In evidence given in 2015, Australia’s current director-general of security, Mike Burgess, warned policymakers, including present-day attorney-general Mark Dreyfus, of the critical dangers of mandated mass data hoarding, including that it would create a prime target for hackers.

As the government on Thursday rushed to put new regulations in place allowing data sharing between banks and hacked organisations whose customer data has leaked into the wild, that earlier warning from the man who now heads the Australian Security Intelligence Organisation, and who previously ran the Australian Signals Directorate, has resurfaced, raising serious questions about current security risk settings.

In 2015, in his role as chief information security officer at Telstra, Australia’s largest and formerly government-owned carrier, Burgess gave evidence to the Parliamentary Joint Committee on Intelligence and Security that regulations requiring carriers to harvest and centrally store customer metadata were essentially creating a new high-value target, a honeypot, for hackers.

Concentrating risks

While the data is different from that stolen from Optus in its 10 million-victim hack, Burgess’s evidence clearly shows there were grave concerns at the time that enshrining data hoarding in regulatory requirements would ultimately end very badly.

“The issue here is that now we are advertising that, for a customer of Telstra, there is a whole range of data, depending on what services they have, that for two years we can make available upon lawful request,” Burgess said in 2015.

“If I were that way inclined as a hacker, you would go for that system, because it would give you the pot of gold as opposed to working your way through our multitude of systems today to try to extract some data.”

At the time, many of Australia’s internet, technology and telecommunications stakeholders were fighting tooth and nail against requirements pushed by the Australian Federal Police that would force carriers and internet service providers to retain and store customer metadata for two years in case it was needed under warrant at a later date.

Telstra was vehemently opposed to the idea, on a number of grounds ranging from cost and operational imposts to the creation of potent new national security and criminal hacking threats, which Burgess systematically detailed.

Concerns on the record

Significantly, the carrier and Burgess opted to voice their concerns openly and put them on the public record rather than give their evidence in camera.

“Recognising that the data is of interest to law enforcement and security agencies, it would also be of interest to other people. The internet is a very busy place for those who choose to do harm—malicious activity,” Burgess said.

“The key factor here, though, is that we would be providing a system that actually allows Telstra to collect, process and make available that data to the agencies upon lawful request, and hackers would take advantage of that. If I was after that information, I would go to the system that could provide that easily.”

The then Telstra security chief also detailed his concerns about centralising retained data in pools, including the difficulty of securing the point where that data is aggregated.

“They are just like everyone else: they will go for the least effort to extract that data,” Burgess said of the hackers. “Because of that, we would have to put extra measures in place around that point of aggregation to make sure that that data was safe from those who should not have access to it.”

They would, because I would: know your adversary

When pressed by Philip Ruddock, attorney-general between 2003 and 2007, on what made centralising data such a big issue, Burgess was explicit about the risks being created.

“I know that because if I were in a foreign intelligence service wanting to hack Telstra’s network, this new proposed system would be where I would go,” Burgess said of the then theoretical metadata retention capability.

With Optus’ name up in lights, and its customer data now in the wild, it’s not hard to guess what’s keeping Telstra’s current chief information security officer, Narelle Devine, or its former one, awake at night.

Whether the regulatory changes now being pushed through to allow greater data sharing to mitigate fraud will make a difference remains to be seen.

