Sunday, 27 November 2016

Australian #CensusFail 2016 reports by both the Senate and Cybersecurity Special Advisor have been released


Following #CensusFail 2016 Prime Minister Malcolm Turnbull ordered a review of events by Cybersecurity Special Advisor, Alastair MacGibbon.

In what the media is characterising as an excoriating report, a mirror was held up to the Australian Bureau of Statistics – sadly one that it is unlikely to avail itself of given its current leadership.

DPM&C, Office of the Cybersecurity Special Advisor, Review of the Events Surrounding the 2016 eCensus (October 2016):

Not just communications, but engagement…

In most respects, the ABS had a well formed and prepared communications strategy and awareness raising campaign; but it was focussed on the wrong things. The communications problem they needed to address was not a low level of awareness of the Census, but rather, the introduction of a ‘digital first’ approach and the associated barriers to participation – concerns over security and privacy.

The ABS failed to adapt its media and communications in response to the public relations storm that built up in the weeks prior to the Census regarding privacy and security in both mainstream and social media. Instead, ABS rigidly stuck to its plans, forgoing crucial opportunities to influence and drive the conversation around the Census. Processes for approval of campaigns, and changes to them, may need to be changed to promote agility.

On Census night, the ABS severely underutilised social media as a communications tool to keep the public up to date and informed of the incident. The ABS’s lack of timely and transparent communications lost it trust because it opened the door to speculation. The continued slow updates and virtual absence from the media meant that ABS struggled to win back the trust of the public in the following days. Ministers must also be supported with clear and accurate advice, and senior executives must be equipped to understand and talk about cyber security as a matter of business risk……

Reacting to public sentiment

…..The ABS announced public consultation regarding privacy via a media release issued on its website, with a submission period of only four weeks – 11 November to 2 December 2015 (just before Christmas).

The ABS received only three public submissions. Not only should this low response rate have indicated to the ABS that its public engagement on the key issue of privacy was inadequate, it also left a huge vacuum with regard to capturing public concerns. So the ABS missed an opportunity to identify how to evolve its communication plans developed following qualitative research in 2014 to address more up to date concerns.

As a result, the ABS was ill-equipped to manage the impact changes in the Census would have on a small but important segment of the population and their willingness to complete the eCensus online.

In January 2016, seven months out from the Census, the first articles raising concerns about privacy and security of data appeared in the media. More substantial rumblings began in March, with two main themes emerging:

• That the Census was intrusive and no longer anonymous
• The Census was vulnerable to hackers.

The ABS prides itself on the constant measuring of public sentiment and awareness using traditional survey techniques (see Figure 4, page 53). The Review concludes that these surveys contributed to a false sense of security and failure – still at time of writing – to grasp the significance and power of social media groundswells.

Major shifts in public statements regarding the security of the Census began the week prior to Census night, culminating in Senator Nick Xenophon and several other parliamentarians issuing warnings about security and privacy concerns and apparent implementation problems leading to a ‘debacle.’

Prior to the closure of the eCensus form, over 11,000 individual mentions (social and mainstream media) were published voicing concerns about the privacy and security of the eCensus. The closure of the eCensus resulted in 17,730 privacy related mentions, far outweighing mentions (1,200 total) of the technical issues experienced – i.e. what happened (see Figure 4). This coverage created overwhelming ‘noise’ making it difficult for the ABS to remain on message.

The ABS’s planned communications were being drowned out. But rather than trying to adapt its approach to limit the impact the reporting had on the public sentiment toward the Census, the ABS stuck to planned messaging ignoring the public relations storm brewing around them.

The failings of the ABS to address issues of concern in the media extend to its use of social media. Analysis conducted on ABS Twitter and Facebook accounts shows that at no point did the ABS significantly change its planned posting schedule or content as a result of critical media reporting (shown in Figure 5, page 54) and of considerable online chatter around privacy (Figure 4). The ABS did change its social media advertising as well as engage posters directly on social media. But this was not enough.

The ABS’s virtual absence from the privacy and security debate is reflected in its social media crisis escalation matrix – the process designed to monitor, escalate and handle social conversations. The matrix had two main flaws:

1. The ABS’s ‘qualifiers’ (thresholds that had to be met to raise concern) were too high. A ‘red level scenario,’ the highest categorisation for negative conversation, was enacted only if someone had 10,000 plus followers or a post had over 30 engagements.
2. The ABS’s response/action for a ‘red scenario’ was to hold all social media communications.

The ABS’s social media strategy was too restrictive and didn’t allow enough flexibility to respond to changing trends in media and social media. As a result, the ABS missed crucial opportunities to inform the conversation around privacy and security and the benefits of the digital first approach.

