Tag Archive for: cloud computing

States vulnerable to foreign aggression embrace the cloud: lessons from Taiwan

Taiwan is among nations pioneering the adoption of hyperscale cloud services to achieve national digital resilience.

The island faces two major digital threats: digital isolation, in which international connectivity is intentionally severed or significantly degraded (for instance, if all submarine cables are cut), and digital disruption, in which local infrastructure, such as data centres, is inoperable.

To counter this, Taipei is shifting critical public systems and government data to global cloud platforms, and turning global cloud providers Microsoft, Google, and Amazon into partners in national resilience. But this reliance on foreign tech giants raises questions about sustained sovereignty in times of crisis.

Taiwan has learned from Ukraine’s digital survival before and right after Russia’s full-scale invasion in 2022. When threats to Ukraine’s physical and digital critical infrastructure escalated, the government in Kyiv rushed through amendments to its data protection law, permitting government data to be stored on public cloud platforms. This amendment allowed Ukraine to shift critical data and services to cloud infrastructure across Europe. So essential government functions, public services and important private sector functions remained available even when its local physical infrastructure was under siege.

Building on these insights, Taiwan in 2023 launched a four-year, NT1.34 billion ($65.7 million) plan to transition 18 critical civilian government information systems to the cloud in 2023. This includes services such as national health insurance, vehicle management and border control systems. The effort is intended to ensure continuity of essential digital services during disasters and emergencies and to enable swift operational recovery in the case of outages.

According to a press release, this involves ‘cryptographic splitting and data backup mechanisms’. Although details are scarce, the Taiwanese government is presumably distributing encrypted backups of critical national data offshore stored across various cloud providers and retaining exclusive access to the decryption key. As part of this effort, former minister of the Ministry of Digital Affairs Audrey Tang suggested Taiwan would conduct contingency drills that would involve rerouting operations to alternative locations, such as Japan or Australia.

While hyperscale cloud services offer resilience against cyber and physical threats, they prompt questions around data sovereignty and personal data protection: how can a government keep control over data and services managed through foreign commercial infrastructure? How can privacy laws be enforced when data is outside of a nation’s physical jurisdiction?

Taiwan has taken a pragmatic approach, allowing data-holding entities to use foreign cloud infrastructure as long as they can strictly adhere to Taiwan’s privacy requirements. For instance, in 2023 the Financial Supervisory Commission amended its rules to allow the financial industry to use foreign cloud platforms for some operations, provided they met information security regulations, particularly regarding de-identification processes and personal data protection.

Cloud providers are acutely aware of contentions around digital sovereignty and have responded by offering ‘sovereign hyperscale cloud’ solutions. These involve security controls specifically implemented to meet local regulations and requirements, such as restricting data access and management to security-cleared local personnel operating from their national jurisdiction. The Australian Department of Defence is one enterprise that intends to implement sovereign hyperscale cloud, alongside sovereign cloud from domestic cloud providers as part of its cloud strategy. The willingness of global hyperscale cloud providers to adapt their offerings reflects their increasing role in national security.

In Taiwan, the Ministry of Digital Affairs is taking advantage of this adaptability. They have worked to bring the three major cloud providers (Google, AWS, Microsoft) into Taiwan and are actively encouraging them to build local partnerships with the satellite communication vendors to create locally resilient systems that can switch to satellite communications during emergencies and prioritise essential data transmission. These measures are particularly important for a country that imports 98 percent of its energy and faces regular challenges from natural disasters, such as earthquakes and typhoons, as well as military and hybrid threats. By establishing redundant systems through cloud and satellite infrastructure, Taiwan can maintain critical government functions even when local systems are compromised.

Cloud providers face operational risks when supporting nations vulnerable to aggression. When AWS and Azure took over the hosting of Ukraine’s critical systems and data, their cloud infrastructure became a target of state and non-state cyberattacks. Yet this exposure provides valuable cyber threat intelligence, which is then used to improve security products, benefitting other customers.

The deepening integration of technology in national security and digital resilience introduces new dynamics to the relationship between states and global technology providers. These companies are no longer just technology providers; they are custodians of critical national assets. This shift demands a mature framework of collaboration: one that considers tech companies as potentially essential partners in national resilience, including as part of the digital supply chain. This inherently comes with mutual commitments centred around trust, accountability, oversight and responsibility that are sustainable during times of crisis.

