Optus Defence satellite’s future clouded by breach

By Julian Bajkowski

September 29, 2022

Optus currently provides dedicated Defence bandwidth through its C1 Satellite. (Department of Defence; Image: Defence)

A series of all-out ministerial sprays and accusations against Optus from the prime minister down, stemming from the carrier’s failure to reveal that Medicare numbers were snatched in a massive data breach, has sent political trust in the company spiralling to a new low.

Now there are questions reverberating in security circles about the implications for Optus’ current and future Defence contracts.

With the post-election Defence Strategic Review currently in train and actively scoping for dud projects and deficiencies, the Optus hack and overt loss of government faith in its management could not come at a worse time for the company, as cabinet keeps its options wide open.

Optus currently provides dedicated Defence (and media) bandwidth through its C1 Satellite, launched in 2003, with the lifespan of the so-called ‘hot bird’ recently extended for more than a decade under a $400 million deal.

More precariously, Optus is also party to a joint bid for the massive JP9102 next-generation satellite-replacement program, estimated to be worth between $6 billion and $8 billion, with the ‘big bird’ rebuild supposed to deliver a next-generation constellation of heavy, high-power satellites.

Team AUSSAT

Part of “Team AUSSAT” (which also includes Raytheon and Thales), Optus revealed its JP9102 pitch a year ago amid substantial fanfare and stiff competition from the likes of Boeing and Northrop Grumman.

Optus CEO Kelly Bayer Rosmarin last year described the bid as “a unique proposition being the only team with an unrivalled history of owning and operating satellites in Australia, by Australians, for Australians — drawing synergies from two partner companies with their exceptional pedigrees in building and delivering world-class Defence capabilities.”

However, the Singaporean ownership structure of Optus has never been uncontroversial in national security circles, chiefly because of the uncomfortable situation of a foreign government outside the Five Eyes signals intelligence club owning a supposedly sovereign domestic military communications asset.

There is also a strong precedent for Defence shredding contracts over information security breaches and disclosure failures.

OPSM’s parent company Luxottica Australia was relieved of its duty as the Australian Defence Force’s optometry provider in 2014, after it sent claims information overseas in breach of its $33.5 million contract.

Judgment call

The severe breakdown in relations between Optus’ current management and the government, and the way the security breach has been handled and disclosed, has also made seasoned observers uneasy about the company’s culture and soundness of judgement.

On Wednesday, the prime minister tabled a letter from foreign minister Penny Wong to Optus’ CEO, and thus its board, telling them the company would have to pay the cost of reissuing passports to those people whose details were compromised.

This was a calculated rebuke to produce a conspicuous loss of face for Optus.

The successive pile-on by ministers to declare Optus a privacy and information-security pariah corporation amounts to an ultimatum to SingTel’s parent, Temasek, to publicly discipline its local division or risk gradual public sector excision.

Optus is facing similar reputational loss across states and territories, where long queues of breach-affected people looking to roll over their driver’s licences formed outside government service centres.

There is also debate about whether a person claiming to be the hacker and demanding a million-dollar ransom is the actual perpetrator of the hack or an opportunistic imposter, and whether the sudden withdrawal of the ransom demand and the claim that they had deleted the stolen data indicated an amateur extortionist.

The problem for Optus is that there is still likely worse to come.

Footprints in footprints

Three different sources familiar with cyber operations have told The Mandarin that more than one threat actor may well have used the exploited vulnerability that led to the disclosure, opening the possibility that Optus may not know what it has lost or what has been compromised.

The prospect that more than one hacker was using the same hole in Optus’ systems significantly deepens the implications of the cybersecurity failure; it means other, more skilful and potentially state-backed intruders could have been through the carrier’s systems without being detected.

Prima facie it’s criminal; beyond that, it’s almost certainly highly compartmentalised.

This is regarded as a highly aggravating factor.

A known element of cyber espionage tradecraft is that more sophisticated or state-backed actors exploit existing holes, which lets them avoid detection and cover their digital footprints. It’s footprints in footprints, and so on.

The appeal of using other people’s exploits is that the cover or false flag of another hacker’s hole allows more sophisticated operators to remain undetected for longer, and obfuscate exfiltration. The muddying of attribution is a bonus.

Lots of cats could have slipped through a half-open window, even if only one was spotted, it was suggested.

Gronks vs Sophists

The fact that Optus currently has a sensitive and long-running Defence satellite on its books will only raise the political stakes and the blood pressure of key stakeholders.

The persistent attacks in parliament and media by the government directly calling out Optus’ non-disclosure of the presence of Medicare numbers amount to a declaration of broken trust in the carrier’s incumbent Australian management and potentially Optus’ overseas owner, SingTel.

A key fissure is Bayer Rosmarin’s reference to the hack being “a sophisticated attack”, which in cyber diplomacy terms equates to de-facto state-backed actor attribution, most frequently attributed to China.

The “sophisticated attack” reference is understood to have badly irked policymakers and agencies alike, who try to tightly control such language, and was forcefully shut down by home affairs minister Clare O’Neil on the ABC’s 7.30 Report with Laura Tingle.

“It wasn’t,” O’Neil said bluntly, before spending the next 48 hours in the media criticising Optus’ security proficiency and characterisations.

The incident has been referred to the Australian Federal Police, indicating that the Australian Signals Directorate believes the incident that triggered the breach notification is essentially a criminal matter.

The AFP has launched Operation Hurricane to find the unsophisticated perpetrator, roping in the Federal Bureau of Investigation.

The investigation could be protracted and complex, the AFP warned, just before the first Chalmers Budget.

Operation Hurricane is unlikely to blow over anytime soon.
