September 27, 2022
Tuesday 27 September 2022
Interview with Peter Stefanovic and Peter Khalil MP, First Edition, Sky News
Subjects: Optus cyber attack
PETER STEFANOVIC: Back to our top story now. The Optus hacker has released the private data of up to 10,000 people.Joining us live now is Labor MP Peter Khalil and the Liberal Senator James Paterson. Good morning, gentlemen. First to you, Peter. First of all, your reaction to this?
PETER KHALIL: Oh, of course. Very concerning, Pete. The security breach, which we know the minister has pointed out, rests with Optus. We shouldn't be expecting this kind of breach of this nature from a large telecommunications company and we're obviously doing everything we can do to support Optus through the Australian Cyber Security Centre and the Australian Signals Directorate to provide that support. But also our law enforcement and other agencies are monitoring all of this and investigating it and making sure that, you know, especially if people try by some stolen credentials, that the full force of the law is brought to bear. So it is very,very concerning.
But I just got to say one important point. I've heard the opposition, a conga line of shadow ministers led by Peter Dutton, the opposition leader, including James Paterson, who's here with me today, who've been clutching their pearls, so to say, being critical of the Minister for Home Affairs, 'where is she, where is the response'. Let me tell you what the Minister of Home Affairs has been doing. She's been fixing up a problem that is partly of their making. The previous government, the Liberal government, decided to exempt telecommunication companies from the security of critical infrastructure laws. They made that decision. It enabled this attack. Now Optus is responsible, but of course you know that we live in a very dangerous neighbourhood. We all agree on that and that decision. And of course, the Minister for Communications was a former Optus executive, Paul Fletcher. So they left out the telcos because the telcos said, 'oh, we've got this, we can handle it'. But of course that has meant that they have left not only the door unlocked in this dangerous neighbourhood when there's a rise of cyber attacks and cyber criminals and so on. They've left it wide open. They've left the back door open and they've left the windows open.
STEFANOVIC: Okay, there's a bit to get through there and I will get your response to that, James. So first of all, back to this threat today. The threat, it seems,has been backed up with action with up to 10,000 people having had their data released. Now, the threat is that 10,000 every day will have data leaked. Your thoughts on that?
SENATOR JAMES PATERSON: Peter, this will be very distressing news for Optus users this morning. I've been contacted over the last week by many anxious and concerned Optus users who've been asking why has the company made a decision to expose them in this way? And Peter Khalil is right. Optus bears the overwhelming responsibility for this, but that doesn't exempt the Government from its responsibility and the public response, at least from the Government, has been slow. For three days after the attack, the Minister for Home Affairs made no public comment at all and her first public comment came at three quarter time with a grand final and in the form of three tweets. It took five days before the Minister made a media appearance on ABC yesterday, and the Minister has still not fronted a press conference to answer questions about what the government did and when it did it. Now, I have no doubt that the highly professional team in our intelligence agencies like the Signals Directorate, the Cyber Security Centre and the Australian Federal Police are working day and night and throughout the weekend to do everything they can. But the public needs to be reassured that the Government is using the powers that it has within its remit to address these issues. And until they hear the Minister say that she has done so, they don't know that.
Peter is actually not correct. The telecommunications industry is not exempt from the security of critical infrastructure legislation. I encourage him to go and read it and also to read the Parliamentary Joint Committee on Intelligence and Security's report into the legislation last year before it passed. The 11 sectors includes the telecommunications sector, and many provisions of that legislation do encompass the telecommunications sector, except where it is already regulated by telecommunications regulation. And in fact, the Communications Minister Michelle Rowland, has issued parallel regulations this year to mirror the provisions in the security of critical infrastructure legislation. So there are no gaps in the legislation. There is no instance where the telecommunications sector is not regulated. The only way in which the telecommunications sector is not covered by SOCI is if it is already covered by telecommunications regulation. So the intention of the Act, which I believe has been reflected in the law and certainly the recommendations of the committee,was to ensure that everyone is covered by a minimum standard and that if necessary, higher standards are applied to more sensitive industries. Now it'snot clear whether the Minister has applied all the powers available to her under the Act, and it's up to her to say if she has.
STEFANOVIC: Alright. Peter, should Optus just pay the ransom?
KHALIL: Well, hold on. Before I answer that kind of question, just to respond to James, the important word that he used or two were 'except for' and that was the point I was making. There was a decision made that the telecommunication companies, large telcos, would be exempt from SOCI, from the security of critical infrastructure—
PATERSON: Not true. That is not true. Have a look at the legislation Peter, they are not exempt.
KHALIL: Well no, they are not included by your very own words. [Inaudible]
PATERSON: Wrong, go and have a look at the legislation, they are included.
KHALIL: They are included under a different regime and a different set of legislation. You just said that they were they were covered by a different set of laws. Is that right?
