[LINK] Optus and Telstra networks to be classified as vital infrastructure

Karl Schaffarczyk karl.schaffarczyk at gmail.com
Tue Nov 14 16:27:52 AEDT 2023


This article mentions adding Optus and Telstra to the Security of Critical
Infrastructure Act. This will be interesting, especially seeing how much
they might want to weasel their way out of the obligations imposed.

I wonder what the tipping point for Voda/TPG/iiNet group is? In terms of
fixed lines, they'd be punching well above their weight too.

Karl




https://www.thenewdaily.com.au/news/2023/11/13/telecommunications-networks-vital


*Optus and Telstra networks to be classified as vital infrastructure*

New legislation forcing Optus and Telstra to perform mandatory risk
assessment and reporting will only work if the companies embrace the
changes wholeheartedly, according to a governance expert.

The move comes as Optus on Monday finally revealed the cause of the 12-hour
outage that left 10 million users without access to mobile communications
or internet, causing havoc across the country.

First reported by the Australian Financial Review, the Albanese Government
will bring forward legislative changes to hold the telecommunications
sector to the same standards as essential services like hospitals and
energy suppliers.

Rob Nicholls, associate professor in regulation and governance at the UNSW
Business School, said the changes won’t stop breaches or outages occurring
unless they are embraced on a company-wide level.

“Will it stop these kinds of issues that we’ve seen? Probably not,” he said.

“Will it reduce the risk of those? Yes, and that’s why it’s in place.”

Optus on Monday said a software upgrade was to blame for the outage.

“At around 4.05am Wednesday morning, the Optus network received changes to
routing information from an international peering network following a
routine software upgrade,” the company said.

“These routing information changes propagated through multiple layers in
our network and exceeded preset safety levels on key routers which could
not handle these.

“This resulted in those routers disconnecting from the Optus IP Core
network to protect themselves.”

The outage will be the focus of several investigations, and the federal
government intends to change the Security of Critical Infrastructure Act
(SOCI Act) when the 2023-2030 Australia Cyber Security Strategy is released
later in November.

Nicholls said the SOCI Act and the changes “aren’t a useless bit of
bureaucracy”.

“It is there to make the businesses think have we done everything
we’re supposed to,” Nicholls said.

“It should end up with a disgruntled yes of course we have, but if in
making enquiries within the business you suddenly find out that you
haven’t, then you fix it and report it.”

Calls for change

Home Affairs Minister Claire O’Neil said the telecommunications network is
vital to Australia’s national security, economy and everyday lives.

“Telcos should be held to at least the same standards as other critical
infrastructure,” she said in a statement.

“Our telcos must be prepared for major vulnerabilities, have risk
management plans in place, and build backups to maintain essential services
when things go wrong.”



Nicholls said the legislation will require telecommunication companies to
report in the same way the defence force or electricity companies have to.

“You really want legislation that sets out some principles, and the
regulator or bodies crystallise those into more pragmatic action,” he said.

“You don’t want to be jumping at shadows, you want legislation to be more
principles-oriented.”

The SOCI Act was introduced in 2018, but telecommunications companies were
exempt from mandatory reporting because of previous changes in 2017.

O’Neil said the telecommunications industry has since called for a
streamlined approach to setting national security standards.

“We’re committed to working closely with telcos and other industry
stakeholders to get this right,” she said.

“Together, government and industry can build strong defences around our
telco networks so that we can become a world-leading cyber-secure nation by
2030.”

Other efforts

The Albanese government is also introducing obligatory reporting for
businesses affected by ransomware incidents due to a 45 per cent global
surge in the first half of 2023 compared to 2022.

O’Neil said ransomware is the most disruptive cyber threat in the world
today.

“Our first step must be getting the right supports in place for businesses
and citizens so that it can become an easy decision to not pay ransoms, and
to build a picture of what’s really going on so we can tackle it head-on,”
she said.

“We know tens of millions of cyber attacks are attempted every year, we
don’t have that picture of which companies and industries are targeted and
when, and how many ransom demands are actually paid.”

The Australian Signals Directorate estimates that ransomware incidents cost
Australia $2.95 billion each year, and the cost for Australian businesses
has risen by 14 per cent from 2022 to 2023.

O’Neil said businesses are strongly discouraged from paying ransoms to
cyber criminals because there is no guarantee that access to information
will be restored, or it won’t be sold or leaked online.