Taiwan’s integration of hyperscale cloud into their national resilience strategy shows how nations can leverage leading global technological capabilities while maintaining oversight over their critical systems and sensitive data. This model may well define strategic autonomy in an age where digital resilience depends on foreign-provider infrastructure.

Cloud and 5G convergence is a national security imperative

The convergence of cloud computing and 5G technology is set to revolutionise Australia’s digital landscape, transforming how the nation communicates, operates and defends itself. While this technological leap promises great benefits, it will also bring security challenges that could, left untreated, undermine our national interests. To capitalise on the potential of these innovations while protecting national security, the government must act strategically and decisively.

Cloud computing has already reshaped industries by offering on-demand access to computing resources, enabling faster innovation and improved efficiency across sectors. With the rollout of 5G, this transformation will accelerate.

Next-generation 5G networks promise faster speeds, higher capacity and ultra-low latency, facilitating real-time communication and processing across various applications.

Together, the cloud and 5G will provide the foundation for breakthroughs like the internet of things (IoT), artificial intelligence, and smart infrastructure. These advancements will offer enhanced connectivity, real-time data processing and an ability to analyse massive amounts of data in previously impossible ways. They will transform everything from healthcare and manufacturing to transport and urban planning, improving decision-making and optimising resource use on a national scale.

This digital revolution is not without its risks.

The expanded reliance on cloud infrastructure and 5G networks creates a significantly larger attack surface for cyber adversaries. These technologies are integral to energy, transport and communications services. A successful cyberattack could have devastating consequences, compromising national security, economic stability and public safety.

The complex and interconnected nature of cloud and 5G ecosystems, which involve multiple vendors and international supply chains, makes them vulnerable to exploitation. Weaknesses in these systems could be abused to disrupt services or access sensitive data.

Additionally, as Australian organisations increasingly move their data to the cloud, concerns about data sovereignty and privacy arise. Securing sensitive information from foreign surveillance and ensuring that Australia’s data remains under its control is crucial in an era of geopolitical competition in cyberspace.

China’s growing dominance in cloud and 5G technologies presents a particular threat. As China expands its influence in global technology markets, it can embed vulnerabilities or backdoors into critical infrastructure. Given the Chinese government’s track record of exploiting technology for strategic advantage, Australia must carefully scrutinise any technology from Chinese companies. This digital influence could give China leverage over global supply chains, leading to espionage, intellectual property theft and the disruption of critical services.

To counter this growing digital influence, Australia must diversify its technological partnerships, reduce its reliance on Chinese-made technologies and work closely with like-minded nations, particularly its Five Eyes allies.

The Australian government must adopt a proactive, whole-of-government approach to address these national security challenges.

First, it must develop and implement a comprehensive cybersecurity strategy addressing the challenges that cloud and 5G technologies pose. This strategy should focus on securing critical infrastructure, protecting supply chains and ensuring data sovereignty. The government should also develop and enhance its cybersecurity capabilities, ensuring that the country can respond to emerging cyber threats quickly and effectively. This includes strengthening threat intelligence, vulnerability assessments and incident response capabilities.

Collaboration will be crucial in managing these risks. The Australian government should foster closer collaboration between industry, academia and international partners. As part of its ongoing work within the Five Eyes intelligence-sharing alliance, Australia should continue to engage in joint initiatives to strengthen cybersecurity frameworks, share threat intelligence and develop common standards for securing cloud infrastructure and 5G networks. These partnerships will ensure that Australia is not alone in confronting cyber threats.

The private sector also plays a central role in securing critical infrastructure. Public-private partnerships should be encouraged in order to enhance cybersecurity resilience across industries, ensuring that businesses can handle the evolving cyber threat landscape.

In addition to promoting international and industry collaboration, the Australian government must strengthen its domestic technological capabilities. This includes investing in Australian-owned cloud services and 5G solutions not subject to foreign influence or control. By diversifying its technological partnerships and building homegrown capabilities, Australia can reduce its exposure to foreign vulnerabilities, particularly from China, and ensure a more secure and independent digital infrastructure.

Finally, public awareness and education on cybersecurity should be a priority. The government must ensure that all sectors of society, from government agencies to private businesses and individuals, understand the risks associated with cloud and 5G technologies and are equipped to protect themselves. National cybersecurity awareness campaigns and training programmes should be expanded to ensure that the Australian public, both as consumers and as part of the workforce, are equipped with the knowledge to recognise and mitigate cyber risks.

