First, Optus’ mobile network goes down for 14 hours in a nationwide outage.
Days later, DP World is hacked and its port operations grind to a halt for days, leaving shipping containers piling up.
Weeks after that, Westpac customers are left unable to view or access their online accounts for 9 hours after a botched software update.
These outages at major Australian infrastructure and service providers — all occurring in the past month — at best inconvenienced millions and at worst created life-threatening situations, with some Optus customers reporting being unable to dial triple-0.
It was enough to bring Australians’ reliance on digital services into focus.
A Senate inquiry into the Optus outage is asking how, as a society, we can ensure reliable access to essential services.
But why are we having these outages in the first place? Is it just the cost of living in the digital era?
Systems will go down
“We’ve generally done telecommunications so well that we as a society have come to expect that you can walk into any shop and pay with your phone,” Narelle Clark, CEO of the Internet Association of Australia, says.
“In reality, these things can and do go down periodically.”
There’s no silver bullet — in a hyper-connected world, services we rely on will occasionally fail.
How we deal with that reality, she says, comes down to a “cost equation and a risk equation”.
“We will incur higher costs to deliver services at that level of reliability, if indeed that’s what we really truly want as a society.”
This poses difficult questions about what we can’t live without, and who is responsible for making sure the infrastructure needed to deliver it is up to the task.
We have an act for that
For the most critical infrastructure, such as supply chains and communication networks, the government has a role to play in its resilience.
It legislated the Security of Critical Infrastructure Act (SOCI) to facilitate this.
The SOCI Act enables the government to undertake risk assessments of critical infrastructure, and issue directions to operators to address national security risks.
However, in 2021, the federal auditor-general found the Home Affairs Department’s management of the program wanting.
“[Home Affairs] does not have an established system to monitor existing critical infrastructure related compliance activity,” it wrote.
“Department records identify that compliance activities for only one category [of five] were finalised. The process was not completed for all assets.”
A case study in the report found that Home Affairs had failed to follow up with telecommunications carriers that had not engaged with the department.
This was said to be “due to resourcing constraints and other high priority tasks at the time”.
These criticisms are echoed by Narelle Clark. She is the CEO of the Internet Association of Australia, which operates internet exchanges that fall under the SOCI Act.
“Our concern with SOCI is that it imposes a whole lot of regulatory burden for very little payback,” she says.
“We’ve got a massive pile of paperwork to do that in reality distracts us from the actual work of securing our systems and infrastructure.”
Following the Optus and Medibank cyber attacks in 2022, Minister for Cyber Security Clare O’Neil flagged reforms to the SOCI Act to increase the government’s ability to intervene during cyber attacks.
When DP World, Australia’s second-largest port operator, was hit by a cyber attack last month, Home Affairs confirmed that all four affected ports were covered by the SOCI Act.
Despite evidence suggesting poor cyber security hygiene at DP World, Home Affairs would not provide any information about how SOCI would be used to create accountability for the incident.
The technical detail surrounding security incidents is often too sensitive to reveal to the public.
A Home Affairs spokesperson says the government “has been working closely with industry to develop effective rules to protect Australia’s critical infrastructure”.
Looking to alternatives
While the recent outages had disparate causes, the link between them is the lack of resilience they uncovered.
Resilience is about more than just security. It’s also about spreading the burden, removing bottlenecks and having redundancies in place.
Before the shift to digital communications, people caught in emergencies could rely on two-way radios.
Before the shift to online banking and digital wallets, people carried cash. Others would suggest that cryptocurrencies are the solution to single points of failure.
Ultimately, all of these technologies can play a part.
In the UK, the government has set minimal expectations on banks to “protect services for people and businesses wanting to withdraw or deposit cash”.
New York City has mandated that all physical retailers accept cash.
The same is not true in Australia, however, with many shops only accepting card payments.
Cash Welcome, an affiliate of the ATM industry association, made a submission to the Senate inquiry into the Optus outage recommending these requirements be implemented in Australia.
“The digitisation of the economy will likely result in more days when outages prevent Australians from making financial transactions,” Jason Bryce, Cash Welcome’s campaign coordinator, wrote.
“The cash system is essential national economic infrastructure that can’t be dismantled then turned on again when required.”