Australian telcos will soon follow other critical infrastructure operators in having to submit a yearly statement on risks and mitigations to the government.
The Department of Home Affairs revealed Monday that it, together with the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA), has been working with industry to “co-design a harmonised security regulatory framework for the telecommunications sector”.
“This includes the development of a bespoke telecommunications RMP,” Home Affairs said in a submission [pdf] to the Optus outage inquiry.
RMP stands for risk management program [pdf] and is a key obligation on critical infrastructure operators that are subject to the Security of Critical Infrastructure (SoCI) laws.
Telcos are exempt from SoCI, in part because they have their own sector-specific security laws with which to comply.
But the government recently indicated it planned to bring telcos under SoCI.
This would have two impacts on the sector: it would give the government intervention powers on serious cyber incidents, and it would also force telcos to map out risks and mitigation strategies.
Home Affairs’ submission shows that the risk mapping work is reasonably advanced and is progressing even without telcos being formally brought under SoCI.
While the capability is being developed ahead of time, legislative change may be needed to enforce it.
“The RMP obligation, once turned on for the telecommunications sector, would uplift core security practices, and ensure responsible entities adopt a holistic and proactive approach towards identifying, preventing and mitigating risks from all hazards,” Home Affairs said.
An RMP would force all telcos to have processes “to detect and respond to threats, such as deep network issues, as they are being realised”, and to have “robust” mitigation and recovery measures.
“As the Optus outage has demonstrated, risk is more complex than ever and consequence management cannot be limited to a single vector,” Home Affairs stated.
“The loss of services, regardless of the cause, resulted in significant impacts on a business and personal level, and caused huge consumer distress.
“The government is considering possible avenues to ensure legislative levers are sufficient to manage these consequences.”
Optus outage
Home Affairs’ submission details some early confusion around government response mechanisms to the outage, as it was unclear for a long period of time whether or not the incident was cyber security-related.
Department officials first made contact with Optus via the encrypted messaging service Signal to offer incident response assistance.
At some point - mid-morning by Optus’ own chronology - the telco ruled out a cyber incident as the cause, and told the government the cause was “unspecified technical issues”.
The Cyber and Infrastructure Security Group in Home Affairs led the government response, but the National Cyber Security Coordinator “remained engaged to ensure coverage in case the information about a cyber attack changed.”
“It should be noted that at the time of the outage, neither Optus nor the department were able to categorically rule out a cyber attack or other malicious action being the cause of the incident,” Home Affairs said.
“At the time of writing this submission, the department has not received any further information that would rule out any malicious action as the cause.”
Optus went on to brief Commonwealth, State and Territory officials “on what it knew about the incident” at 2pm AEDST.
“This included some technical detail of the fault that was causing the outage, although a number of details remained unclear,” Home Affairs said.
Home Affairs said it “cannot rule out” the possibility that Optus could face a future investigation over its compliance with the Telecommunications Act.
In particular, under Part 14 Section 313(1A), licensed carriers “must 'do their best' to protect their networks and facilities from unauthorised access and interference”, Home Affairs said.