The convergence of cloud and 5G technologies offers Australia an unprecedented opportunity to enhance its national security and technological capabilities. However, it also introduces risks that require immediate and sustained attention. By adopting a proactive and comprehensive approach to cybersecurity, strengthening international partnerships and investing in domestic capabilities, Australia can secure the benefits of this digital revolution while safeguarding its sovereignty and national security.

The time for action is now—Australia cannot afford to wait as these technologies reshape the future of global competition and security

Mitigating Australia’s cloud-computing risks is still work in progress

The appeal of cloud computing is undeniable. It provides remarkable scalability, cost-efficiency and agility, qualities that attract government and business. However, for all its benefits, there are also risks, not least of which is maintaining sovereignty over Australian data.

The Australian government is working on mitigating the risks but needs to do more. Further necessary measures include improving cloud-computing regulation and encouraging development of entirely Australian services.

Data sovereignty is the principle that information is subject to the laws and regulations of the country in which it is collected and stored, ensuring that individuals and organisations maintain control over their data within national boundaries. It’s important because, as former prime minister Malcolm Turnbull said, ‘Data is the new oil. It’s the currency of the digital age, and we need to make sure that it’s controlled by Australians for the benefit of Australians’.

Relying on foreign cloud providers raises serious concerns about who ultimately controls our data and the systems that host it.

Some foreign governments can use extraterritorial law to compel cloud service providers to disclose data, even contrary to Australian law. Furthermore, foreign governments may pressure cloud providers to manipulate or disrupt services—for example, in war.

Debates around data sovereignty have persisted in Australia for nearly a decade, reaching a peak around 2020 during the COVID-19 pandemic. In response to this debate, hyperscalers—as the largest cloud services, such as Oracle, Amazon Web Services, Google Cloud and Microsoft Azure, are known—have invested time and resources to reshape the foundational elements of cloud infrastructure. They are now implementing technical controls designed to prevent offshore data replication and restrict transmission of telemetry data containing personally identifiable information beyond national borders.

The Australian Hosting Certification Framework aims to establish robust guidelines and standards for secure domestic storage and management of sensitive data. However, its weaknesses include limited enforcement mechanisms and a lack of comprehensive coverage for all data types, leaving potential gaps that malicious actors could exploit.

Even with strong contracts and data residency requirements, risks of unauthorised access, data breaches and foreign surveillance remain. This erosion of data sovereignty undermines our ability to protect sensitive information and uphold our legal and regulatory frameworks.

The Australian government must be fully aware of where its and its citizens’ data is stored, who has access to it, and the safeguards to protect it. Cloud providers often struggle to reconcile these requirements, which is arguably affected by governments’ lack of understanding of cloud technology and its technical strengths and weaknesses.

Until 2020, Australia relied on the Certified Cloud Services List of products that the Australian Signals Directorate (ASD) had certified. However, ASD struggled to keep pace with demand for certifications, keeping products on the shelf and reducing competition between firms that could supply the government. Although the list has been replaced by the Infosec Registered Assessors Program (IRAP), the problem of slow processing may persist due to a shortage of IRAP assessors.

The government must carefully consider the broader implications of its policies. If the process remains cumbersome, businesses may choose to take their operations elsewhere.

The ASD stresses this need for transparency in its cloud security guidance:

Transparency is essential to building trust in cloud services. Agencies should clearly understand the security controls implemented by cloud service providers and their ability to meet the agency’s security requirements.

Recognising the shared challenges of data sovereignty, members of the Five Eyes intelligence alliance are collaborating to forge a unified approach. They are sharing information on threats and vulnerabilities, developing secure cloud technologies and promoting interoperability among national cloud infrastructures. By working together, the Five Eyes nations—Australia, Canada, New Zealand, Britain and the United States—enhance their collective resilience against foreign interference while preserving their individual sovereignty.

Australia must augment the Five Eyes’ efforts with a comprehensive strategy to protect its data sovereignty and control in the cloud.

First, it needs to strengthen its legal and regulatory frameworks to address the challenges that cloud computing poses. This includes clarifying data ownership and access rights, enhancing data-breach notification requirements and establishing clear guidelines for cloud service providers operating in Australia. It is important to note that hyperscalers and the Australian government continue to work together to address the challenges of cloud computing in standards-setting bodies.

The government should also continue promoting development of sovereign cloud solutions owned and operated by Australian entities. This will ensure that our data remains within Australian jurisdiction and under our control.

