
Reflections on the Optus hack with Tom Uren

This month, CyRise Elevate was joined by guest advisor Tom Uren. Tom is Editor of Srsly Risky Biz (created in collaboration with the Risky.Biz podcast) – a weekly Substack newsletter that features stories shaping cyber policy.

Based in Canberra, Tom is also a senior fellow at the Australian Strategic Policy Institute and spent 15 years at the Department of Defence in various roles. He has diverse expertise across internet and cyber issues and has published and researched international and domestic cyber issues including Australia’s Offensive Cyber Capability, the insecurity of the internet of things, and Chinese commercial espionage.

We invited Tom to talk about what threats and trends he is seeing in the industry. Below is an edited conversation from our Elevate session – where members of our community fired a bunch of questions at him… and, spoiler alert – they were mostly about the recent Optus hack!

You cover a cyber security gamut on the Srsly Risky Biz newsletter. What interests you most at the moment?

There’s a few! Espionage and intelligence – how nation states are using cyber to advance their interests. Offensive cybersecurity – activities that degrade, deny, disrupt… eg, the stuff that breaks things. How nation states are trying to use cybersecurity capabilities… And most recently – the Optus cyber hack, and its implications for ID verification.

Let’s start with Optus. Would you agree there’s not much responsibility being placed on Australian companies to stop breaches currently?

I think that for a long time, governments have been reluctant to regulate, and so privacy and data protection are weak. One of the problems when companies get hacked is that most problems are borne by other people. So, while the companies’ share prices go down for a bit, and there’s a bit of reputational loss… six months later – it’s like nothing’s happened. There was no financial cost. It’s all the customers and stakeholders who bear the majority of costs.

So because companies don’t bear the costs they don’t invest as they should. I think that regulation that imposes fines, so that the costs are borne by the companies – encourages them to invest at the right level. That way, if there’s a breach – it’s both a reputational and financial loss.

For the longest time, when breaches like this happen – governments have been confused about the right thing to do. And the industry lobbies against strict regulation, because it’s expensive. It’s been hard to weigh the costs… like, ‘What’s the real economic cost of 10 million people losing their driver’s licence?’. So that’s delaying stricter legislation. But when stricter fines are levied – the business community pays attention.

Another thing that’s happening is that ransomware has much larger costs on companies, and that also makes them pay attention. Sometimes a company only improves their posture on ransomware if a stakeholder in the company had been affected, even though the company themselves had not. Working on Srsly Risky Biz, I see how ransomware happens all the time – but often it has to have a direct impact on an internal stakeholder before change happens.

How pragmatic do you think authorities will be on implementing any new regulations?

I have mixed feelings about regulations. A lot of regulation attempts to do something but doesn’t succeed… and is just painful.

In the Optus case, I’m not certain they should be fined. But certainly what happened, it was an absolute clanger. They left an API exposed, so anyone could query for customer details. But it could be that Optus has mature cyber maturity processes and this was a bizarre one-off accident. In that case, I’d argue that they don’t deserve to be fined.

Typically, when you read about breaches, it often is ‘we knew we had a vulnerability, we didn’t patch it, and we ignored all the alerts’. It’s not yet clear if that’s the case for Optus, so it’s possible they don’t deserve fines.

But going back to the question – the level of education is low, so when you don’t know what you’re doing… you look for things that are verifiable and that might solve the problem.

Which do you prefer – principle-based (risk-based) regulation or standards-based?

Principles-based. I think what would be good is if you could say: assess this risk and make the decision. My view is that regulators don’t do that, because they don’t understand the situation themselves or how to articulate what would be sensible.

In Australia, should we be looking at what the US is doing – in terms of enforcing the reporting of ransomware payments – and potentially hold CISOs responsible for failing to disclose breaches?

I think I like the idea of transparency. In terms of aviation regulations, for example – if you don’t know what is going wrong – then how can you fix it? Aviation has a really robust way to go from accident to root cause, to fixing it – and that, I think, is pretty absent in the cyber security space. That said, aviation, I believe, is protected from legal cases when they are reporting errors.

