Cyber crises are hardly unusual. But when government computer systems fail, the social, political and financial impacts are wider than ever.
That’s a lesson the Australian Government has learned over recent months with a litany of IT problems which have plagued the public service.
First there was confirmation in April of a major cyber-attack on the Bureau of Meteorology, allegedly from China. The intrusion, which infected the Bureau’s entire computer network, was designed to steal sensitive information and will reportedly cost hundreds of millions of dollars to fix.
A few months later saw the humiliating disaster of the failure of IT infrastructure supporting the Australian national census, followed more recently by prolonged outages at the Tax Office, which prevented companies submitting end of year returns and making payments. Plus, at a State Government level, the computer glitch which led to Victorian high school students receiving their exam results five days ahead of schedule. Then the Victorian Government accidentally releasing personal details of almost 9,000 licensed gun-owners.
To top off a tumultuous few months now comes the stupendously badly-managed and badly-explained program of computer-generated “robo-letters” from Centrelink demanding money from more than 200,000 supposedly over-paid welfare recipients.
Columnist Jason Wilson seemed to be hyperventilating when the Guardian described scandals like the Centrelink debacle as “revealing the structural rot at the heart of our democracy.” But they do highlight that government cyber crises are very different from crises in the corporate sector.
For example, following the CEO sex scandal at Seven West Media, investors chose to dump the stock, and the company’s market value fell by almost $100 million. And after the fatal accident crisis at Dreamworld, patrons reportedly stayed away in droves.
By contrast, most people have very little choice about their interactions with government departments and some – such as filling out the census or paying taxes – are legally mandated. So it’s not unreasonable to expect that Government computer systems will be held to a higher standard of performance. Sadly, that appears not to be the reality.
When Prime Minster Malcolm Turnbull unveiled his $230 million Cyber Security Strategy, aimed at beefing up the nation’s defences against online assaults on individuals, businesses and governments, it was reported he was “trying to break down the risk-averse attitude of the bureaucracy.”
In the wake of the Centrelink crisis, Paul Shetler, the man handpicked to lead Government’s digital transformation, was even more blunt. He said it was symptomatic of a culture of blame aversion within the bureaucracy, not risk aversion. Shetler, who resigned in November, said successive IT failures, were “not a crisis of IT” but a “crisis of government.” Speaking on ABC 7.30 Report he added: “One of the biggest problems is that the Government just does not feel comfortable with modern technology. It doesn’t know how to use it. It does things that everyone else has stopped doing, and is dependent on vendors to tell them what to so.”
It is a depressing assessment, but not one which should give the corporate world any comfort. Government cyber crises may garner massive headlines, community protests, and generate opportunistic and unhelpful political commentary. But the private sector is equally vulnerable and, unlike the government, doesn’t have limitless access to the public purse. Just ask some of the shareholders who have had to pay the price.