Third, continued investment in cybersecurity capabilities is vital. We must invest in advanced cybersecurity technologies, threat intelligence and workforce development to counter evolving cyber threats.

Finally, international cooperation is not just beneficial; it’s essential. Australia should continue its commitment with Five Eyes partners and other like-minded nations to establish common standards and frameworks for data sovereignty and cloud security. This collective effort will help foster a more secure and resilient global digital ecosystem.

As Australia continues to navigate the complexities of a digital future, the challenge of data sovereignty must be a priority.

A sovereign Australian government data framework

The federal government set an example for state and territory counterparts in early June when it announced that all relevant government data under the Digital Transformation Agency’s hosting certification framework will soon need to be stored only in either ‘certified assured’ or ‘certified strategic’ data centres.

The government’s move follows concerns about the acute data challenges confronting the Australian public sector, including data sovereignty, supply-chain vulnerabilities and cybersecurity threats. The challenge once faced by Australian governments was completing their digital transformations; now, it’s about figuring out how to adequately protect government systems that are hosted in the cloud.

More and more countries are addressing these data and digital issues through policy and regulation. Data localisation and targeted government procurement of digital goods and services are two ways governments may seek to secure their data, and the systems and infrastructure that rely on it.

Data localisation means keeping data within Australian borders—not just when it’s stored, but also when it’s processed. Targeted or sovereign procurement means not just selecting contractors that are operating in Australia but selecting those that aren’t subject to the legal influence of foreign jurisdictions.

But these policies are often condemned in international trade law circles as discriminatory trade barriers. Government policy claiming to pursue the legitimate objective of data protection may be accused of promoting data protectionism in disguise. With Australia continuing to push ahead with trade liberalisation and wishing to maintain its reputation for honouring its international trade obligations, government data challenges will need to be addressed through balanced and proportionate measures.

I argue in a forthcoming report that a level of digital sovereignty is required for securing and developing Australia’s national interests. The report also finds that Australia retains the regulatory autonomy under international trade agreements to adopt digital sovereignty measures that balance its liberalised trade agenda with its national interests.

The federal government now requires relevant government data to be hosted only by certified data companies. This is data at the ‘protected’ level or data belonging to whole-of-government systems.

This two-fold classification is a recognition of two realities. First, the threats posed by failure to protect government data are very different to those for other types of data. Second, there are particular vulnerabilities inherent in hyperscale cloud systems, where information belonging to various agencies is hosted together.

An inability to monitor, control and protect overseas data centres is an overt practical risk of using foreign clouds. It means uncertainty about the operational reliability of overseas data centres. Physical attacks, shutdowns, blackouts, natural disasters and regulatory interference are less able to be managed far away.

There are also risks of foreign interference by overseas governments and private actors, which are often legal in nature. Foreign agencies can exercise authority over cloud and data companies that are legally subject to foreign jurisdictions.

Australia’s proposed bilateral agreements with America under the US CLOUD Act is an oft-cited example. Under that law, a US-based company can be asked by US authorities to relinquish access and control over data regardless of where the data is located.

Other vulnerabilities relate to weak points in the distributed supply chains of multilayered cloud systems, or the security defects of large-scale cloud providers that house multiple tenants’ data simultaneously.

Importantly, accepted technological principles that emphasise security processes over data location don’t account for other, non-cybersecurity-related risks. Data stored outside Australia may be stored in countries with political, social and economic interests that don’t necessarily align with Australia’s national interests, or by providers with obligations to such countries. Foreign facilities and personnel may not be subject to the same legal, regulatory and physical controls as domestic suppliers operating onshore.

So digital sovereignty concerns are intensifying because of the inherent risks associated with hosting government data in foreign clouds, and the threats that those risks pose to Australia’s national interest.

It’s this combination of urgent risks and threats that gives Australia sufficient latitude under international trade law to introduce proportionate, tailored digital sovereignty measures for the public sector rather than data protectionism.

Cybercrime and commercial cyberespionage against private citizens and enterprises are serious issues in their own right. But the consequences are potentially much graver when they affect government data.

Australian defence and intelligence agencies continue to rely more heavily on cloud computing and other emerging digital technologies to carry out operations. And digital technology is part of Australia’s offensive and defensive cyber arsenals.

This dependence on digital technology is expanding even more rapidly in critical infrastructure sectors, where cloud technology and various cyber–physical systems are being used to control infrastructure. Recent remote attacks on power plants, refineries and gas pipelines have highlighted some dangerous vulnerabilities.

