Tag Archive for: Optus

Australian network resilience and the importance of diversification

The Optus telecommunications network failure followed closely by the cyberattack on DP World, one of Australia’s largest port operators, painfully demonstrated modern society’s dependence on its digital backbone. When critical infrastructure fails—through malicious means or human or technical error—the ensuing havoc is costly, life-threatening, and potentially catastrophic to our inter-connected network of systems. These events demonstrate how monopoly or dependency within or between sectors may offer short term benefit while creating long-term vulnerability. We cannot afford to advance technologically without ensuring parallel gains in resilience, security, and reliability.

Unsurprisingly, diversification remains the best way to inoculate against the worst of the potential scenarios. Identifying the best combination of technologies is far more pressing than arguing which technology is superior to another, especially when malign actors possess the means to contest our interests across all domains (land, air, sea, space, and cyber). The network failures highlight that the resilience of Australia’s communications architecture is an immediate concern magnified by the vulnerability inherent in 95% of internet traffic facilitated by submarine cables.

Cautionary examples involving China and Russia amplify concerns. In February, Taiwan saw Chinese vessels damage in close succession the two undersea cables connecting its main Island with the Matsu Islands, producing what has been referred to as an ‘invisible blockade’. In October, two subsea telecommunications cables and a gas pipeline in the Baltic Sea were damaged, with Russia and China the suspects. Finnish authorities recovered the anchor of the vessel involved and determined that the culprit was a Chinese ship, but the vessel is also linked to the Russian company, Torgmoll.

The vulnerabilities and risks for Australia and the region are multi-faceted and have triggered prudent actions to expand, harden, and diversify the communications network architecture. Prime Minister Anthony Albanese’s visit with US President Biden on 25 October yielded commitments from both nations to enhance digital connectivity through expanded commercial subsea cable systems in partnership with Google/APTelecom/Hawaiki Nui; to improve telecommunications diversity and resilience through initiatives like Open Radio Access Networks (Open-RAN); and to increase advanced technology and space cooperation. These initiatives not only promise improved network resilience but also offer infrastructure and capability investments that contribute significantly to the public good of Pacific Islanders—an arena where China has made a strong investment.

Related is the critical importance of immediately expanding Australia’s ability to transmit and receive unprecedented quantities of extremely sensitive data. Investment supports defence collaboration on AUKUS pillars, facilitates data-driven advanced military capabilities (like the F-35 joint strike fighter) and processes (such as precision long-range fires), and expanded data-centric simulations and exercises. Complementing the primacy of submarine cables, space-based and near-space-based network capabilities will be critical to this.

Development of next generation military satellite communications is underway with Defence Project JP-9102 Phase 1, now with Lockheed Martin as the preferred bidder. This will see up to four large military communications satellites in geosynchronous orbit (GEO), as well as multiple ground stations across Australia, a new integrated satellite communications management system, and two new satellite communications operations centers. Initial operating capability is planned for 2027.

The Australian Space Agency has released its Communications Technologies and Services Roadmap 2021-2030 that incorporates investment in the development of small satellite technologies as part of proliferated low-earth orbit (‘pLEO’) constellations, development of both RF and optical satellite communications, and quantum enabled communications. The roadmap embraces the development of satellite communications network management tools to ensure cyber-resilient multi-band and multi-network tools, and sophisticated ground segments with reconfigurable networks.

Critical for Australia is a sovereign owned and controlled military satcomm capability complemented by a commercial sector with locally built, launched, and controlled satellite constellations. Investment in large, proliferated LEO-based constellations of satellites—for defence or civil use—is vital. Relying on a few large, complex satellites as a sole space-based communications provider is as risky as relying purely on submarine cables for global connectivity.

By investing in the ‘small, cheap and many’, Australia can best support local small to medium enterprises within our commercial space sector and leverage rapid innovation cycles. Rather than billion-dollar satellites which take years to build and which are difficult to upgrade in orbit, small satellite technologies can better exploit innovation through multiple generations of design, and can be launched at low cost.

Reusable launch is making accessing space cheaper, and on-space logistics for refueling, repairs and upgrades will see the cost of using space fall further. These launch vehicles also allow rapid augmentation of satellite capability, or reconstitution of capability lost to enemy action. Furthermore, large constellations of small satellites in LEO are less exposed to space weather than a small number of large satellites in GEO.

Add the potential for high altitude pseudo satellites (HAPS) that are effectively solar-powered uncrewed air vehicles able to fly for weeks in ‘near space’ (from 18km to 100km above the earth’s surface) and have the potential to serve multiple roles including emergency communications.

