
Peter Jennings

Optus fiasco shows how lost we are on digital security

Cyber Security Minister Clare O’Neil has warned that the Optus hack ‘is not the last cyber attack that we’re going to see, even in 2022’. Picture: NCA NewsWire / Martin Ollman

One good thing about crises is that they provide opportunities to learn. We will be working through the consequences of the cyber attack on Optus for years.

A steadier government voice on the Optus mess has been Clare O’Neil, Minister for Home Affairs and Cyber Security. Last week she told Channel 9’s A Current Affair: “It’s really important that everyone enters this conversation with a little bit of humility. The truth is we are probably five years behind where we need to be with cyber security in this country and government is not immune from that.”

Few players come out of this crisis with reputations intact. The government’s handling has involved multiple ministers all separately racing to sheet home blame to Optus for what, frankly, is a shared responsibility.

Optus must carry the blame for what, on our current knowledge, looks to be a human, not a technological, error exposing over 10 million customer records via inappropriate testing of an application program interface (API).

A knowledgeable cyber specialist told me a savvy 15-year-old could have achieved this hack. Time will tell if that is true, but we should be sceptical for the moment about online claims of responsibility. Optus carries responsibility for the cyber breach but setting the policy framework for cyber security is squarely a government task and managing the consequences of breaches is shared between the public and private sectors.

There is a lot of blame to be shared. While the Morrison government did strengthen national laws around the security of critical infrastructure, it unaccountably chose to exclude telecommunications providers from the more stringent reporting and management rules set out in the 2021 Security of Critical Infrastructure Act. It was claimed existing telecommunications laws would “better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities”.

The Department of Home Affairs advises that telecommunications providers “must do their best to protect telecommunication networks and facilities they own, operate or use from unauthorised interference or unauthorised access”.

Home Affairs helpfully adds: “The term ‘do your best’ broadly means taking all reasonable steps to protect your networks and facilities from unauthorised access or interference.” So, the security of the IT backbone to the Australian economy and our wider social life rests on an injunction better suited to the Boy Scouts.

No one reading this article will be surprised to learn Optus resisted having the tougher measures of the Security of Critical Infrastructure Act applied to its sector. In November 2020, Optus made a submission to Home Affairs about the scope of the then SOCI bill: “Optus is concerned at the emergence of new and substantial regulatory risk in the form of the civil and criminal sanctions which arise from the specification and requirement to keep secure entire new classes of protected information. This will drive administrative and governance cost.”

Had the SOCI Act covered telecommunications providers Optus may well have taken steps to better manage the risk of cyber penetration.

The government will add that to Scott Morrison’s rap sheet, but in any crisis what really matters is what governments are doing right now to triage the situation and emerge in a stronger position.

The Albanese government’s approach to the Optus crisis is a mess. Let’s start from first principles: more than 10 million Australians, greater than half the adult population, have been affected.


Visiting the Home Affairs web page created to assist concerned Australians, one sees nine crests of commonwealth departments and agencies vying for attention. Readers are referred to no fewer than 15 further web pages where they can find information, register concerns, apply to change Medicare cards, driver’s licences and even apply for a Commonwealth Victims’ Certificate.

When I accessed the latter page on Sunday, the link took me to a copy of the advice page I had just left. Of course, there will be online teething problems, but the wider point is the government’s reaction drives people to a bewildering menagerie of web pages, forms (all asking for personal information) and patronising advice “to be on the lookout for increased scam activity”.

It is at least possible that, in its enthusiasm to sheet home the blame to Optus, the government has jumped the gun. On passports, for example, “on 30 September, the Prime Minister confirmed that Optus will cover costs for affected customers wishing to receive a new passport due to the breach”. Hold on a moment: could that extend to all 10 million affected Australians? Other than data for about 10,000 people that appeared briefly online, it is not clear what real as opposed to theoretical compromise has taken place.

The Australian Passport Office advises it is safe to use passports for travel, that others could not use an accessed passport number to travel or apply for a new passport. Opting to get a new passport, paid for by Optus “is a personal decision for you to make”. We have seen the Department of Foreign Affairs and Trade struggle to manage a Covid backlog of processing tens of thousands of passport applications. How will the department handle potentially several million applications?

Rule one of crisis management is: don’t create more crises. But in the absence of more detail about the real impact of the cyber breach, the government has set a very low benchmark for the public to demand cost-free responses.

Rule two of crisis management is about the need for clear and consistent communication. Here we should have heard more from key minister O’Neil – as of Sunday she has given only three interviews on the subject – and less from the bevy of other ministers racing to sink the boot into Optus, as though the government’s own cyber security is impeccable.

O’Neil’s broader assessment is “this is not the last cyber attack that we’re going to see, even in 2022 … we’ve got to lift the standards here”. She is absolutely right.


Peter Jennings is director of Strategic Analysis Australia and was executive director of the Australian Strategic Policy Institute from 2012 to 2022. He is a former deputy secretary for strategy in the Defence Department (2009-12).


Original URL: https://www.theaustralian.com.au/commentary/optus-fiasco-shows-how-lost-we-are-on-digital-security/news-story/1020f4bdc1444f708af52bab20d1f498