Measures designed to afford competitive advantages to domestic businesses may be seen as merely protectionist. However, the line between building stronger domestic digital sectors for industrial policy purposes and securing an adequate level of strategic autonomy is quickly fading. The widespread integration of digital technologies and their central role in government and other critical sectors has illustrated the legitimacy of protecting or promoting domestic capacities.

The federal government’s tightening of its certification framework is a welcome acknowledgement of these risks and legitimate policy concerns that remains to be embraced by governments at the subnational level.

However, there is now an opportunity for all Australian governments to improve on the federal approach. Companies certified under the current framework don’t need to be Australian owned and controlled or even have their operations exclusively in Australia.

A better approach, and one that’s commensurate with the risks, would be much stronger provisions to ensure that data hosts are Australian owned and based.

The personnel and supply-chain assessment procedures and strict requirements that limit changes in ownership and control under the current framework may be sufficient to maintain Australian government control over its own data. But as they currently stand, the existing arrangements fall short of a truly sovereign framework for government data.

Building digital government services for peak demand

Early in the Covid-19 pandemic, the myGov website was overwhelmed when worried Australians attempted to access the service. In 2016, the online census system was taken offline on census night after problems arising from a small distributed denial-of-service attack (one designed to overwhelm a website with fake traffic).

With the 2021 census coming up on 10 August, we decided to examine what lessons could be learned from these failures, especially the problem of coping with unexpected digital demand. This thinking is captured in a short ‘explainer’ report ASPI’s International Cyber Policy Centre has released today.

The traditional model of government digital service delivery has tried to predict demand and then build a system that’s the right size to cope with it. Ironically, this seemingly sensible approach is destined to fail. There’s a better way to build such services.

A failure to forecast demand correctly is costly and results in either service failure (when real demand is greater than forecast) or expensive overcapacity (when real demand is less than forecast).

Different types of government services will have different expected patterns of demand.

Services such as Centrelink and Medicare might be expected to have relatively constant demand, although with some seasonal and holiday variation over the year. The Taxation Office has a peak quarter, but also significant ongoing activity throughout the year. Some services, such as the census and the electoral roll can reliably be expected to have large peaks in demand at a predictable time.

Emergency services can expect very large spikes in demand, but they don’t know when they’ll occur or how long they’ll last. Being able to satisfy this demand and provide information to citizens during a crisis is an overriding priority for these types of services.

In the case of the census, there’s a long lead time and a set start time, and it only needs to be available for a predetermined amount of time.

However, even ‘good’ forecasts—forecasts that correctly predict regular peak demand— can’t correctly predict demand in a crisis. This was evident in the myGov failure early in the Covid-19 pandemic, but it seems unreasonable to expect every government service to be built to handle the demands of a possible once-in-a-century event like a global pandemic.

The hard truth about needing to correctly size a service to meet demand is that it is guaranteed to fail in the face of an unexpected crisis—which is when we’d most like a service to be working.

Fortunately, there’s a better way that uses technology to avoid having to make upfront guesstimates about expected demand.

‘Cloud’ services provide capacity that can vary gracefully with demand. They can manage ‘peaky’ workloads that are expected to vary by orders of magnitude and have a proven track record in coping with highly variable demand. They are used, for example, by online gambling sites to handle the demand of the Melbourne Cup and by video game companies to handle online concerts with over 10 million concurrent users.

In addition to the benefits that come with handling unexpected demand, the use of cloud services would allow more efficient and effective use of the public service’s scarce cybersecurity expertise. These skills are spread across various departments and are focused on maintaining and securing each department’s separately built and maintained systems. This involves duplication of effort and silos of expertise that can’t be applied broadly across the public service.

The government’s 2020 cybersecurity strategy notes that pooled delivery can make better use of cybersecurity skills by encouraging the use of ‘secure hubs’. Building services across a common infrastructure would develop a depth of expertise and allow the building blocks of capability to be shared beyond a single service.

The government has also formally recognised that cloud services offer the best model for efficiently handling uncertain demand in its secure cloud strategy. There are likely budgetary, skills and cultural issues that need to be addressed so that critical government services don’t fail when we need them most.

What Australia’s intelligence community wants for Christmas: a secure private cloud

Christmas sometimes brings presents you don’t expect—this year, for me, an excitingly titled ‘Request for expressions of interest’ that appeared on AusTender is one of them. It’s about Australia’s peak intelligence agency, the Office of National Intelligence, beginning an essential, radical and rapid shift into cloud applications and services at the highly classified top secret level of capability. That’s big news.

