Source: The Age
Preparations for this year’s census have been hit by warnings that key cybersecurity vulnerabilities remain unresolved, after a scathing review of plans for the national survey warned it must close critical gaps before millions of Australians go online in August.
An audit released on Wednesday found the Australian Bureau of Statistics had strengthened aspects of its cyber defences but had left important work late after failing to take a sufficiently broad view of risks across its wider technology systems.
In blunt findings, the Australian National Audit Office said: “To be ready for the 2026 Census, the ABS must address key remaining cybersecurity vulnerabilities by ensuring critical activities will be completed in time.”
The auditor warned the ABS’s response had required “deployment of significant cybersecurity experts for an extended period beyond that originally anticipated” after vulnerabilities emerged later than they should have.
The findings reopen questions around census resilience almost a decade after the 2016 online census failure, when the digital form was shut down after a number of distributed denial-of-service attacks as part of a deliberate attempt to sabotage the national survey. The form could only be restored 40 hours later. A DDoS is a cyberattack in which hackers attempt to crash a system by flooding it with requests from bot (or Trojan) accounts.
This year’s census, due to take place on August 11, will be the most digitally dependent yet. The ABS expects 85 per cent of Australians to complete the form online, with the $726 million program also introducing access through myGov and expanded use of artificial intelligence.
The audit found the ABS identified and assessed cyber risks, but its governance arrangements did not always give senior decision-makers the clearest picture of emerging threats.
Among the findings, oversight committees were not always receiving “the most up-to-date or accurate information on cybersecurity risks”, while updates were sometimes incomplete and inconsistencies emerged between strategic and operational risk assessments.
The report also delivered a broader criticism of planning inside the federal government agency, finding there had been “insufficient consideration” given to cybersecurity planning because preparations did not fully address risks across the entirety of the ABS. The audit noted similar concerns had been raised in a previous review into the 2021 census.
In one of its most critical observations, the auditor said earlier action “would have better positioned the ABS to identify and address these issues sooner” and was essential to maintaining confidence that its systems could “effectively detect and prevent malicious cyber activity before and during” the census.
The audit made four recommendations: strengthening risk management, bringing forward cyber advisory arrangements, improving security architecture oversight and tackling vulnerabilities stemming from the bureau’s broader technology environment. The ABS agreed to all four.
In its response, the ABS said it “continuously reassesses cyber threats and risks, prioritises controls for critical systems, actively adjusts sequencing and investment as vulnerabilities emerge” and remained confident “we will be ready to deliver the 2026 Census”.
“The ABS will continue to prioritise these improvements and allocate appropriate resources to support their successful delivery,” it said.



