Telstra said a cyber security sweep of recently-acquired Digicel turned up “multiple instances of malware resident in its systems”.

Addressing the National Press Club yesterday, outgoing CEO Andrew Penn said the sweep was part of due diligence on the Pacific-based telco, whose purchase was mostly funded by the government.
The sweep bore similarities to activity that Telstra conducted after taking ownership of Pacnet in 2015.
Back then, Pacnet suffered a data breach as the acquisition was being finalised, but the extent was not clear until after finalisation occurred.
“We had done due diligence six months before we completed the [Pacnet] acquisition, however you do not usually get to directly access the systems and network environment of a company you are looking to acquire before you own it. You have to rely on the vendor’s representations and warranties,” Penn said.
“So, the day after we took over Pacnet, our cyber team went in and did a deep end-to-end scan and sure enough identified multiple instances of malware resident in its systems.
“We have also just completed the acquisition of Digicel in partnership with the Australian federal government … and yes, we identified multiple instances of malware resident in its systems.
“Fortunately, our cyber team is very experienced, and we are able to clean the networks and systems of any companies we acquire before we connect them into our own networks.
“However, you would be surprised how many companies do not do this and find their entire business is then infected by malware that has got into the company from a business they have acquired.”
Penn used the speech to foreshadow findings from an annual report of the government’s industry advisory committee on cyber security, which he chairs.
The report will call out a range of cyber risk areas and activity that need government and policymaking focus.
In particular, it will push the government “to substantially lift the level of cyber security resilience across its own operations” and harden its systems against attackers.
“Government needs to be a role model in its own operations, in adopting the Essential Eight maturity model and improving the security of increasingly digital government service delivery,” Penn said.
“The Cyber Hubs that have been established to lead this, coordinated by the government’s Digital Transformation Agency, need to be given more teeth and their work needs to be accelerated.”
Penn also said that implementation of the government’s 2020 cyber security strategy needed attention, to ensure that it resulted in meaningful change.
“It is the committee’s view that the current framework of evaluation and measurement is not yet sufficient for a program of this scale,” Penn said.
Outside of Australia, Penn said the biggest risks were with supply chains and diverging global technology standards.
“The simple fact is that if our future is going to be defined technologically, our access to, and the resilience of, our technology systems is now an issue of national importance,” Penn said.
He particularly called out access to 5G radio equipment and semiconductors.
The global semiconductor shortage has hit telco operators hard, affecting their ability to source both networking equipment and the consumer devices used in the provision of services.
Penn was also concerned that “geopolitical rivalries” are threatening global standardisation efforts.
“There is a real risk that this could drive a bifurcation in global standards around things like the internet, mobile phone technology and privacy standards,” he said.
“Two sets of global standards would mean competing internets, satellite and telecommunication networks, hardware, and operating systems.
“The costs – in every sense – would be enormous and it would put an end to a globalised value chain with all its many benefits in terms of cost, innovation, and compatibility.
“This is a significant challenge for Australian policymakers – and their international peers. It will require skilful diplomacy that is perceptive around governance and standards-setting processes.
“It will require careful navigation of complex geopolitical, technical, and economic landscapes and tensions. And it will require a reimagining of how policies are set within technology frameworks.”