Oz auditor: Number of times failed government biometric project met a milestone = None
Nope, never. We think buying nothing cost us AU$34m, but nobody's sure
How much IT can you buy for AU$34m (£18m, $24m)? None at all, if you're the Australian Criminal Intelligence Commission in the market for a biometric system.
The Australian National Audit Office (ANAO) this week released its report into ACIC's failed biometric identification system (BIS) project which failed last year, and determined that: "None of the project's milestones or deliverables were met."
While giving the all-clear to the project's procurement process, the ANAO said "the subsequent administration of the BIS project by CrimTrac and ACIC was deficient in almost every significant respect".
FACE/OFF: Australian Criminal Intelligence Commission bins NEC-built biometrics projectREAD MORE
BIS was designed to replace ACIC's existing fingerprint database and to add facial recognition capabilities. It was being implemented by NEC until ACIC pulled the plug in June 2018. As the ANAO report noted, on the same day ACIC put the project on hold (termination came later), NEC issued a media statement in which it said "the BIS Solution was ready to be handed over to ACIC for System Acceptance Testing".
It emerged in Senate hearings that although the project's costs blew out (reported at the time to be more than AU$80m, or around £44m/$57m), it wasn't on a "watch list" the Digital Transformation Agency is supposed to maintain of at-risk projects worth AU$10m (c. £5m, $7m) or more.
While clearing the procurement process, the ANAO noted that two "critical requirements" had been overlooked in system design: the first being the protection of the biometrics of people using assumed identities (for example, police undercover operatives) and those under witness protection.
A requirements-gathering process handled by PwC overlooked these, meaning they were also missing from the 2015-issued tender. The error wasn't discovered until February 2018, by which time the ACIC CEO warned his board it would cost around AU$10m to support the assumed identity and witness protection requirements.
How did that happen? The ANAO said: "In August 2018, ACIC confirmed that the lack of specific AI requirements in the contract was an oversight."
Wait, we need a UI spec?
Those weren't the only requirements PwC missed: there was no user interface specification in the BIS project, and the ANAO report quotes from an internal email saying: "Consequently there are, at last count, 15 data elements missing from the BIS... browse screens" that were in BIS's predecessor NAFIS (the National Automated Fingerprint Identification System).
The project was cancelled before anyone had time to tackle the UI problems.
The ANAO was also critical of the project's financial management: the agency's corporate finance department had "no responsibility for management of the financial aspects of the BIS project; neither did the project team have a dedicated financial or contract manager".
As a result the agency couldn't give the ANAO a definitive figure for how much it spent on the project.
The auditor also identified a mystery payment to NEC: "ACIC made a 'goodwill' payment of $2.9m to NEC which was not linked to the achievement of any contract milestone. ACIC was not able to provide details of how the quantum of this payment was calculated."
One other lesson in the ANAO report seems to be that it's risky to run big IT projects at times of corporate upheaval.
The BIS procurement was launched by one of ACIC's predecessor agencies, CrimTrac – which on 1 July 2016 was merged with the Australian Institute of Criminology and the Australian Crime Commission.
Partly as a result of pressures arising out of the merger, and partly as a result of undefined "workplace culture" problems, three BIS project managers abruptly left their jobs in the eight months between June 2017 and February 2018. ®
Sponsored: Becoming a Pragmatic Security Leader