It’d be interesting but not so important if this approach were just about ONI, but it’s not. The AusTender documentation says the aim is for all 10 agencies that make up Australia’s national intelligence community to be part of a highly secure private cloud.

This is a recognition of two things by ONI—and no doubt by the prime minister (whose portfolio includes ONI) and cabinet’s National Security Committee. The simple power of cloud services and software is essential for Australia’s intelligence agencies if they are to remain capable actors in today’s technological environment. And a secure private cloud across the 10 agencies maximises the ability to combine their top secret, secret and open-source datasets. Both things were at the heart of the ASPI report John Coyne and Albert Zhang wrote with me back in May.

That shows a foundational understanding that Australia’s intelligence agencies can only retain their ability to give the Australian government ‘insight advantages’ over others by combining the unique classified datasets collected by agencies with open-source data everyone else can access. Doing this involves using new analytic tools and techniques to complement the expert human analyst approaches that are common across the intelligence world.

The request from ONI puts this pretty simply, saying, ‘The NIC is seeking to accelerate its ability to transpose and extract relevant data from complex data sources. It sees common toolsets for data filtering and manipulation to extract relevant useful information as a force multiplier.’ It later notes that the private cloud will need to use robust cross-domain processes to shift data—and applications—from the ‘low’ unclassified side to the ‘high’ side to work with classified data and applications.

Conceptually, ONI understands that the advantage of any private cloud approach comes in part from aligning it to the ‘public cloud’ services and approaches used much more widely. That’s because it allows interesting software applications and other innovations developed in the wider world to be moved rapidly into the intelligence agencies’ systems, after verification around security. ONI calls this being able to develop on the low side and apply on the high side, to allow our intelligence agencies to take advantage of rapid change in the external technological environment. This will help any initial private cloud system remain capable over time.

The concept of aligning with approaches used at scale in the wider world continues into how this powerful new infrastructure and software as a service will be purchased. It’s refreshing to see the Australian government moving ICT procurement out of the ‘boom and bust’ capital procurement world, where a large upfront investment gets companies to build big systems and then the government ekes the capability out of legacy systems over an extended period, before recapitalising at scale and doing the whole thing again.

Instead, ONI wants a minimal upfront cost, with payment for cloud applications and services being made as personnel in agencies ‘consume’ them. And it wants the charges for this demand-driven approach to ‘align’ with the costs of cloud services in the wider world.

ONI has clearly also looked at and learned from the experiences of cloud users elsewhere in the Australian government and of Five Eyes partners like the US and UK. So, it’s deliberately not after one big proprietary partner that delivers the cloud infrastructure, services and all the software. Instead, at least at the services level, it wants the ‘multivendor’ approach that the US and UK have both moved towards for software and apps, where these tools are provided by third-party developers to be used by intelligence agencies on the new cloud platform.

The news is good for Australian sovereignty. Any provider has to deliver a solution that is hosted in Australia, geographically dispersed, and able to operate disconnected from the wider world, with this managed by holders of Australian security clearances. That’s not a trivial requirement for ‘hyperscale’ global cloud providers, as it means they can’t build a solution around software and services flowing to other parts of the globe using their dispersed technical infrastructure without Australian agency control or visibility.

And there’s a low-key reference to something that should have not just Australian human intelligence operators in a place like the Australian Secret Intelligent Service interested, but also have the attention of the huge defence organisation. The AusTender document talks about a priority being ‘edge computing’. That term wraps up a lot. It’s about this cloud approach going mobile, not just being for Canberra HQ. And so it probably means baking 5G-type functionality into the intelligence community’s technology base.

So far, only 5G technology (and 6 or 7G in the future) can really deliver the powerful edge computing capabilities ONI seems to want for the intelligence agencies. And that type of capability is exactly what Defence needs to release the power of its huge data pools and deliver combat effects for a military that needs to be mobile and present across our region. So, any aspiring providers of this new secure private cloud will need to have designed their approach to work with 5G as a core design principle—and if it delivers, there’s a much larger market for the approach in Australia’s wider national security community.

What might go wrong or be an obstacle to delivering the effects that this new approach promises? As usual, the big risks are not about technologies or systems but about the people using them. In this case, there’s a risk that the multi-tenant approach ONI is asking for could result in individual agencies building big ‘private rooms’ in the intelligence community cloud and doing less than they should in the collaborative—family room—part of the cloud.

