Optus first made contact with the federal government’s cyber protection agency on Wednesday last week to report a large-scale data theft. But it said it was not a live attack. The company told the Australian Cyber Security Centre that it had already closed the open “window” that the thief had climbed through.
That window was a piece of software that allows two different computer systems connected through the internet to talk to each other, called an application programming interface. It was clear from the outset that this was a straightforward breach.
So when Optus claimed publicly that it was a “sophisticated attack” that had penetrated layers of encryption, the government’s experts privately were aghast. Independent experts scoffed publicly at the Optus claim; some argued that it wasn’t even a hack, more like shoplifting unprotected goods than safe-breaking.
It was just the beginning of the frustration that led the Minister for Cybersecurity, Clare O’Neil, to declare this week that the government was “incredibly angry” with Optus.
As the breadth and depth of the breach started to emerge, the case quickly was handed to the elite cyberwarriors in the centre’s parent agency, the Australian Signals Directorate.
Fearing that it might be the first in a wave of attacks, ASD worked with Optus and other telecommunication companies to check for other vulnerabilities. But even with the best efforts of their best people, it was two days before ASD was able to make a fundamental judgment about the source of the breach: Was the attacker acting for the government of China or Russia or another hostile power, or was it a criminal effort to make money? The answer to this question would decide the response.
It was only last Friday night, September 23, that the director-general of ASD, Rachel Noble, was confident enough to tell Anthony Albanese in a secure phone call that it was not a state-based attack.
The government had not said a word publicly, guided by a rule of the cybersecurity fraternity – anything you might say in the first 36 hours after discovering an attack is likely to be wrong and would need to be corrected.
On Friday, Optus confessed publicly that the personal information of 9.8 million customers had been taken from its database, most of the country’s adult population. It was the biggest cybersecurity failure in Australian history.
On Saturday, O’Neil and Albanese coordinated the government response in phone calls with half a dozen other ministers. They worked through the weekend with hundreds of officials across a range of departments.
While ASD and the Federal Police worked on trying to trace the culprit, other departments were activated to prevent the misuse of those 9.8 million people’s personal details to access all sorts of systems.
For instance, Treasurer Jim Chalmers activated the financial system regulators to protect bank accounts, Foreign Minister Penny Wong was tasked with protecting the passport system, Health Minister Mark Butler the health system, and so on.
On the same day, O’Neil and Albanese spoke to the Optus chief executive, Kelly Bayer Rosmarin. O’Neil urged her immediately to clarify with all Optus customers exactly what information had been taken. A week later, Optus has yet to fully do so.
O’Neil, a Melburnian and therefore inevitably a footy fanatic, had planned to go to the AFL grand final on Saturday. She cancelled, making do with issuing a generic good luck tweet, as she worked on the Optus problem. On the same day she tweeted her first public response to the Optus breach.
Opposition leader Peter Dutton later complained that “Clare O’Neil has basically been missing in action on this issue,” and that she “found time to tweet about the football and about all of that, all the while people were being put in a vulnerable position”.
The purported thief publicly demanded a $US1 million ransom from Optus. He or she would release the details of 10,000 Optus customers every day until it was paid.
The first batch was published on the web openly on Tuesday, exposing a fact that Optus had failed to mention – that the thief had taken thousands of customers’ Medicare card numbers.
The government’s immediate concern was to stop this treasure trove from being used as the basis for wholesale identity theft – the details could be used by any criminal to apply for credit while masquerading as one of the victims, or apply for a job, or apply for government benefits.
When the supposed thief withdrew the ransom demand and wiped the details of the 10,000 from the web, apparently panicking – “too many eyes. We will not sale data to anyone” – it didn’t solve the problem.
The personal information of those 10,000 people already had been copied from the web for exploitation. So on Friday the Federal Police announced Operation Guardian to “focus on key measures to help shield affected customers”.
A task force would be monitoring online forums, the internet and dark web and working with the private sector to detect criminal activity.
The episode in general has energised the Albanese government to fix a range of regulatory gaps that the Morrison government had left behind.
For instance, Clare O’Neil expressed outrage that the only penalty Optus might be liable to pay under existing law is $2.1 million for breaching the Privacy Act, whereas if it had done the same thing in Europe it would be liable for hundreds of millions in fines.
Attorney General Mark Dreyfus has committed to an urgent review of the Privacy Act to better protect personal data. Companies should check drivers licences and passports to verify identity, he said, but there was no case for recording and keeping the data. Companies needed to stop looking at customer data as an asset and realise it’s a liability, he said.
The government felt under-equipped to require Optus to treat its customers fairly. The government had to pressure it into offering its customers the services of a credit agency, and to pay the cost of passport replacements for people whose details have been compromised, for instance.
The Morrison government commissioned a 2019 review into identity theft – the Wilkins report. It found that half a million identity documents were stolen or lost each year. On average, individuals spent 23 hours dealing with 37 different organisations to try and overcome the effects. It recommended a new agency to coordinate protection and recovery from identity theft, as Tom Burton reported in the Australian Financial Review this week. But the Morrison government shelved the report and did nothing.
Clare O’Neil lamented that Australia is “five years behind with cybersecurity laws and 10 years behind on privacy”. She intends to conduct a thorough review of cybersecurity law, turning the crisis into an opportunity to make Australia a world leader.
The government’s management of the crisis has been remarkable. Not only because it’s been relatively effective and purposeful. But because of everything else going on around it.
The government this week managed to put before parliament the legislation for four of its election commitments – cutting the price of medicines under the Pharmaceutical Benefits Scheme, repealing the cashless debit card, cutting the cost of childcare for 96 per cent of families, and creating a National Anti-Corruption Commission.
At the same time, it managed the Optus crisis. And delivered a solution to another crisis that burst upon it after taking office – the looming shortfall in gas supplies across eastern Australia. The Resources Minister, Madeleine King, cajoled and coerced the three big gas corporations into guaranteeing that they’d meet all supply needs. They signed the guarantee this week.
And simultaneously, Albanese this week has been cementing relationships with US Vice-President Kamala Harris, Japan’s Prime Minister Kishida Fumio and India’s Narendra Modi, among others.
To calmly manage major crises with one hand while simultaneously introducing major reforms and running the day-to-day business of government with the other is an impressive demonstration of political ambidexterity. It’s been rare in recent Australian experience.
The secret to the government’s success? Albanese delegates to his ministers and trusts them to do their jobs. Scott Morrison was an obsessive centraliser and micromanager. Albanese operates as the chairman of the board rather than chief executive. Bob Hawke set the model, and Albanese is setting out to emulate it.
One of his adages: “You can’t run the government from the prime minister’s office.” A government runs well when all parts of it are running well.