Experts are questioning what role global cloud service providers can continue to play in key government and defence markets in light of Australia’s tough new data sovereignty standards.
Given how dependant their business model is on “follow-the-sun’’ support based in multiple centres around the world, it is unclear how the tech titans can adapt to a future defined by the federal government’s new Hosting Certification Framework, and Australia’s ambition for greater self-reliance in a time of increasingly uncertain global relationships.
The security flaws inherent in follow-the-sun practises cannot be ignored, and are not easily mitigated. This has long troubled many insiders in agencies including the Australian Signals Directorate, the Australian Cyber Security Centre and Defence. Nonetheless global cloud players have continued to argue that follow-the-sun is a manageable threat even as evidence mounts of Australian government data sovereignty being put at risk or actually compromised, says critical cloud infrastructure expert Carl Jackson.
“Government has been asked to accept the assurances of these foreign-owned service providers at face value, but many lead agency experts in cybersecurity continue to monitor this risk and have become ever more concerned,’’ says Jackson.
A scenario commonly discussed in this regard is a cloud support engineer in a Non Five-Eyes country who has access to a protected Australian government data set that could fetch many times his or her annual salary if sold on the dark web.
Federal officials have identified incidents of federal agency email services being routed via relay servers in China, in breach of their contractual obligations. It brings into question whether all the undertakings on Data Sovereignty by the tech titans can be trusted.
These concerns led to the drafting of the Hosting Certification Framework (Framework) under the auspices of the Digital Transformation Agency, with the aim of helping agencies to mitigate supply chain and data centre ownership risks, and to source appropriate hosting and related services.
Jackson says the risks to data sovereignty posed by offshore IT support have been a reality for many years, although there has been little or no transparent disclosure of them.
“So it comes as a great relief to many people working in this space that the issue has now been formally addressed and spelled out in black and white for all federal government public servants,’’ he says.
“From June 2022, all ISM Protected government or Defence data must be handled under the guidelines of the Framework, which presently only recognises five approved secure cloud service providers.’’
This exclusive group of approved providers includes secure cloud specialists Vault Cloud, where Jackson serves as Defence and National Security BDM, and which guarantees all its clients support by security-cleared Australian citizens based in Australia.
A series of disputes between Canberra and the US-based tech titans in recent years have centred around diverse issues ranging from taxes to journalism laws and online advertising.
These conflicts have resulted in threats to withdraw or restrict services to Australia, and helped foster a growing realisation that Australia can not afford to rely on foreign entities when it comes to critical services and infrastructure. The handling of Protected, Secret and Top Secret government data is a case in point.
Australia’s Secretary of the Department of Home Affairs, Mike Pezzullo, explained the deep concerns about the global cloud providers’ approach to business that led to the new Framework when addressing a Senate Estimates hearing earlier this year.
“How they make their money is frankly by moving data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity,’’ said Pezzullo.
“And that’s a perfect illustration of the tension here between the private commercial interest and the public interest.’’
Sharp criticism has come from Minister Stuart Robert who recently publicly confirmed the long-running breaches of Australian data sovereignty by multinationals with his demand that “routes that go through exchanges such as Shanghai Telecom” cease immediately as required under the Framework.
Even if these firms do undertake to abide by the Framework, says Jackson, how can Australian Government officials transparently validate that they no longer rely on follow-the-sun support or routing via untrusted nations, given how fundamental it is to the very DNA of their business models.
“In the past these companies have simply continued with their global business practices and did not disclose to government that they were not complying with data sovereignty rules,’’ he says.
“How can you trust a company’s assurances if you’re aware they have been misleading you for years?”
