Chanticleer
Optus’ planning failure will hang over Kelly Bayer Rosmarin
CEO Kelly Bayer Rosmarin told a Senate inquiry that Optus never believed an outage of the scale it suffered was possible, raising questions about risk management.
The Senate hearing into the Optus network outage on November 8 was a reminder of the oldest business lessons in the book: it’s not the mistake you make, but how you handle the clean-up.
On Friday, Optus chief executive Kelly Bayer Rosmarin gave the clearest explanation we’ve heard so far about the cause of the outage: a sudden and unexpected shutdown of 90 routers across Optus’ mobile and data networks, which was triggered by upgrades to an international peer network operated by Optus’ parent company, Singapore Telecommunications.
Optus chief executive Kelly Bayer Rosmarin faced a Senate grilling on Friday. David Rowe
As Bayer Rosmarin repeatedly stressed, Optus builds in redundancies to quarantine such an outage to part or parts of the network, rather than the whole shebang. But these failed in a totally unexpected way, eventually forcing Optus to conduct what Bayer Rosmarin described as a “brute force resuscitation of the network”.
There were, quite rightly, questions from the Senate committee about the strength of the redundancies Optus thought it had in place. But there was an underlying acceptance that these things do happen, as unfortunate and unpalatable as they are. The committee’s main focus was on how Optus responded to the outage.
It was Labor Senator Karen Grogan who asked the killer question of the day: Had Optus ever planned and prepared for a mass network outage like the one that occurred?
Well, no.
While Optus has recently run scenario planning on an outage that could take out a single state – its recent tests included the loss of Western Australia and South Australia – nothing like the total shutdown we saw last week had been war-gamed.
“We didn’t have a plan in place for that specific scale of outage. We have high levels of redundancy, and it’s not something we expect to happen,” Optus’ managing director of networks, Lambo Kanagaratnam, said. “For us to lose 90 routers in one outage is not something we contemplate.”
The gap in planning showed clearly on November 8. As Bayer Rosmarin ran through the timeline of the morning in detail, the biggest lesson she was willing to own up to was that not enough of its people had virtual E-SIMs that would have allowed them to switch to alternative networks faster, and so improve their communications.
“You had insurance for yourselves, but your customers didn’t. Do you think that’s a problem?” asked Greens Senator Sarah Hanson-Young, the committee chairman.
Bayer Rosmarin defended her decision not to personally appear in the media, or send out a spokesman to do the same, saying she “prioritised the team’s actual crisis response”.
The Optus media team, she said, decided it could essentially rely on the media to keep customers updated. She even went so far as to thank the fourth estate for its hard work on the morning of the outage.
“It’s actually unusual for a CEO to appear at all during an outage because the public would expect that my focus is on working with the teams to resolve the issue,” Bayer Rosmarin insisted.
But Hansen-Young, Grogan and Liberal Senator Hollie Hughes pressed Bayer Rosmarin on that decision, with Hughes asking why it was left to Communications Minister Michelle Rowland to go on radio to reassure the nation that Optus was working on things.
Bayer Rosmarin insisted the company’s communications response was effective. “Our teams did the best they could with the channels that were available to them. It is frustrating when you have an outage of that magnitude and you’re unable to provide clarity. So, I fully appreciate how frustrating it was for all our customers.”
Hughes was having none of it. “Isn’t that the problem? You provide a service to over 10 million people, and not just individuals, government agencies, emergency services, businesses, and all they got for hours was a couple of lines that said, ‘sorry, our services are out, we’re working on it’. You’ve got to understand, surely, that that just is not good enough.”
Hanson-Young also asked about the apparently contradictory statements between Optus and SingTel over who was responsible for the outage. Bayer Rosmarin said SingTel had approved Optus’ original statement, and the follow-up statement from SingTel was merely a clarification.
“They needed to clarify a statement that they’d already signed off on?” Hansen-Young said. “For a communications company, the communications are pretty lousy. Both at the time of the crisis, and in the aftermath.”
Both Bayer Rosmarin and Kanagaratnam insisted that after a week of forensic investigations and detailed discussions with its technology partners, Optus has put in protections to ensure the outage previously thought impossible would not reoccur.
But the Optus boss had to be pressed by both Hanson-Young and Grogan into finally – finally – conceding that not putting a public face to the company’s initial statements on the outage was “less than ideal”.
“I think that’s a great suggestion, and we will, of course, take that on board,” Bayer Rosmarin said.
Grogan then went to the heart of the question facing Optus: following an outage that the telco never believed possible, and a response that has been so heavily criticised, are the telco’s risk management processes sufficiently robust?
Bayer Rosmarin insisted they are, arguing that Optus has been so scarred by the “very real lived experience as a company” of last year’s cyberattack.
“We as a company completely understand the implications that come from one of those risks eventuating, and we’ve put in the hard work to recover from that once before. So, there is nobody in the company who would have wanted something like this to happen again. Not just because we have risk management processes and strategies to go through, but because we have a lived experience of it as well.”
But herein lies the problem for Bayer Rosmarin and indeed the broader Optus management team.
Bayer Rosmarin performed pretty well in front of an intense session where her interrogators often seemed keen to spark a clash that looks good on the nightly news, even sharing a joke when she needed to check something on her phone.
The speed with which she’s been dragged before parliament raises a fascinating question: should we now expect the boss of every utility company to face this sort of questioning in the future, or is Optus a special case?
Nonetheless, the question of whether Optus learnt enough lessons from that hack remains.
If the cyberattack was so scarring – and it clearly was – why didn’t Optus at least do scenario planning on the sort of large-scale network failure that occurred? Why wasn’t something as simple and obvious as the critical incident team having E-SIMs taken care of? Why wasn’t the media communications plan as fine-tuned as a Ferrari?
Why wasn’t the lived experience that Bayer Rosmarin referred to more evident?
Optus clarified on late on Friday that it had a “comprehensive incident management plans and responses, including crisis management plans and procedures if an event escalates in severity” and “procedures that supports crisis or catastrophic scenarios” that are regularly reviewed and tested.
Fair enough. But did they work?
Nationals Senator Ross Cadell, who showed deep technical knowledge in his interrogating, finished the day with the question that will hang over Bayer Rosmarin.
“Given you didn’t know the weakness in the network, given you haven’t responded to the customers well, given you haven’t reflected your staff’s attitude, isn’t it a time for new leadership at Optus?”
Bayer Rosmarin, who earlier told the committee she hadn’t read The Australian Financial Review report suggesting she is considering her position as CEO, danced delicately around that one, too.
“Well, thank you, Senator, I will take that on board.”
Introducing your Newsfeed
Follow the topics, people and companies that matter to you.
Find out moreRead More
Latest In Telecommunications
Fetching latest articles