Do you think the Optus data has really been deleted?

I think it has – but I don’t know. If I were an Optus customer, I would work on the assumption that it could be breached. I wrote a story comparing it to Australia’s Equifax, where a Chinese organisation stole 140 million people’s data from a credit reporting company, including at least some licence data. And that, as far as I know, has never appeared on the internet anywhere.

This one was different in that the Optus hacker immediately threatened to leak it and leaked some. But in another sense it may well be the same. The Equifax data could appear on the web tomorrow. There’s a looming threat that could remain… but I suspect it’s not going to turn up.

What policy change do you actually see in the near future, if any?

I think they will implement tougher fines – in terms of privacy legislation. The idea of informing banks was probably a good one. Banks may try to find that data anyway. I don’t know if they would buy it – but I think they would try to find out who is in that leak. Just to make it easier, if there was a mechanism to tell them whose ID was compromised. In Australia we don’t have many banks – so they’re big and very capable.

I think the Optus breach has implications for the government identity matching services. One possibility is that these kinds of leaks or breaches become more common, and so that kind of erodes the usefulness of ID numbers for identity verification. So that pushes ID verification towards facial recognition technologies… but I don’t think it will happen anytime soon. But it seems the government and Clare O’Neil want to be seen to be doing something, and I do agree that the privacy legislation is a bit weak.

If you’re looking to change regulation, it makes sense to start with critical infrastructure. At least last time I looked, we hadn’t gotten it bedded down… in that there was a bill that had passed, that makes critical infrastructure more accountable, but the regulations were up to each vertical. It is complex: electricity, water, gas, banks, fintech… there’s not one standard that can work across everything. Which makes sense – and so it will take time – but you want to bed down critical infrastructure first.

And then possibly apply that across other areas of the economy. That makes sense to me, but won’t necessarily happen. I guess I’d call that the supply side of regulation. And then if you make the demand side penalties higher… that gives companies more incentive just to look at the problems in the first place.

How would you describe how the threat landscape has changed from the perspective of senior management?

A few weeks ago I had a piece that listed all the things that happened in the last month. It’s quite a crazy list – a couple of governments hacked, a couple of pieces of critical infrastructure in other countries that had been ransomwared, and various teenagers had just managed to compromise very big companies.

To me, what’s happened is, there’s this kind of arms race that’s going on between the standard techniques companies and enterprises use – and the standard techniques that hackers use to break into them. One of the big ones is the rise of techniques to bypass Multi-Factor Authentication – prompt bombing. That has been known about for a long time, but it seems like every criminal now knows that you can do it and you don’t even have to do smart stuff.

I think MFA has been quite a good control – but now we’re realizing it’s not that good if hackers are savvy, and users aren’t smart with it. Perhaps organisations have relied too much on MFA being effective.

How do you manage the stress of your job?

My job isn’t that stressful. Sometimes I don’t know what I’m going to write about. Deadlines help.

How do you try to influence people?

I like talking to people and asking questions. Telling stories. Laying out a vision of what the world should look like. Like – the world is changing in XYZ way, and therefore we should do XYZ. Also, you can get good leverage from not just talking to the top person, but working their stakeholders.

What’s a book everyone should read?

Not sure it’s for everyone – but I liked Hilary Mantel’s Wolf Hall, about Thomas Cromwell.

What’s a podcast we should all listen to? (Other than Risky Business!)

I like the Odd Lots Bloomberg podcast; it’s about economics and the way the world works.

[Note from Tom: Oh, and I forgot at the time but my absolute favourite is 99% Invisible, which is about how the world is designed.]

What’s a band or artist you listen to?

I like 90s stuff. Red Hot Chili Peppers old stuff. Blood Sugar Sex Magik is a favorite.

Thanks Tom for chatting with us at CyRise Elevate.
