CIO

IBM and Nextgen Networks locked in legal battle over Census debacle

The vendor wants Nextgen to pay for its settlement with the Australian Government

IBM Australia has launched legal action in the NSW Supreme Court against Nextgen Networks and Vocus Communications over the companies’ respective roles in the troubled 2016 eCensus portal project.

In a legal action filed with the NSW Supreme Court late last year, IBM Australia alleges that Nextgen Networks and Vocus Communications were negligent and in breach of contract in relation to their work associated with the 2016 eCensus portal.

The court documents also reveal that IBM wants Nextgen Networks to pay for the settlement it reached with the Australian Government over the Census troubles, alleging that Nextgen Networks is liable for the claim brought against IBM by the ABS.

While the value of the settlement has not been disclosed, it is understood to be worth millions.

IBM also wants Nextgen Networks, one of its suppliers for the eCensus project, to pay damages for its alleged breach of contract, and alleged negligence in relation to the Census project.

For its part, Nextgen alleges that Telstra, another supplier to IBM for the Census project, should be held responsible for IBM’s losses relating to the Census incident.

The legal action comes just as the dust from the fallout of the 2016 Census debacle seemed to start settling.

The incident on which the case hinges occurred in early August last year, when the 2016 Census online portal failed to withstand a series of distributed denial of service (DDoS) attacks that hit on Census night, 9 August 2016.

Following the attacks, the website was shut down for 40 hours, stymying attempts by Australians to submit their 2016 Census information online.

IBM, which had been contracted by the ABS to develop, implement, and host the eCensus platform for the 2016 Census, subsequently faced intense scrutiny by the public and the government alike, with representatives of the company fronting up to a Parliamentary inquiry into the incident last year.

In October last year, IBM took aim at its upstream internet service providers (ISPs) for the Census project, including Nextgen Networks and Vocus Communications, over their roles in the incident.

IBM had developed a DDoS mitigation strategy, dubbed “Island Australia”, which involved the implementation of a geo-blocking system aimed at preventing internet traffic from international sources from overwhelming the site.

“The geo-blocking arrangement involves blocking or diverting international traffic intended for the eCensus site before it reaches the site, while leaving the system free to continue to process domestic traffic,” IBM said in a submission to the government committee investigating the incident.

In its submission, IBM said that with its “Island Australia” approach it had anticipated and planned for the risk of DDoS attacks on the site, but that the geo-blocking mechanisms it had arranged were to be implemented by its upstream internet and networking service providers, which included Nextgen, Vocus and Telstra.

According to IBM, under its arrangement with the ISPs, if a DDoS attack on the eCensus site was attempted and was severe enough to warrant the implementation of the geo-blocking arrangement, IBM would direct Nextgen and Telstra to put “Island Australia” into place.
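To make the "Island Australia" arrangement concrete, here is an added illustrative model (not code from IBM, the ISPs or the inquiry) of an upstream geo-block applied per ISP link. It assumes constructed flow records, documentation-range prefixes standing in for an Australian geo-IP feed, and an assumed ingress capacity; it shows that the block only helps on links where the ISP has actually activated it, and that domestic-sourced traffic always passes, the gap Nextgen later pointed to.

```python
import ipaddress

# Constructed stand-in for an Australian geo-IP feed; these are documentation
# ranges (RFC 5737), not real allocations.
AU_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed flow records per upstream link: (source IP, packets per second).
# The "nextgen" link stands in for the Singapore-fed path described in the article.
LINK_FLOWS = {
    "nextgen": [("192.0.2.10", 80_000), ("203.0.113.5", 900)],
    "telstra": [("192.0.2.77", 60_000), ("198.51.100.9", 1_100)],
}
SITE_CAPACITY_PPS = 50_000  # assumed capacity of the site's ingress routers


def is_domestic(src: str) -> bool:
    """True if the source address falls inside the (constructed) Australian prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AU_PREFIXES)


def upstream_filter(link: str, island_active: dict, flows):
    """Model one upstream ISP. Where Island Australia is active on the link,
    international sources are dropped before they reach the site; domestic
    sources are never filtered by this mechanism."""
    return [(src, pps) for src, pps in flows
            if is_domestic(src) or not island_active.get(link, False)]


def site_load(island_active: dict) -> dict:
    """Aggregate what reaches the eCensus ingress from both links and record
    which links let international traffic through."""
    domestic = international = 0
    leaked_via = []
    for link, flows in LINK_FLOWS.items():
        for src, pps in upstream_filter(link, island_active, flows):
            if is_domestic(src):
                domestic += pps
            else:
                international += pps
                if link not in leaked_via:
                    leaked_via.append(link)
    total = domestic + international
    return {"domestic_pps": domestic, "international_pps": international,
            "leaked_via": leaked_via, "overwhelmed": total > SITE_CAPACITY_PPS}


if __name__ == "__main__":
    for name, active in (("both ISPs active", {"nextgen": True, "telstra": True}),
                         ("only Telstra active", {"nextgen": False, "telstra": True})):
        print(name, site_load(active))
```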

It was subsequently revealed that the DDoS attack which ultimately overwhelmed the infrastructure put in place by IBM was routed through a Singapore-based router understood to have been under the management of Nextgen Networks and Vocus.

It also emerged at the time that a configuration failure in one of the two routers IBM was using to channel data traffic to the Census site from its two ISP partners led to a failed reboot after the router was shut down following a data surge caused by the fourth DDoS attack, leaving it inoperable for more than an hour.

During the inquiry into the incident, Nextgen Networks claimed that it had supplied IBM with a “standard internet service, and met all of its service levels on that product” and that it had, in fact, offered IBM an alternative DDoS protection option that was initially turned down.

“Although Nextgen strongly recommended to IBM to take up an internet DDoS protection option for the purposes of the 2016 census, it was declined by IBM,” Nextgen Networks said in its own submission to the inquiry.

IBM later questioned its own dealings with Nextgen and Vocus, with IBM engineer Michael Shallcross suggesting that the company’s efforts to instruct the two ISPs on the implementation of its geo-blocking DDoS prevention plan in the lead-up to Census day had failed.

“It’s apparent from the submissions brought by Nextgen and Vocus that perhaps the internal communications had not conveyed adequately the intent and instructions of and surrounding the implementation of Island Australia,” Shallcross told the senate committee investigating the incident.

Now, IBM Australia is alleging that Nextgen Networks did not meet its contractual obligations under the agreements it had struck with IBM in relation to the DDoS prevention strategy for the Census project, thus allegedly breaching its contract with IBM.

“Nextgen confirmed to IBM that Nextgen had the ability to execute the Island Australia protocol, and that its ‘upstream provider’ (being Vocus) would be able to implement the Island Australia protocol,” the court documents stated.

IBM alleges that, despite Nextgen's assurances, the spike in data traffic on the monitoring dashboard of the eCensus system at the time of the DDoS attacks resulted from Nextgen Networks’ failure to implement the “Island Australia” protocol and its failure to stop internet traffic originating from outside Australia from reaching the eCensus site via the Singapore link.

“In supplying the Nextgen eCensus Internet Service, Nextgen did not provide the Nextgen eCensus Internet Service with the reasonable care and skill of an experienced and leading provider of network services,” the documents said.

As a result of the alleged failure by the ISPs to implement the “Island Australia” protocol and stop international traffic to the site, according to the documents, IBM breached its Census Day Service Obligation to the ABS, becoming liable to the Commonwealth of Australia for the obligation breach.

“IBM has incurred additional costs and expenses,” the documents stated. “IBM has suffered damage to its reputation, damage to its goodwill and loss of business.

“But for the breach by Nextgen of the Professional Skills Warranty: the eCensus site would not have been materially affected as a result of the fourth DDoS attack,” the documents alleged, referring to the attack which ultimately overwhelmed the system.

IBM’s pleadings in the case allege that Nextgen is obliged to indemnify IBM against the payment of the “Confidential Settlement Sum” with the government and its related costs and expenses, alleging that the "ABS claims arose as a result of the breaches of contract by Nextgen”.

In court documents responding to IBM’s claim, filed with the NSW Supreme Court on 24 March, Nextgen Networks denied the bulk of IBM’s allegations, in turn alleging that IBM itself is largely to blame for the losses suffered as a result of the Census incident.

“Nextgen did not intend to cause the loss suffered [by] IBM and did not fraudulently cause the loss suffered by IBM,” the documents stated, alleging that IBM suffered losses partly as a result of its “failure to take reasonable care”.

“IBM declined the DDoS protection offered by Nextgen,” the company alleged. “IBM relied on a method of DDoS protection that could not protect the eCensus site from domestic DDoS sources or all international DDoS sources.

“IBM did not design its system for use in connection with the eCensus site with adequate capacity to withstand a relatively minor DDoS attack," it stated.

Nextgen also suggested that IBM allegedly failed to exercise “reasonable care” in undertaking the testing of its geo-blocking plan.

The court documents submitted on behalf of Nextgen also reiterate the issues IBM faced when trying to restart the routers that had been feeding data to the eCensus site after they were shut down following the fourth DDoS attack.

Nextgen Networks asserts that, when IBM tried to restart the routers, the Nextgen router restarted successfully, whereas the router managed by Telstra did not.

The telco alleges that the Telstra link did not restart because IBM had either incorrectly configured its settings or incorrectly identified why the router facing the Telstra link failed to restart.

Additionally, the company alleges that the fourth DDoS attack on the eCensus site was made up of a combination of domestic and international traffic arriving over both its own link and Telstra’s link.

Turning the focus away from itself, Nextgen alleges that Telstra failed to exercise “reasonable care and skill” in the provision of its internet services to IBM, in that “Telstra failed to put in place adequate measures to protect against a DDoS attack, including as a result of its failure to adequately implement IBM’s geo-blocking plan”.

As such, Nextgen alleges that IBM suffered losses as a result of Telstra’s breach of contract and negligence, and that Telstra should be held partly liable to IBM for the losses resulting from the fourth DDoS attack traffic reaching the eCensus site via the Telstra link.

Vocus Communications’ response to IBM’s legal claim mirrors that of Nextgen Networks, alleging that “Telstra owed IBM a duty of care in tort to take reasonable care in the provision of internet services to avoid causing IBM loss”.

The case continues.