You can see that’s a real risk if you have waded through much of the Tolstoy-length intelligence review released earlier this month, which observes, ‘Too often, Australian agencies look over the fence and want what another agency has so that they can, effectively, do their own thing in isolation of others.’

Overcoming that tendency is a matter for leadership: agency heads across the national intelligence community need to show by personal example that they get the essential ideas that this new approach from ONI brings—even as it means their individual agency ‘silos of excellence’ must cede some control (and a lot of data) for the common good.

ONI has given potential providers a busy Christmas, because it wants responses by 8 February and then seems ready to run a rapid procurement process from there. While that may be putting pressure on providers’ holidays, I’m pretty sure that the refreshing and well-crafted approach ONI is taking will be recognised, and may even bring a bit of Christmas joy to the staid worlds of ICT and government contracting.

Why Australia’s national security agencies need the cloud

There’s been a lot of talk lately about lots of submarines and fighter jets playing a role in Australia’s security. But in all the excitement of contemplating future battles between fleets of submarines and fortuitously small invasion armadas from the People’s Liberation of Army, little thought has been given to an emerging vulnerability in Australia’s national security apparatus brought about by the global change in ICT.

The world of computing was reinvented about a decade ago with the arrival of cloud computing. Since then, there’s been a shift away from dedicated computing resources (think the home computer that sits on your bench) to on-demand allocation of computing resources by a cloud service provider.

The advantages are big, although, as with all magical technological advances, there are downsides. Having on-demand computing power allows high processing power and speed to be applied quickly to meet a particular need, and then to be reallocated elsewhere when they’re no longer needed.

Much more complex functions, like big-data analysis, can be done rapidly and routinely without an enormous investment in standalone supercomputers, and more needs can be met from a given fixed stock of ICT power. Cloud architecture is an essential part of what makes Amazon, Microsoft, Alphabet, IBM, Apple, Facebook, Samsung, Alibaba, Baidu, Huawei, Tencent, Oracle, Cisco and SAP so powerful and able to service millions of customers’ needs simultaneously.

On top of this, though, another phenomenon of equal importance is that applications—the programs that run on whatever system you have access to—are being increasingly optimised for cloud-based architecture, not for the now-legacy, and increasingly niche, fixed systems used by many governments across the globe.

Governments and their officials either have been reluctant to give up owning their own servers and data centres or have outsourced them to data centre providers. They tend to look on cloud providers with some trepidation, partly because of concerns about data security ‘in the cloud’ and partly because of concerns about the overall lack of visibility of how risks are managed across a fairly opaque service model.

So, here in Australia we’ve seen moves to end contractual arrangements with data centre providers when ownership changes occur, along with a continuing debate over the use of in-house versus contracted-out data centres.

But the bigger issue—our national security capability—has been a bit of a sleeper here to date, and that needs to change. The situation reminds me of government policy on mobile phones, which was a tale of policy being dragged reluctantly forward by manifest changes in the market. Mobile phones weren’t welcome in much of the national security community, not just in the limited top secret facilities of intelligence agencies and other areas of big agencies.

Then they were allowed in more broadly because their use became pretty ubiquitous, and the debate moved to what to do about phones with cameras. The security policy world kept it simple. It banned mobiles with cameras. That worked until it became very hard to buy a smartphone without a camera. The policy folded, despite the reluctance of security policy experts. Under controlled conditions, it’s now possible for mobiles to be used in top secret agencies.

I think we’re at the same point with cloud computing. The overwhelming advantages national security agencies will get from the capabilities provided by a secure cloud infrastructure, compared with traditional computing power allocated to specific agencies and functions within them, are clear. A high-technology fifth-generation military with the intelligence capabilities it will need (as proposed in the 2016 defence white paper) requires cloud infrastructure to work effectively. And Australian agency folk know enough about this from their exposure to US agencies with secure cloud infrastructure to get the point.

The big companies mentioned earlier develop and implement their cutting-edge technology on cloud infrastructure. They can be providers of this infrastructure because they are developers and users of it themselves.

Even from a very narrow perspective, not moving the Australian national security community to cloud infrastructure will consign, a few years from now, agencies to commissioning bespoke Australian-only software to run on legacy ICT platforms. Meanwhile, their counterparts in the US—and potentially other Five Eyes partners—will all be able to use applications optimised for cloud architecture systems. It’ll be like getting retired Windows 7 software engineers to write new versions and keep them running on today’s computers.