When public discourse was rising on the issues, the ABS should have been on the front foot addressing these concerns. Key spokespeople should have been conducting interviews, issuing media releases and engaging on social media to drive the conversation and shape the debate.

While the ABS did eventually start engaging in the mainstream media, it was too little, too late. And on the whole the ABS steadfastly stuck to its communications plans, allowing the media, and subsequently the public, to take the lead role. The ABS failed to insert itself in the conversation and underutilised mainstream and social media as a vehicle to shape the debate around the benefits of a digital first approach.

Recommendations for the Australian Bureau of Statistics

• The ABS should engage an independent security consultant for a wide-ranging examination of all aspects of their information collection and storage relating to Census data – from web application through to infrastructure and policies and procedures.

• The ABS should ensure future significant changes to personal information handling practices are subject to an independently-conducted privacy impact assessment and are supported by broad ranging consultation.

• The ABS should adopt a privacy management plan to enhance its capability to identify and manage new privacy issues.

• The ABS should assess and enhance existing ABS privacy training for staff.

• The ABS should develop a specific strategy to remove the current state of vendor lock-in.

• The ABS should strengthen its approach to outsourced ICT supplier performance management to ensure greater oversight and accountability.

• The ABS should draw upon the lessons it takes from the Census experience to help to guide and to advocate for the cultural change path it is following.

• The ABS’s decision in August to assemble an independent panel to provide assurance and transparency of Census quality is supported and the resulting report should be made public.

• The ABS should implement a targeted communication strategy to address public perceptions about Census data quality.

The ABS should report monthly to their Minister outlining progress against the above recommendations.

Also following #CensusFail the Australian Senate Standing Committees on Economics conducted an inquiry into the preparation, administration and management of the 2016 Census by the Australian Bureau of Statistics.

Its final report 2016 Census: issues of trust made these recommendations:

Recommendation 1
4.81 The committee recommends that all future Privacy Impact Assessments
relating to the census, are conducted externally with the final report published on
the ABS website 12 months in advance of the census to which it relates.

4.82 Following the release of a PIA recommending changes to future censuses,
consultation across the Australian community should be undertaken by the ABS
with the outcomes clearly documented on the ABS website no less than six
months before a future census.

Recommendation 2
4.83 The committee recommends that the ABS update its internal guidelines to
make clear that consultation requires active engagement with the non-government
and private sector.

Recommendation 3
5.46 The committee recommends that the ABS publicly commit to reporting
any breach of census related data to the Office of the Australian Information
Commissioner within one week of becoming aware of the breach.

Recommendation 4
6.89 The committee recommends that the Australian Government commit the
necessary funding for the 2021 census in the 2017–18 Budget.

Recommendation 5
6.90 The committee recommends that the ABS conduct open tendering
processes for future census solutions requiring the participation of the private
sector.

Recommendation 6
6.91 The committee recommends that the ABS give greater attention to
intellectual property provisions in contracts that include licensing and royalty
arrangements.

Recommendation 7
6.92 The committee recommends that the 2021 eCensus application be subject
to an Information Security Registered Assessors Program Assessment.

Recommendation 8
6.93 The committee recommends that the ABS take a more proactive role in
validating the resilience of the eCensus application for the 2021 census.

Recommendation 9
6.94 The committee recommends that the Department of Finance review its
ICT Investment Approval Process to ensure that projects such as the
2016 Census are covered by the cabinet two-pass process.

Recommendation 10
6.95 The committee recommends that the Australian Government provide
portfolio stability for the ABS.

Recommendation 11
6.96 The committee recommends responsible ministers seek six-monthly
briefings on the progress of census preparations. These briefings should cover
issues including, but not limited to, cyber security, system redundancy,
procurement processes and the capacity of the ABS to manage risks associated
with the census.

Recommendation 12
6.106 The committee recommends that the ABS consider establishing a
dedicated telephone assistance line for people who require special assistance in
completing the census.

Recommendation 13
7.28 The committee recommends that the maximum value of fines and any
other penalties relating to the census be explicitly stated.

Recommendation 14
7.29 The committee recommends that the Australian Bureau of Statistics
develop a clear communications strategy outlining the outcomes for
non-compliance with the census, including resolution processes and the value of
possible penalties.

Recommendation 15
7.57 The committee recommends that the Australian Government provide
sufficient funding for the ABS to undertake its legislated functions to a continued
high standard.

Recommendation 16
7.58 The committee recommends that the responsible minister act as a matter
of urgency to assist the ABS in filling senior positions left vacant for greater than
6 months.
