ITP Techblog

Like a Greek tragedy, official reports into Government IT failures often reveal a fatal flaw which has doomed the project from the outset. The Budget 2019 botch up, where information was accessed online before the official announcement, is no exception. In this case the 'fatal flaw' appears to have been a complete and utter lack of oversight of the project by anyone in Treasury with any senior authority.

As Rob O'Neill writes in the NBR today: "Last week, the State Services Commission's report into the Budget 2019 'hack' at Treasury revealed a host of governance and perhaps structural failures, not least in the lowly worth seemingly given to the CIO in particular, and to the corporate services function in general."

The 35-report makes for the kind jaw-dropping read that you get when an inquiry is led by a competent professional - in this case independent director Jenn Bestwick - who just lays it all out there in its full awfulness. So that you find yourself wondering aloud on almost every page just how the whole shemozzle could have gone so far.

Here's a quick summary:

In 2014 the Treasury owned and operated Central Agencies Shared Services (CASS) issued an RFP for a new web hosting platform that would include the development of 5/6 agency websites. None of the RFPs met the tender pricing so it was decided to modify the scope. And that is where the problems began. In doing so they removed the 'Budget Day Scenario' (BDS) - the online publication on Budget Day of budget documents - from the project.

Over the next two years the project was deployed by the vendor, and the websites came online. The last deployment was the Treasury website because this was considered the most complex. It was late getting started - mid-2017 - and so it was again decided to leave out the BDS. Then, a few weeks out from Budget Day in 2018, it was discovered that the way they had previously managed publication of the documents wouldn't work with the new website. Instead, it was decided to create a "vaulted clone" (an online replica of the site) and swap it over with the existing site when the Budget went live at 2pm on the day.

There was the risk that because the live site and the cloned site shared the same index, that a person searching for terms beforehand could access the headline and "snippet information", but this would be followed by an Error 404 script so they would not be able to see the whole document. They got away with it in 2018 but, as we know, not in 2019.

When bits of the Budget were made public ahead of Budget Day, it raised a media storm, which the Treasury Secretary at time, Gabriel Makhlouf, compounded by claiming it was a "hack" - and the circumstances around that have been well canvassed.

While Makhlouf was dealing with the media fallout, the IT team was seeking an explanation from vendor - but it turned out they were in hot seat. When the vendor was told about the cloned site and shared index (which they had no previous knowledge of) they advised that the link should be removed and then, within an hour they re-indexed the clone site so that it would be ready to go live a couple of days later. Until then the IT team had never asked the vendor for advice about re-indexing the cloned site.

In the media release that accompanied this report, State Services Commissioner Peter Hughes cited four points from the Inquiry - the series of technical decisions, governance and oversight falling short, risk management process not good enough and security concerns not escalated.

But, as O'Neill points out in his article today, the buck stops at the top when senior management are not engaged with operational matters. The situation is neatly summed up on page 20 of the report:

"The vulnerability in this area was further exacerbated by a reported organisational belief that work on core business operations is less valued or important than policy work or other core economic or fiscal functions of the Treasury and therefore not prioritised."

If you work in IT and that sounds like your organisation, then you might want to send a copy of the report to your CEO. But be sure to read it first, it is quite the drama.