Prime time cyber: is government really match-fit for massive online events?

By Julian Bajkowski

August 1, 2017

It took just minutes for the torrent of scorn to build into a brand-sinking prime time tsunami.

As hundreds of thousands of Australian of Game of Thrones fans piled onto pay television platform Foxtel’s internet driven streaming service, a volume choked outage rendered screens across the country blue with an error message that soon became the currency of a national backlash.

After several months of building anticipation, customers who’d paid a premium to access the latest instalment of world’s biggest fantasy drama at the same time as everyone else in the globe — but instead got a static apology — didn’t hesitate to dump on how pirates were getting a better deal than subscribers.

By morning what should have a triumphant story on record viewer numbers was instead leading bulletins as the latest epic internet crash, up there with #CensusFail, a phenomenon that brutally demonstrated Australia’s growing (un)popular contempt for online outages.

takedown.gov.au

Nowhere is public  contempt being felt more acutely than in government, where customers simply don’t get the chance to unsubscribe. As the last Census demonstrated, when the state compels your participation and it doesn’t work first time, reputation and jobs are on the line.

There’s a kicker too. With major international events like the 2018 Gold Coast Commonwealth games heavily dependent upon online channels being ‘always up’ for everything from ticketing to streaming live events there’s a major honeypot factor for miscreants and malware merchants. 

Events like the 2014 FIFA World Cup demonstrated, those intent on doing digital damage are increasingly attacking entities associated with major events, ranging from sponsors to the web properties of participants, as the online firefight that occurred during the Croatia vs Brazil revealed. The bigger the event, the bigger the exposure, especially when attention is the currency of the prime time buzz factor.

Game of groans

Ask the average person in the street about key events in government that affect their daily lives and the chances are their answer will be something like tax time, elections and major policy changes that directly impact their circumstances.

Today electronic and digital interactions with government aren’t just a novel new option anymore, they’re largely the default option and increasingly one that is being mandated under ‘digital by default’ directives.

But below the surface of everyday transactions, there’s persistently rising pressure to keep systems up-and-running as literally tens of millions of users hit internet enabled websites, portals and services — often simultaneously.

And as traffic has increased, especially for ‘cornerstone’ national events like Census, it hasn’t always been plain sailing, especially when downed government assets can become trophies for hackers.

It’s not fair and it’s not forgiving, but the blunt truth is that Twitter and Facebook have become an unrivalled outbound call centre of contempt during periods of mass online interaction and the reputational damage it can wreak speaks for itself.  

Today, there are crucial infrastructure strategies agencies need to put into place to keep their heads above water. The days of throwing the chief information officer under a bus are gone.

King tides: how not to get swamped

Nowhere is the pressure to maintain uptime more intense than around big fixtures events — both regular and special — when government services need to ‘scale-up and stay-up’ to satisfy basic demands.  

Take tax time. It’s a truism that only tax agents really mourn the passing of the voluminous paper ‘Taxpack’ questionnaire that sent you so cross-eyed it usually took at least a few goes to get it right.

It’s now accepted that electronic lodgement is the way to go, and taxpayers are overwhelmingly happy for it. Except when it doesn’t work and nobody outside the agency really cares about the bit of kit that didn’t work.

The implicit contract that underpins the public’s goodwill is based on convenience and ease of use, both of which are  predicated the promise of ‘always-on’ availability. This applies right across government.

Again, it’s the crucial symbiosis between performance and security rather than one coming at the expense of the other.

Popularity its price

When people can’t log-in or access the information they need during peak-times, Twitter erupts, sentiment and departmental reputations track south and call centres and switchboards glow.

Even when legitimate traffic surges knock over online assets, it only takes minutes for unverified claims of a takedown by attack to start circulating.

In reality, no technical explanation ever washes away the stain of #fail, as many agencies have recently learned the hard way.

Of course high-traffic government systems are prime targets for hostile actors, as illustrated by attacks on the Bureau of Meteorology confirmed by the Australian Cyber Security Centre and attributed “to a foreign intelligence service.”

The trend hasn’t escaped industrial-grade web content distribution providers like Akamai that have spent decades bulletproofing global online events like the FIFA World Cup, Olympic Games as well as the world’s biggest media companies and global brands.

“From our extensive work with governments, we are seeing that site-availability is no longer at an acceptable standard. Governments are under pressure from citizens to deliver a singular digital experience — irrespective of the channel or service they are attempting to consume,” says Akamai’s head of government in Australia, Jonathan Schilling.

“The experience of using banking or other online services should be identical to the experience of lodging your tax return, submitting Census Data or renewing your licence.”

