan to protect the site if denial of service attacks couldn't be overcome was logically flawed.
Labelled "Island Australia", it was to ask IBM to block traffic from overseas. But the password reset facility IBM used was hosted offshore and relied on traffic coming in from overseas to give Australians that password, suggesting it hadn't been properly thought through.
Larger failures were that IBM was unable to implement Island Australia in any event and that ABS staff misread a report they thought suggested census data could have been leaving the system as a result of hacking and decided to shut the system down.
IBM was for many hours unable to restart it because it had incorrectly coded a router connecting to Telstra, so that when it was turned off the coding "fell out", turning it into a "dumb unit" that had to be recoded.
Had the router been turned off and then turned on again as a test, the error would have been discovered.
"Had the router been properly configured, and had the router when it had been turned off fired back up again, then we wouldn't have a problem," Mr MacGibbon said. "But the most significant problem was really the misinterpretation of the traffic on the load monitoring system. We wouldn't have had the problem if the people monitoring the system had properly monitored the system, which was functioning oddly."
Millions of Australians were unable to complete the census on census night as a result of the shutdown and were locked out of the site for two days.
Mr MacGibbon delivered his report to Mr Turnbull on October 14.
IBM Australia managing director Kerry Purcell told the hearing no IBM staff had been dismissed as a result of the failure of the census website and none had been disciplined.
IBM had offered to pay the extra costs the ABS incurred as a result of the outage, estimated by the ABS to be $30 million. It is in "commercial negotiations" with Secretary of the Treasury John Fraser.
Mr MacGibbon also criticised the closeness of the bureau to IBM, saying there was a degree of "vendor lock-in", where the ABS saw IBM as a natural partner because it had worked with it in the past.
A representative of Capability Driven Acquisition, the company that advised the ABS on hiring IBM, said several other potential bidders had told it there was little point in competing against IBM because it would win the contract.
The bureau's chief, David Kalisch, told the committee he would have considered an open tender had "IBM not been able to satisfy the ABS that it could deliver".
One of many "learnings" the bureau had taken from the experience was that it might be worthwhile running the next census in-house and that the slogan "Get Online on August 9" may have contributed to the problem.
Mr Kalisch defended the bureau's decision to retain the names submitted with this year's census and revealed that in the past no one who declined to submit their name had ever been prosecuted.
A former head of the bureau, Bill McLennan, told the the hearing that in his time the bureau had received legal advice telling it that it lacked the power to compel people to provide names.
In The Age and Sydney Morning Herald