
Optus breach needs federal response

This includes identifying all material risks, establishing appropriate strategies to minimise or eliminate the risk of hazards, putting in place “enhanced cybersecurity controls”, and having “robust procedures to mitigate hazards and work to recover [normal operations] as quickly as possible”.

Collaborative approach required

O’Neil’s attack on Optus in parliament on Monday was warranted, but it should not absolve the federal government and various cyber protection agencies of any responsibility for what happened.

A holistic and collaborative approach to cyber protection would have required the federal government and its agencies to have shared more information with businesses such as Optus about the scale of the threat they are facing.

Ever since the Russians hacked into the US National Security Agency in 2015 and stole encryption-breaking tools, criminals and state-funded hackers have had the weapons to break into just about every system in the world.

Businesses such as Optus are up against state-funded hackers in Iran, China, Russia, North Korea and some ex-Soviet territories, as well as criminal organisations.

It is not known if the NSA’s tools or their derivatives were used in the Optus attack.

Either way, the federal government and its cyber protection agencies ought to have been more proactive in helping businesses understand the effectiveness of tools in the hands of attackers and how to repel them.

Vulnerable to future breaches

Also, it ought to know that there are only about half a dozen companies in the world capable of providing adequate protection against the threats posed by those using tools capable of breaking into the NSA.

There should be a federal register of these companies and an obligation on business to pay for their services.

If the lack of investment in effective cyber protection by Optus is any guide, Australian business is extremely vulnerable to further breaches.

The wider concern among cybersecurity experts is that state-funded actors are building a “target bank” of stolen data about individuals and critical infrastructure that can be unleashed at some time in the future.

O’Neil’s immediate priority is to work on a stronger system of digital identification and compulsory two-step verification for individuals across all consumer-facing businesses.

Australia’s core problem with cybersecurity is that businesses such as Optus are wedded to meeting the bare minimum of regulatory compliance. The business was dutifully storing six years of data on customers, but in a way that made it vulnerable to being stolen.

Ideally, businesses will explore ways of getting ahead of their obligations under the act and seek out the absolute best protection available against cyberattacks.

Optus has responded appropriately in offering the 9.8 million customers who had their data stolen a free one-year subscription to Equifax’s credit monitoring service. That could cost it about $1 billion.

Also, it made clear it would offer to pay for people seeking to replace their driver’s licence or passport. The probability of a class action being successful increased with O’Neil’s comments in parliament.