Great expectations: getting digital content to deliver consistently

It’s fair to say that user expectations of online government have never been higher. Conversely, tolerance of underperformance has never been lower.

This isn’t just for transactions like payments, notifications, applications and forms we now expect to be auto-populated. It’s the whole box-and-dice and increasingly includes interactive calculators, rich media, video, live chat and real-time support.

Digital services that are ‘better, faster, cheaper’ means hundreds of millions of dollars in savings in moving away from content delivered by paper and post are now being banked.

Today, government campaigns uniformly end with a call-to-action to ‘visit’ or ‘find out more at’ a website. But as Census demonstrated, campaigns and events don’t always go to script.

“From our experiences in this space, customers are looking well beyond product or platform capability and delving deeper into the supporting services,” Schilling says.

“There’s also been a massive culture shift post Census 2016. Agencies need to know that if something goes wrong, web availability assurance providers like Akamai will respond in real time. Departments are also looking to harden-up and pre-prepare their web assets by increasing resilience planning and stress testing using drills and load simulations.”

And when it comes to large events, especially international summits, conferences and major sporting events the likelihood of criminal or state sponsored interference is dramatically increased. Even national elections are now in the frame.

It’s not a matter of if, but when malicious actors will come, cautions Schilling.

Surviving the unexpected

If last year’s Census taught us one thing, it’s technical failure just isn’t an option in the public’s eyes. When a whole nation is sent online, everyone still expects normal transmission. Again, this goes for all agencies.

It’s worth this: has there been sufficient reinvestment of digital cost savings into bolstering digital delivery? And what are the new priorities?

An easily overlooked risk in digital government is adequate and effective attention to ensuring robust content delivery infrastructure and services to ensure online government is match-fit for major events and peak loads.

Often agencies know they need to boost online availability to absorb traffic volume and obviously have some influence over traffic flows. Today that’s BAU.

But there are also powerful external factors beyond government control – like media coverage, adversarial politics and social activism – that are impossible to plan for. Even so, they can still effectively be hedged against.

This is where having the rapid scalability, extra headroom, resilience, technical and analytical proficiency of a world-class content delivery network comes into play.

“At Akamai we are seeing more complex requirements from our government customers as they evolve and broaden out their online services. At a minimum, citizens expect secure online experiences without any degradation or impact on their experience,” Schilling says.

Profiling pitfalls

A common pothole for digitised government and business alike is prioritising the right amount of web delivery ‘grunt’ so that it comfortably absorbs rapid rises or fluctuations in load or demand.

This shouldn’t play second fiddle to look-and-feel or more cosmetic concerns. Design thinking, user journey mapping and the slickest most intuitive interfaces can all come to nought if speed and load times drag or services become unavailable.

As digital and web service delivery becomes increasingly commoditised by the cloud, it’s easy to look at averaged speeds or uptime statistics that only seem to feature the number 9 constantly repeated after a decimal point and too many zeroes.

What really needs to be asked is how a proposed solution will perform under unanticipated load spikes — hostile or friendly — and how quick and resilient it will be to respond and recover from a sizeable hit, like a denial of service attack (DDoS).

What needs to be looked at is the proven effectiveness, experience and skill that can be brought to bear when a response to an issue or incident is needed. Will a provider operate as a cohesive team and immediately do what it takes to nuke emerging problems as they arise. Or will it be a SLA discussion?

Akamai’s Schilling says agency leaders shouldn’t shy away from asking tough questions.

“Don’t be afraid to put claims to the test,” Schilling says. “Consider the remediation, clean-up and reputational costs and weigh these against what are often quite marginal savings.”

No such thing as a normal day

Planned online events like Tax Time, Census or policy and service delivery changes are one test for content delivery platforms, but there’s growing evidence of greater volatility in daily traffic.

A sudden stock market plunge or major insolvency might trigger sharply increased online loads for regulators, especially when the number of customers affected is large.

Major incidents, whether they are natural disasters or weather events or IT security incidents ranging from data breaches to virus or and zero-day exploits can all send floods of legitimate traffic to authorities as people look for authoritative advice.

Similarly unexpected changes to traffic management stemming from accidents on major roads to public transport disruptions now routinely send people scurrying onto their smartphones for online advisories to try and figure out how to get home.

Even seemingly innocuous government content can be instantly hammered should a minister publicly joust with a major celebrity over whether or not their pets ever cleared quarantine coming off the private jet.

Johnny Depp might not have a Twitter account yet, but millions of his fans do – and they’ll be the ones to hit a re-tweeted hyperlink to an agency, regardless of whether their traffic is anticipated or not.

 

About the author
Subscribe
Notify of
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments