Well, no.
While Optus has recently run scenario planning on an outage that could take out a single state – its recent tests included the loss of Western Australia and South Australia – nothing like the total shutdown we saw last week had been war-gamed.
“We didn’t have a plan in place for that specific scale of outage. We have high levels of redundancy, and it’s not something we expect to happen,” Optus’ managing director of networks, Lambo Kanagaratnam, said. “For us to lose 90 routers in one outage is not something we contemplate.”
The gap in planning showed clearly on the day of the outage. As Bayer Rosmarin ran through the timeline of the morning in detail, the biggest lesson she was willing to own up to was that not enough of its people had virtual E-SIMs that would have allowed its people to switch to alternative networks faster, and so improve their communications.
“You had insurance for yourselves, but your customers didn’t. Do you think that’s a problem?” Greens senator and committee chairman Sarah Hanson-Young asked.
But Bayer Rosmarin defended her decision not to personally appear in the media, or send spokespeople out to do that same, saying she “prioritised the team’s actual crisis response”.
The Optus media team, she said, decided it could essentially rely on the media to keep customers updated – she even went so far as to thank the fourth estate for its hard work on the morning of the outage.
“It’s actually unusual for a CEO to appear at all during an outage because the public would expect that my focus is on working with the teams to resolve the issue,” Bayer Rosmain insisted.
But Hansen-Young, Grogan and Liberal senator Hollie Hughes pressed Bayer -Rosmarin on that decision, with the latter asking why it was left to Communications Minister Michelle Rowland to go out on radio to reassure the nation that Optus was working on things.
Bayer Rosmarin insisted the Optus communications response was effective. “Our teams did the best they could with the channels that were available to them. It is frustrating when you have an outage of that magnitude, and you’re unable to provide clarity. So I fully appreciate how frustrating it was for all our customers.”
Hughes was having none of it. “Isn’t that the problem? You provide a service to over 10 million people and not just individuals, government agencies, emergency services, businesses, and all they got for ours was a couple of lines that said, ‘sorry, our services are out, we’re working on it.’ You’ve got to understand surely that that just is not good enough.”
Hanson-Young also asked about the apparently contradictory statements between Optus and SingTel over who was responsible for the outage. Bayer Rosmarin said SingTel had approved the original Optus statement, and the follow-up statement from SingTel was merely a clarification.
“They needed to clarify a statement that they’d already signed off on?” Hansen-Young said. “For a communications company, the communications are pretty lousy. Both at the time of the crisis, and in the aftermath.”
Both Bayer Rosmarin and Kanagaratnam insisted the company that after a week of forensic investigations and detailed discussions with its technology partners, Optus has put in protections that will ensure the outage previously thought impossible will not happen again. But the Optus boss had to be pressed by both Hanson-Young and Grogan into finally – finally – conceding that not putting a public face to the company’s initial statements on the outage was “less than ideal”.
“I think that’s a great suggestion, and we will, of course, take that on board,” Bayer Rosmarin said.
Grogan then went to the heart of the question facing Optus: following an outage that the telco never believed possible, and a response that has been so heavily criticised, are the telco’s risk management processes sufficiently robust?
Bayer Rosmarin insisted they are, arguing that Optus has been so scarred by the “very real lived experience as a company” of last year’s cyberattack
“We as a company completely understand the implications that come from one of those risks eventuating, and we’ve put in the hard work to recover from that once before. So there is nobody in the company who would have wanted something like this to happen again. Not just because we have risk management processes and strategies to go through, but because we have a lived experience of it as well.”
But herein lies the problem for Bayer Rosmarin and indeed the broader Optus management team.
While Bayer-Rosmarin actually performed pretty well in front of an intense session were her interrogators often seemed keen to provoke the sort of clash that looks good on the nightly news – even sharing a joke with the committee when she needed to check something on her phone – the question of whether Optus learnt enough lessons from that hack remains.
If the cyberattack was so scarring – and it clearly was – why didn’t Optus at least do scenario planning on the sort of large-scale network failure that occurred? Why wasn’t something as simple and obvious as the critical incident team having E-SIMs taken care of? Why wasn’t the media communications plan as fine-tuned as a Ferrari?
Why wasn’t the lived experience that Bayer Rosmarin referred to more evident?
Nationals senator Ross Cadell, who demonstrated deep telco technical knowledge during his time as interrogator, finished the day with the question that will hang over Bayer Rosmarin.
“Given you didn’t know the weakness in the network, given you haven’t responded to the customers well, given you haven’t reflected your staff’s attitude, isn’t it a time for new leadership at Optus?”
Bayer Rosmarin, who earlier told the committee she hadn’t read The Australian Financial Review report suggesting she is considering her position as CEO, danced delicately around that one, too.
“Well thank you Senator, I will take that on board.”