New legislation forcing Optus and Telstra to perform mandatory risk assessment and reporting will only work if the companies embrace the changes wholeheartedly, according to a governance expert.
The move comes as Optus on Monday finally revealed the cause of the 12-hour outage that left 10 million users without access to mobile communications or internet, causing havoc across the country.
First reported by the Australian Financial Review, the Albanese Government will bring forward legislative changes to hold the telecommunications sector to the same standards as essential services like hospitals and energy suppliers.
Rob Nicholls, associate professor in regulation and governance at the UNSW Business School, said the changes won’t stop breaches or outages occurring unless they are embraced on a company-wide level.
“Will it stop these kinds of issues that we’ve seen? Probably not,” he said.
“Will it reduce the risk of those? Yes, and that’s why it’s in place.”
Optus on Monday said a software upgrade was to blame for the outage.
“At around 4.05am Wednesday morning, the Optus network received changes to routing information from an international peering network following a routine software upgrade,” the company said.
“These routing information changes propagated through multiple layers in our network and exceeded preset safety levels on key routers which could not handle these.
“This resulted in those routers disconnecting from the Optus IP Core network to protect themselves.”
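The protective disconnect Optus describes, modelled as an added Python example (not Optus's code or configuration): routers carry a preset per-session prefix limit and drop the session once an update pushes them past it. The topology, limits and prefixes are constructed, and the comparison shows why such a limit should bind at the edge peer rather than only on core-facing routers.

```python
"""Toy model of a max-prefix safeguard on BGP-style peering sessions.

Constructed scenario (not Optus's network): an edge router takes routing
updates from an external peer and re-advertises what it accepted to several
core-facing routers. Every router has a preset prefix limit per session and
disconnects to protect itself when the limit is exceeded.
"""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    max_prefixes: int                      # preset safety level for one session
    routes: set = field(default_factory=set)
    session_up: bool = True

    def receive(self, prefixes) -> bool:
        """Accept an update; tear the session down if the limit is exceeded."""
        if not self.session_up:
            return False
        self.routes |= set(prefixes)
        if len(self.routes) > self.max_prefixes:
            self.session_up = False        # protective disconnect
            self.routes.clear()            # nothing learned is kept
        return self.session_up


def constructed_update(n: int) -> list:
    """Build n distinct, clearly synthetic prefixes for the simulation."""
    return [f"10.{i // 256}.{i % 256}.0/24" for i in range(n)]


def propagate(edge_limit: int, core_limits: list, update: list) -> set:
    """Feed `update` to the edge router, then onward to each core router.

    Returns the names of core routers whose sessions are still up.
    """
    edge = Router("edge", edge_limit)
    cores = [Router(f"core{i}", lim) for i, lim in enumerate(core_limits)]
    if not edge.receive(update):
        return {r.name for r in cores}     # edge dropped the peer; core untouched
    for r in cores:
        r.receive(edge.routes)             # the oversized table is forwarded inward
    return {r.name for r in cores if r.session_up}


if __name__ == "__main__":
    burst = constructed_update(50_000)     # anomalous flood of routing changes
    print("no edge limit  :", propagate(10**9, [20_000] * 3, burst))
    print("edge limit set :", propagate(20_000, [20_000] * 3, burst))
```

With no limit at the edge the flood reaches every core router and all three disconnect at once; with the same limit enforced at the edge, only the external session is dropped and the core stays connected.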
The outage will be the focus of several investigations, and the federal government intends to change the Security of Critical Infrastructure Act (SOCI Act) when the 2023-2030 Australian Cyber Security Strategy is released later in November.
Nicholls said the SOCI Act and the changes “aren’t a useless bit of bureaucracy”.
“It is there to make the businesses think: have we done everything we’re supposed to?” Nicholls said.
“It should end up with a disgruntled ‘yes, of course we have’, but if in making enquiries within the business you suddenly find out that you haven’t, then you fix it and report it.”
Calls for change
Home Affairs Minister Clare O’Neil said the telecommunications network is vital to Australia’s national security, economy and everyday lives.
“Telcos should be held to at least the same standards as other critical infrastructure,” she said in a statement.
“Our telcos must be prepared for major vulnerabilities, have risk management plans in place, and build backups to maintain essential services when things go wrong.”
Experts called for legislative action after the Optus outage last week. Photo: AAP
Nicholls said the legislation will require telecommunication companies to report in the same way the defence force or electricity companies have to.
“You really want legislation that sets out some principles, and the regulator or bodies crystallise those into more pragmatic action,” he said.
“You don’t want to be jumping at shadows, you want legislation to be more principles-oriented.”
The SOCI Act was introduced in 2018, but telecommunications companies were exempt from mandatory reporting because of previous changes in 2017.
O’Neil said the telecommunications industry has since called for a streamlined approach to setting national security standards.
“We’re committed to working closely with telcos and other industry stakeholders to get this right,” she said.
“Together, government and industry can build strong defences around our telco networks so that we can become a world-leading cyber-secure nation by 2030.”
The Albanese government is also introducing obligatory reporting for businesses affected by ransomware incidents due to a 45 per cent global surge in the first half of 2023 compared to 2022.
O’Neil said ransomware is the most disruptive cyber threat in the world today.
“Our first step must be getting the right supports in place for businesses and citizens so that it can become an easy decision to not pay ransoms, and to build a picture of what’s really going on so we can tackle it head-on,” she said.
“We know tens of millions of cyber attacks are attempted every year; we don’t have that picture of which companies and industries are targeted and when, and how many ransom demands are actually paid.”
The Australian Signals Directorate estimates that ransomware incidents cost Australia $2.95 billion each year, and the cost for Australian businesses has risen by 14 per cent from 2022 to 2023.
O’Neil said businesses are strongly discouraged from paying ransoms to cyber criminals because there is no guarantee that access to information will be restored, or it won’t be sold or leaked online.