September 28, 2022
HENRY BELOT: Well, to get more on this issue, I spoke to the Shadow Minister for Cyber Security a short time ago. James Paterson, welcome to Capital Hill.
JAMES PATERSON: Thank you for having me.
BELOT: It's been almost a week since this massive cyber attack was alerted to Australian authorities. Do you understand this to be a basic attack as the Home Affairs Minister said, or is it what Optus have said, that it was a sophisticated attack?
PATERSON: It's a very good question that you ask and really we do need clarity from Optus and the government about this question. It cannot be that this goes unresolved, that this is either a sophisticated attack or a basic attack. It's really important and I think the government's in the best place to clarify that. How did this intrusion occur? What were the vulnerabilities that Optus had? And was it sophisticated or unsophisticated? Now I know that there are briefings being made available to the Minister which go to the merits of that, and the Minister has to carefully consider the sensitivity of any classified information in revealing that information. But I think Optus customers are entitled to know. Was Optus done over by a really sophisticated adversary who had a very elaborate way of getting into their system and masking their activity, or were they negligent in exposing the customers' data?
BELOT: Well, it can't be both. It's either sophisticated or it's basic. You mentioned the Home Affairs Minister, well informed by her intelligence agencies. Has somebody been misleading the public at a time of great concern and anxiety?
PATERSON: Yes, there must be one person who is misleading the public. It is either the government and the minister or it is Optus and the CEO. It cannot be that they are both telling the truth.
BELOT: And who do you believe is doing that?
PATERSON: Well, look, I am privy to some of the information that the minister has been presented with. I have received a briefing from our agencies. It's not my role as shadow minister to publicly reveal the details of that. I will defer to the government on that, on how they want to make that decision clear. Speaking generally, though, it is often the case when there is a cyber attack that companies claim that it was very sophisticated because that is a way in which they ameliorate the responsibility that they bear for it and try and minimise their responsibility. But the head of the Australian Cyber Security Centre, Abby Bradshaw, has said that in most instances when there is corporate failure, where there is an attack, it is often because they haven't done the basic things to protect themselves.
BELOT: Okay, so what should the response be? What should happen if this was sophisticated and Optus have been saying that it's basic?
PATERSON: Well, there would be very serious consequences if Optus is in fact telling the truth and Optus has accused the Minister of engaging in misinformation. That's a very serious accusation for a company to level against a minister of the Crown. And so I think it is incumbent on the Minister to hold a press conference to explain what the government knows, to reveal the facts to the public about what happened here, because it cannot be the case that it is both sophisticated and very basic. That has to be clarified. Optus customers are entitled to know.
BELOT: The ABC reported last week that human error was at least one factor behind this. Optus came out very strongly and said that was not the case. What do you understand to have happened there?
PATERSON: It is very often the case when these sorts of attacks happen that a human error plays a role and systems are not perfect and people are certainly not perfect. But a very large, very sophisticated company like Optus, which is our second largest telecommunications provider, which holds enormous amounts of sensitive information, should not be making any basic errors which lead to millions of customers' data being exposed. So, if those reports by your colleague Andrew Green are confirmed, then that would reflect very badly on Optus and certainly very badly on the public comments that the CEO has made since then.
BELOT: Okay. So, you've been following this very closely, obviously listening to what we heard from the Optus chief executive, Kelly Bayer Rosmarin. What do you think of her conduct so far in this scandal?
PATERSON: Look, I don't really want to be a commentator on the CEO except to say that if it is the case that she has misled the public about the severity of this attack, if it is the case that she's misled the public about the level of protection that this data has had, she has said it was encrypted. She has said there were multiple layers of protection. That is difficult to believe given that it is out there on the internet freely available for sale. And I think there are very serious consequences which follow for her and for the company. But until we have the full set of facts, until a clear timeline is established, and until there is clear evidence out there, it's difficult for the public to make up their minds about who is telling the truth.
BELOT: Okay, let's turn our attention to the consumers who are, of course, implicated in this and what the government can be doing to help. You've called on the Department of Foreign Affairs and Trade to be paying for passports to be reissued. Why should taxpayers be footing the bill for the mistakes, it appears, of a private company?
PATERSON: I actually haven't said that. I've just said that it's incumbent on the government to ensure that the customers don't have to end up paying. I'd be very comfortable and very happy if Optus ends up paying the bill, but it requires the federal government, the Department of Foreign Affairs and Trade and the Foreign Minister, Senator Wong, to put that into motion. There are a number of state governments who've done this. The New South Wales Government, for example, has ensured that you can get a new driver's licence if it's been exposed and they've said they're going to send the bill to Optus. Great. That's a really good outcome. I'll be very happy to see the same thing happen for passports federally, because if you're a victim of this Optus attack and you feel you need a new passport, you want to get a new passport, you shouldn't be $200 out of pocket because you are a victim. The federal government should step in, make sure you can get it quickly and make sure it's paid for not by the victims but by Optus.
BELOT: We have a massive backlog, of course, in the passport office at the moment. How much pressure is this going to place on the visa application process, on the passport application process? Have you factored that into these calls?
PATERSON: Look, it depends on how many passports were affected and we still don't have that information from Optus or the government. We don't know if it is a smaller subset of the 2.8 million, if most of the ID used was driver's licences, for example, or if it was a larger subset of that 2.8 million. Really, these facts, basic facts, need to be on the public record and it's not good enough for either the government or Optus to hide behind a police investigation and providing information that customers need to secure their identity. They could be victims of identity theft if they don't know what steps they need to take to protect themselves.
BELOT: This data breach, I understand, goes back to 2017. So, it's many years of data. Should companies really be holding on to data over this many years? Do we need to re-examine that?
PATERSON: This is a really important issue. It's not clear to me that it was necessary for Optus to keep as much data as it did going back as far as it did, and certainly not to the detail that it did on some customers. It is true that when someone opens an account they are required to verify their identity. But it's not clear to me that, for example, a former customer who closed an account five years ago, it's still necessary for Optus to keep that data. But if Optus feels that it is necessary to keep that data, if they feel like they're legally required or it's necessary for business purposes, well then they should absolutely make sure it's protected, that it's encrypted, that it is not exposed to the internet in an insecure way. And it's very clear that they didn't do those things, given that we now know it's out there.
BELOT: James Paterson, thanks for talking to Capital Hill.
PATERSON: Thank you.
ENDS