Home Affairs boss: Optus breach is not a model for policy debate


Unrepresentative of 'darker' threat types and risks.

Home Affairs boss Michael Pezzullo has suggested the Optus breach, while driving much discussion about cyber security policy, isn’t necessarily a good model for policy debates.

Speaking at the Australian cyber security conference yesterday, Pezzullo said he didn’t “want to, in any way, diminish or downplay the significance” of the Optus incident or of the consequences it has had on people.

“I don’t want to downplay that at all,” he said.

“But in terms of the risks that we’re trying to manage, there are regrettably, I have to say, more catastrophic, more consequential and darker scenarios that can very easily be painted that could well unfold. 

“I hope I’m not proven right tonight.”

Pezzullo noted that while the “Optus matter” is being used at a ministerial level to speak about cyber security policy issues “generally”, it isn’t necessarily representative of the threats that the government and agencies needed to be prepared for.

He said that while critical infrastructure laws that give the government some power to intervene in certain attacks had passed the previous parliament, “the hack of Optus was not that.”

“The things that are potentially coming at us that could potentially take the grid down, that could affect our water systems, our traffic management systems, our logistics, warehousing, medical health infrastructure are far darker in terms of their impact on society than the still very, very desperately sad situation that many people find themselves in as a result of their sensitive personal information now being out there as a result of the access into the Optus system,” he said.

The Optus incident, he said - mirroring language from Home Affairs Minister Clare O’Neil - came from a more “basic” place.

“On the Optus incident itself, Optus itself is conducting some diagnostics, some forensics, so I think it’s fair to say that they need to come to a view about what exactly happened and, obviously, we’ll come to our own assessments,” Pezzullo said in a question-and-answer session following his talk.

“You would have to say that whatever’s happened, some basic control has had to have failed for so much data to have been exfiltrated in the way that it was. 

“But I’m not going to get into any further commentary on that.”

Asked whether the government was susceptible to the same type of incident, Pezzullo said he would “like to think not, but I don’t want to hold myself hostage to fortune.”

He pointed to substantial ongoing work on cyber security in the delivery of government services.

“We’ve got 190 accountable agencies within the Commonwealth,” he said.

“Whenever you add an accountable entity, whether it’s in a large private corporation or a large Government enterprise, you do create those gaps and seams. 

“We’re working tirelessly to patch and remediate as best we can.”

Pezzullo also said cyber incident response could learn from emergency disaster response more generally, especially in the area of “consequence management”.

He said the Optus response had been a good example of consequence management, with a key focus on assisting those impacted to be able to change credential documents and ward off potential fraud threats.

“Ms O’Neil has made it very clear both in the public comments, but certainly in the directions that she’s given to me, that she really wants us to think hard - not just off the back of Optus, because there are lots of other cases that we can look at around the world - about how we do consequence management, which we do increasingly better in the physical world, where we’re getting exposed to changing climate or extreme wet weather events with greater frequency,” he said.

“We have to think about cyber a bit more like climate. 

“Yes, the initial incident has to be looked at. The initial incident has to be remediated. It has to be patched and has to be dealt with, but the work then doesn’t finish. 

“There’s this long tail which goes to some of those other areas … around consumer data, digital identity, replacement of credentials where that’s relevant etc.

“So, Ms O’Neil has made it very clear as Minister that she wants more work and more effort put into consequence management beyond the strict cyber incident management.”

Copyright © iTnews.com.au . All rights reserved.