The blame-game continues over the census shutdown, with technology contractor IBM in a spat with its own sub-contractors.
As representatives prepare to face a parliamentary grilling about the August meltdown of the national survey, debate continues about who was at fault and why so-called distributed denial-of-service (DDoS) attacks were able to overwhelm the system.
IBM, which won a tender to develop and run the eCensus, says it deeply regrets the inconvenience to the Australian public and the government shutting down the system had.
But the company insists it anticipated and planned for the risk of DDoS attacks, using protection known as geo-blocking ("Island Australia" inside IBM) and Australians should have no reason to fear personal information was exposed.
Related reading
Census shutdown to cost taxpayers $30m
IBM says both the Australian Bureau of Statistics and the Australian Signals Directorate were aware it planned to use geo-blocking.
The fourth DDoS attack which struck the census website on the evening of August 9 was foreign-sourced and came when IBM had already directed NextGen that geo-blocking was to be put in place, it claims.
"Had NextGen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent this DDoS attack and the effects it had on the eCensus site," IBM says in its submission to a Senate committee.
The geo-blocking had been tested prior to census day and had been working, it adds.
Vocus denies the fourth DDoS attack caused the site to become unresponsive.
"The fourth attack comprised of attack traffic which peaked at 563Mbps which is not considered significant in the industry, and lasted 14 minutes ... such attacks would not usually bring down the census website," it says in its submission.
The cause was IBM workers falsely identifying normal traffic patterns as data exfiltration.
"Vocus was not informed of IBM's DDoS mitigation strategy, Island Australia or its specific requirements, until after the fourth attack."
Nextgen says it wasn't privy to "Island Australia" until July 20, just six days before the eCensus site went live.
IBM accepts the shutdown means it did not deliver its obligation to make sure the website was available 98 per cent of the time between 7pm and 11pm on August 9.
It also revealed there have been further DDoS attacks on the site, which have all been successfully defended against.
The prime minister's special advisor on cyber security Alastair MacGibbon, who is conducting a review of the events, hasn't yet finalised his findings.
But he has already concluded there was a failure in the geo-blocking service during the fourth denial-of-service attack.
Simultaneously a monitoring system indicated there was outbound traffic from the website, feared to be malicious and now known to be a "false positive".
"Those responsible for the denial-of-service attacks have not yet been identified," he says.
In its submission, the ABS says the attacks should not have been able to disrupt the system.
"Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future."
Representatives from the ABS, IBM and Mr MacGibbon will all appear before a parliamentary hearing on Tuesday in Canberra.
The chief statistician admitted to Senate estimates last week the shutdown cost taxpayers up to $30 million.
