It was reported that Australia’s census was attacked back in August. The Census Bureau reported on Twitter that they were attacked and their site was down from a DDoS attack. They had to take measures to let people know there would be no fines leveraged from folks unable to complete their online census:
The cyber security adviser to the PM said this was imminently predictable. Nobody has said for certain what the motivation was other than it was “hackers” who did this. I’m not sure I would agree that someone having the skill of a hacker these days is required to launch a DDoS attack. We’ve illustrated for many years how easily someone can rent a botnet for as little as $10 an hour to launch sophisticated DDoS attacks.
What would it have looked like had it been launched by hackers with a motivation? If someone wanted to disrupt the census to change the allocation of funds for a city, town or village, could that change the budget for education? We’ve seen a rise in false information filing in the USA with fraud being committed for IRS Tax Return filings. Could this be possible to disrupt or change budgets with false information?
What if the attackers were using DDoS as a smoke screen to distract the people managing their site while they actually find vulnerabilities? Could a data loss have happened while they were busy working to restore service? Personal data is key for hackers to exploit other systems for financial gains. How valuable would the census data be for accelerating financial fraud?
DDoS prevention and DDoS mitigation isn’t the only thing that would have been needed in order to have assuredness of data integrity and data confidentiality. Because an IP address is not a valid identifier, how do they know unique users were the ones filing the online forms? Device fingerprinting and anti-bot technologies could have given them greater visibility into the users of the system. From all of the articles published on this, I’ve not seen any methodologies or data that would suggest they have the tools to know whether or not the data integrity is there.
This last weekend in the United States, a city municipality was taken hostage when their light rail system was compromised for ransom. We’ve seen many instances of governments paying this kind of ransom as well as healthcare and other sectors. What if the data was lost from the census or encrypted with malware? Could the next attack on a census result in something similar? What would the implications be if the census data was encrypted for a ransom?
Perhaps the lesson to learn from this is to make sure you know what to ask for in your contracts with your application service providers. Is DDoS protection enough? What about application layer protection and anti-bot technologies?