If that isn’t convincing enough, potential adversaries’ militaries, intelligence agencies and national security communities will have capability advantages over their Australian counterparts simply because they either already have or will have adopted cloud infrastructure.

I’m not sure, though, that the Australian government’s secure cloud strategy can be usefully applied in Australia’s national security agencies.

It encourages each agency to make its own decisions in accordance with its own ‘vision and strategy for cloud adoption’. That approach is unlikely to maximise federal purchasing power or drive agency cooperation in an area in which a critical mass of investment is likely to be important.

It also says agencies should ‘consider public cloud first and in preference to any other cloud deployment model’ and simply adds that ‘agencies should ensure the public cloud service has the appropriate security’. That means existing government security frameworks and policies designed for the non-cloud IT world are just imported to this entirely new business model.

Leaving those issues aside, four big obstacles are likely to be in the way of Australia’s national security community moving to cloud infrastructure. The first will be money. A move like this isn’t in the budget plans of any agency or group of agencies—and Treasurer Josh Frydenberg just said he’s already kicked in to raise the defence budget and is in no mood to add more.

The second is agency independence. Cloud infrastructure for the national security agencies will be best done as a joint initiative that at least includes the national intelligence community and the defence organisation.

That’s a massive organisational and cultural shift to greater collaboration and interdependency, beyond the wildest thoughts of the authors of the 2017 intelligence review. Agency or portfolio control and ownership of functions is a bureaucratic battleground littered with skewered careers and reputations. And some nasty battles are still underway with the formation of the Office of National Intelligence and, more particularly, Home Affairs.

Third is the lack of knowledge and skills in this technology area—part of the broader STEM skills deficit Australia faces. National security agencies have some flexibility in employing specialist skills. They’ll need to use all of that to build and retain the knowledge needed to operate securely and to maximum effect on cloud infrastructure if they are to be more than passive customers of global providers.

The last major obstacle is likely to be trust and risk. The number of cloud providers that could work with the Australian national security community is fairly limited. It would certainly include the global providers at the big end of town like Microsoft, Amazon, IBM, Alphabet and even Northrop Grumman. But medium-sized data centre operators (for example, NEXTDC and Canberra Data Centres) and local cloud providers already serving government like Vault, partnering with bigger global cloud providers and with companies like Leidos, might also see this as a viable business proposition given a reliable big Australian customer.

If the government were to use its larger purchasing power across the national security community and other big agencies, and think strategically about what could be done with its US ally, the options would be broader, and probably both more resilient and more financially viable.

Regardless of who the provider or providers might be, validating the security of a cloud solution, and gaining a sufficient understanding of its vulnerabilities, will be large and difficult pieces of work. Simple issues like the resilience of cloud infrastructure if it’s dependent on a small number of international undersea cables will need to be assessed.

Overall, though, the issue of cloud infrastructure for the Australian national security community needs to be elevated way above the realm of individual agency IT departments and break the confines of debates over in-house or contracted data centres and current security rules.

A move now to secure cloud infrastructure is needed if Australia’s national security agencies are to remain at first-world capability.

Australia’s new Cyber Centre and Australia Ltd

A new Australian Cyber Security Centre (ASCS) will be established in Canberra to boost the country’s ability to protect against cyber-attacks, Prime Minister Julia Gillard announced Thursday 24 January 2013. Making the announcement at the Defence Signals Directorate’s Cyber Security Operations Centre, Ms Gillard said that by drawing on the skills of the nation’s best cyber security experts, the ACSC will help ensure Australian networks are among the hardest to compromise in the world

When Mr Obama sat down with China’s President Xi Jinping in California this week, it’s a fair bet that the prickliest subject was cyber. American companies being are being ripped off by almost certainly state-backed cyber pirates but the asymmetry of the commercial battlefield makes like-for-like retaliation pointless. Meanwhile, the spoils of cyber theft keep growing—and Australia is far from immune, as last week’s exposé of IP theft from Adelaide-based Codan Limited, among other Australian targets, made clear.

In the absence of credible deterrence, Western governments have so far relied on defence. Cyber strategy for corporates is essentially bi-focal, according to the nature of the threat. On the near side is government agencies and ‘essential infrastructure’; the power generation companies and (retail) banks, without whom daily life would become swiftly awkward. For these guys, governments take a proprietorial cyber stance, mandating security processes. Read more