The provision of space-based internet, such as that provided by SpaceX’s Starlink and Amazon’s Project Kuiper, and more traditional satellite communications, is now well established. Tech trends suggest future mobile phones will be directly integrated with satellite communications to provide an ‘always connected’ approach irrespective of the presence, or lack of, terrestrial microwave communications towers. The growth of satellite mega-constellations providing broadband access will continue and will complement the large volume data exchanges via submarine cables.

Given known vulnerabilities and diverse threats to critical infrastructure, there’s no perfect technology to provide Australia’s required levels of capacity and resilience. The answer is to embrace diversification and invest in the right combination of communications infrastructure from the ocean floor to the furthest satellite. Australia’s digital architecture will derive its future strength through multiple technology paths and an ability to quickly augment and reconstitute lost capability.

New approaches needed to prevent another Optus-level data breach

Last week’s Optus data breach exposed the personally identifiable information of up to 9.8 million customers and former customers in Australia, including sensitive identity document details, with records going as far back as 2017.

Although details of the extent of the hack are still emerging, there are already important lessons we can draw—beyond the usual cliches such as ‘Data breaches are a matter of when, not if’, and the generic advice to change passwords and patch systems that get recycled after every major cyber incident.

Although Optus has been clear that no financial details or passwords were stolen, the biggest concern is the leaking of customers’ names and dates of birth, matched with details like driver’s licence or passport numbers—the sort of information needed to pass a standard 100-point ID check, and hence the perfect ingredients for fraud, scams and manipulation.

In the short term, the onus is on Optus to inform the affected individuals, who then need to monitor their accounts and credit activity. In the bigger picture, Home Affairs Minister Clare O’Neil is expected to announce reforms requiring banks and other institutions to be notified more quickly about breaches so they can safeguard customers’ accounts. We will never stop 100% of cyberattacks 100% of the time, so this could be a good step forward to improve the ability of our economy and society to recover from such incidents.

But what more could be done to reduce the risk of such breaches occurring in the first place and to limit the immediate impact when they do occur?

Best practice is for organisations to store only the data they actually need and delete it as soon as it’s no longer needed. Angry Optus customers have questioned why the company kept such sensitive person information for so long. However, telecommunications companies operating in Australia are required to verify the identities of those they provide services to, as part of regulations to prevent many other types of crimes. That obligation means they also need to keep records of such checks for audit purposes, typically for seven years.

If such data needs to be held, how can it be made more secure? The standard response of armchair commentators is to recommend encrypting the data, which Optus claims to have done. That didn’t seem to help. This is unsurprising if, as it has been suggested, the attacker got authorised access to a standard application programming interface to the data, known as an API. In order to be useful, the API would probably have been set up to automatically decrypt the requested data before sending it out to the requestor.

Encryption does secure data if it’s set up correctly, but the data must be decrypted for practical use. Encrypting data on your laptop is useful if you physically lose it, but in normal use it conveniently automatically decrypts everything for you as and when you need it. Similarly, encrypting data on a server in a data centre may provide protection against someone physically accessing the equipment and directly stealing the data, but not necessarily against an attacker who gains authorised or unsecured access through an online service.

Another approach could be to mandate that particularly sensitive information be kept in separate systems that require additional layers of authorisation to access. Thanks to the regulations for online payments (known as PCI-DSS), that already happens with credit card numbers, which probably explains why Optus is confident the attacker didn’t get access to customers’ payment details. Arguably, similar protections should apply when driver’s licence and passport numbers are being stored.

An even better answer could be introducing innovative approaches that allow companies to verify customers’ identities without collecting or storing their personal information. One such solution that already exists is the Australian Digital Identity system, to which the government committed more than $250 million in funding in the 2020–21 budget. Customers sign up with an accredited identity service provider, such as myGovID, which verifies their identities against official government sources. They then use this verified digital identity to prove who they are to ‘relying parties’.

One example already in operation is obtaining a tax file number online, where the Australian Taxation Office (the relying party) communicates with myGovID, which in turn uses a phone app to verify the physical presence of the individual. The customer chooses which data gets passed to the relying party, which then has the assurance of a verified customer identity without needing to directly obtain any personal details.

There are still many barriers to achieving broad uptake of the systems. In particular, security and privacy safeguards and responsibilities need to be clarified, since identity service providers would become high-value targets. More work is also needed on a proper legislative framework, acceptable governance arrangements and a charging framework.

The previous government published draft digital identity system legislation in late 2021 that would help stimulate the necessary debate needed on this subject, but the incoming government hasn’t progressed it yet. Perhaps this incident will provide the encouragement needed to take on this thorny subject and find a way forward that could genuinely stop a repeat.