PATERSON: Peter, they are covered both by SOCI, and by telecommunications sector regulation.
KHALIL: Oh both? Well you were just saying except for when they are covered by the other set of laws. Anyway, we're getting into some fine detail here. Where I do agree with James and what he did say correctly too is that our agencies,the ASD, Australian Cyber Security Centre and AFP and other security agencies are working around the clock. And this sort of political criticism of the Minister, when she has been working around the clock, as he would know, when attacks like this happen, they can be at least initially very complex to work out what's going on. In this case, this has been a pretty simple hack, at least not a very complex hack. And obviously the anger that people have towards Optus for not preparing themselves and being properly protected for that from the cyber security attacks is a critical point in all of this debate. But the Government is doing everything it can to––
STEFANOVIC: What makes it a simple hack?
KHALIL: Well, as I said, it is not a sophisticated hack––
STEFANOVIC: But what makes it a simple hack?
KHALIL: Well, I'm not a computer expert or a cyber expert like some others, but there are different levels of complexity. And the Minister herself had pointed out that it wasn't necessarily a complex security hack on the 7:30 Report last night.
STEFANOVIC: So should Optus just pay this ransom to stop more private information from being released?
PATERSON: Peter, can I jump in quickly on this issue of whether it was a simple or sophisticated attack? Because this is a really important point. On the 7:30 Report last night, the Minister for Home Affairs effectively accused Optus of misleading the public when Optus has said this is a sophisticated attack and she said in fact it's a very basic attack. Now I'm aware of the facts that led the Minister to reach that assessment and I agree with her assessment and it is appropriate if she believes that Optus has misled the public for her to be very candid with the Australian public about that. So I welcome her comments.However, what she hasn't yet done is explain to the public the facts that she's aware of which has led her to make that assessment and I think the Australian people deserve to know, within the appropriate bounds without revealing any classified intelligence information, of course. Optus users in particular are entitled to understand if it is the case that Optus is misleading them about the severity of attack. That's a very serious accusation for a federal minister to make and it's important that it's substantiated.
STEFANOVIC: And that seems like a fair enough point to argue against the Home Affairs Minister, Peter?
KHALIL: Well, look, the Minister has been very, very clear in her statements.And I dispute James's characterisation. She's been on the 7:30 Report once all of the information and the issues have been sorted through and been briefed by all the detail that she's had to go through since this attack. She's been open and clear on the 7:30 Report, which no disrespect to Sky, is a pretty well watched program and has been out there as well in parliament [inaudible].
STEFANOVIC: I'm just running out of time. There's a couple of quick questions I want to get to. So, should Optus just pay the ransom to stop more private information from users from being made public and used against them?
KHALIL: Look, I'm not going to answer that kind of question. This is not a––
STEFANOVIC: But why not? I mean, if there's been a simple attack here. Shouldn't they just pay it and get it over and done with?
KHALIL: But this is not a question that the government or the opposition or the parliament has to be responding to. This is obviously a matter for Optus, but my personal view would be in my experience that you don't reward this kind of behaviour. Obviously, some of these issues, I don't know all the details, I haven't been fully briefed, but my personal view would be that you would not be rewarding this kind of criminal behaviour.
STEFANOVIC: Okay. Just to follow on here. James, the Telecommunications Act dates back to 1979. The world, as you know and as we all know, a very different place now. Does this prove that protection laws are out of date and need to change?
PATERSON: Well, certainly the Act commenced then, but it would have been amended two dozen, if not three dozen times since then to keep pace with technology,including it's been recently reviewed by the Intelligence Committee last year we did make some recommendations about it. Of course, the opposition is very open to supporting any constructive proposals that the government has to change the law. We will provide bipartisan support for any sensible changes that the governments bring forward.
My concern is, though, that those changes, as important as they might be and as necessary as they might be, are not going to provide much comfort to the 10 million Optus users. What they want to know is what steps the government has taken already to protect them under the powers they already have. And the Minister herself has praised the former government for its passage of that security of critical infrastructure legislation. In public interviews, she's recognised how world leading that is. And when Peter and I were in the United States recently, it was repeatedly raised with me how important that legislation is and how jealous the Americans are that we have those powers. But the powers are only good if they're actually used, and that's the test that the minister has to meet today and explain.
KHALIL: Can I just say just quickly in response to James. The minister has also, and I agree with James,there is a real need for substantial reform, she's outlined that and that includes investigating where cyber security requirements we currently have in place are fit for purpose, particularly for telcos and other companies. So there is an intention to work across the parliament in pursuing this and I'm really pleased to hear that the opposition is keen to work in a constructive way because we do have to get these laws up to scratch and fit for purpose.
STEFANOVIC: Peter and James, a nice extended chat there. Appreciate your time that we've got to go, but thank you. We'll talk to you again soon.
ENDS
