Over the last two years, Optus has led innovation in the telco sector in exactly one field – brand management. Unfortunately, the innovation has mostly been for the benefit of other telcos, though not exclusively.
The starting point for accountability has to be the board of directors. The board should have had a better plan for managing cybersecurity risks.
Similarly, the board should have included “complete network failure” in its risk register (we should at least presume they did) and ensured an effective mitigation plan was in place. That plan should have included a communication plan, just as it should for cyber breaches.
There is a simple saying in business that in times of crisis, leaders generate clarity. Consumers regularly state that communication about likely restoration time is more important than the restoration itself.
Optus distinguished itself by its lack of communication during and after the event. They have posted no media release about the event.
We can only imagine the event inside Optus, where all the internal communications and executive mobiles were out of action.
The chief executive Kelly Bayer Rosmarin resorted to WhatsApp to call the ABC. This belated appearance apparently followed a very blunt message from Communications minister Michelle Rowland two hours earlier (and four and a half hours into the event) to communicate with customers.
Repeating the failure to communicate with customers suggests that Optus hasn’t been taking full advantage of the wisdom Gladys Berejiklian could provide on the topic.
However, despite the suggestion that the former Premier might replace the current CEO, shareholders, regulators and customers must look one level higher at the Australian board and its chair, Paul O’Sullivan.
The first explanation offered on the FAQs: “The outage was the result of a cascading failure from a network event.”
This could describe anything, but the leading candidate among pundits is a Border Gateway Protocol error that overloaded the Optus network with routing requests. This could have been just a result of simple human error.
That information has been updated to state: “The Optus network received changes to routing information from an international peering network following a software upgrade. These routing information changes propagated through multiple layers in our network and exceeded pre-set safety levels on key routers. This resulted in those routers disconnecting from the Optus IP Core network to protect themselves.”
This doesn’t tell us which network made the software upgrade, though the implication is it was the international peering network. It is hard to understand how these changes resulted in an increase in traffic to Optus.
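The mechanism Optus describes, a burst of routing information propagating through network layers until routers hit pre-set prefix limits and drop their sessions, can be modelled in a few lines. The following is an added, constructed illustration, not Optus's topology, configuration or code: the router names, the limits and the 10.x.x.0/24 prefixes are made up, and the two protective actions ("teardown", which drops the upstream session, and "warn", which caps what is accepted and keeps the session up) stand in for the max-prefix behaviours that production routers offer.

```python
"""Toy model of a BGP prefix-limit cascade across network layers.

Constructed example; topology, limits and prefixes are invented and are not
Optus's configuration. A burst of routes enters at a peering edge router and
is re-advertised to two internal layers. Every router enforces a pre-set
maximum number of accepted prefixes and, when a session exceeds it, takes a
protective action.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    max_prefixes: int            # pre-set safety level for the upstream session
    action: str = "teardown"     # "teardown": drop the session; "warn": cap and keep it
    downstream: list[Router] = field(default_factory=list)
    learned: set[str] = field(default_factory=set)
    session_up: bool = True


def announce(router: Router, prefixes: set[str]) -> None:
    """Deliver prefixes over the router's upstream session, then re-advertise them."""
    if not router.session_up:
        return
    if len(prefixes) > router.max_prefixes:
        if router.action == "teardown":
            # Protective disconnect: the upstream session is dropped and every
            # route learned over it is withdrawn, so nothing reaches lower layers.
            router.session_up = False
            router.learned.clear()
            return
        # "warn" mode would log the breach (not modelled) and accepts up to the cap.
        prefixes = set(sorted(prefixes)[: router.max_prefixes])
    router.learned = set(prefixes)
    for child in router.downstream:
        announce(child, router.learned)


def build_network(edge_limit: int, edge_action: str, internal_limit: int) -> list[Router]:
    """Peering edge -> two distribution routers -> four core routers (a tree).

    Returns every router, edge first, so callers can inspect each layer.
    """
    core = [Router(f"core{i}", internal_limit) for i in range(4)]
    dist = [Router(f"dist{i}", internal_limit, downstream=core[2 * i: 2 * i + 2])
            for i in range(2)]
    edge = Router("edge", edge_limit, action=edge_action, downstream=dist)
    return [edge, *dist, *core]


def constructed_burst(size: int) -> set[str]:
    """Constructed /24 prefixes standing in for a peer's oversized announcement."""
    return {f"10.{i // 256}.{i % 256}.0/24" for i in range(size)}


def run_scenario(edge_limit: int, edge_action: str,
                 internal_limit: int, burst_size: int) -> dict[str, int]:
    """Inject a burst at the edge and summarise what happened to each layer."""
    routers = build_network(edge_limit, edge_action, internal_limit)
    announce(routers[0], constructed_burst(burst_size))
    internal = routers[1:]
    return {
        "edge_session_up": int(routers[0].session_up),
        "internal_disconnected": sum(not r.session_up for r in internal),
        "internal_without_routes": sum(not r.learned for r in internal),
        "routes_at_core": len(routers[-1].learned),
    }


if __name__ == "__main__":
    # Edge accepts anything; internal limits are lower than what the edge passes on.
    print("cascade   ", run_scenario(100_000, "teardown", 2_000, 5_000))
    # Edge enforces the same limit and tears down: only the peering session is lost.
    print("edge trips", run_scenario(2_000, "teardown", 2_000, 5_000))
    # Edge caps instead of tearing down: every layer stays up with the capped table.
    print("edge caps ", run_scenario(2_000, "warn", 2_000, 5_000))
```

The three scenarios make the governance point concrete: the cascade only happens when the outermost router is allowed to accept more than the layers behind it can hold. Sizing the peering edge's limit at or below every internal limit confines the damage to the one external session, and the choice between tearing that session down and merely capping it is a policy decision that should be made, and rehearsed, before the event rather than during it.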
There is an old technique of marketing managers in the shampoo industry who are behind their target to get the factory to make the hole in the container a little bit larger. Customers wind up squeezing a little more on their hands and thus needing to buy another bottle sooner.
Telcos can use similar tactics. OTC in Australia developed the international audiotex(t) service to address an international traffic imbalance.
When owned by Cable & Wireless, Optus ignored rules established to protect consumers in the 1900 premium services market and appeared to be complicit in increasing traffic scams.
It has now been revealed that the “international peering network” was operated by parent company Singtel. A task for the review ordered by Minister Rowland is to ensure that the trigger for the event wasn’t some misguided attempt to increase internet transit revenue.
In suggesting that this be investigated, we are not asserting that it was the cause. (As a short aside in response to Optus saying “As a rule, we don’t usually name third parties in media responses”, someone at Optus needs to check on the definition of “third party” because Singtel isn’t one).
As Mark Stewart, Research Fellow at the Centre for Defence Communications and Information Networking at the University of Adelaide noted on Scimex:
Network instabilities resulting from changes to the routing information are a well-known and predictable problem, which is commonly associated with software updates.
A major telco should have a disaster recovery plan which is more sophisticated than your average corporate network. At a minimum, they should have had a plan to revert the changes, or remotely reboot their systems. The statement from Optus in no way clarifies how this event was exceptional, or what preventative measures they had in place to mitigate the impact.
The other telcos must be getting furious with Optus. The AFR reports that the critical infrastructure legislation on cybersecurity will now cover telcos.
Home Affairs minister Clare O’Neil reportedly previously criticised the Coalition for not including telcos through a “sweetheart deal” with then Communications minister (and former Optus executive) Paul Fletcher.
There have already been calls for further regulation, including a suggestion of mandated roaming in these circumstances.
While this might be feasible for parts of a network, particularly in lightly loaded regional areas, providing it for the whole country is not feasible. Telstra and TPG scale their network infrastructure for the traffic demands they actually face; absorbing Optus’s entire customer base through roaming would make it hard for anyone on those networks to communicate.
Capitalism promises that corporations will protect shareholder investments and provide them with returns on those investments by delivering services that consumers want and will pay for.
How that promise is realised is premised on boards, the representatives of shareholders, ensuring that management has satisfactory plans and executes against those plans.
Since Berle and Means wrote The Modern Corporation and Private Property, the principal/agent problem has been well understood.
The principal (shareholders) want management (the agent) to manage the corporation in their interest. Executive bonuses are supposed to ensure this alignment.
Unfortunately, half-yearly (or quarterly) results drive the modern corporation. It is extremely hard in these environments to see how well the corporation manages its risks. Executive compensation, consequently, is also driven by short-term outcomes.
Shareholders are not the only stakeholders whose interests need to be considered. The government, as representative of the Australian people, also has interests. Those interests include cybersecurity and the provision of services by critical infrastructure.
One way to impose these interests is by regulation that creates fines for failures or requires compliance with specific rules. These rules and regulations are the government (the principal) making demands on shareholders (the agents).
There are alternative ways, and these need to be considered as solutions to the disease of short-termism, not just in telcos but all corporations, private or listed. The government can and should directly regulate the nature of executive bonus schemes and ensure that these cannot be paid out in any instance of widespread customer detriment.
Bonus schemes also need to be regulated to include genuine long-term components for the most senior executives; rather than taking the form of options with a notional strike price, these should be genuine deferred compensation that is payable based on company performance after ten years, irrespective of when the executive left.
Some will argue that it is unfair to require an executive’s compensation to depend on the performance of those who came after them.
But that is entirely the point. It ensures executives undertake the long-term strategic planning and risk management that the company needs.
That policy innovation could make a real difference to corporate governance in Australia. Without it, we will only see more corporations trying to outdo the latest innovation in brand management from Optus.
Do you know more? Contact James Riley via Email.