Data sovereignty focus opens new opportunities for Australian cloud providers
This article originally appeared in The Australian
Australia’s burgeoning cloud industry is not really our own, as recent research showed the soon-to-be $1 billion sector is dominated by the large global providers.
That creates an inherent cyber security and privacy risk, as companies that belong to jurisdictions outside of Australia are subject to different rules than our own. Those rules can impact our data, privacy and sovereignty.
But new guidelines from the Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) could change that, and open up new opportunities for Australian cloud providers to take a greater slice of the pie and develop sovereign skills and infrastructure, stimulating our digital economy in the process.
Data locality and ownership
The new guidelines replace the more stringent Certified Cloud Services List (CCSL). Until recently, this provided Government departments with a shortlist of certified cloud service providers that had passed specific cyber security criteria defined by the ASD.
The cessation of that list and the enshrined security it provided remain a disappointment, but one that has been cushioned significantly by the practical guidance laid out by the ACSC and the Digital Transformation Agency (DTA). Crucially, it highlights the importance of locality and ownership – where data is stored and who has access.
This is all about data sovereignty, responsibility and accountability, terms that have become more prevalent in the mainstream recently as the Government places a huge focus on cybercrime amid increasing tensions with China.
Sovereignty is about more than simply the physical geographic location where data is stored. It concerns the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends.
Further, the DTA and ACSC have spelt out four cloud data types that need to be secured. Up until now, the focus had been on just one, customer data. By placing a spotlight here, the challenge of having customer data stored in Australia, but support being provided by the cloud provider offshore (typically referred to as ‘follow the sun’ support), is being called out as a cyber security issue.
This single piece of advice will help drive business to local providers with onshore engineers. When the Australian economy most needs local jobs, this couldn’t be more timely.
These new guidelines will help provide a differentiator between ‘gold standard’ operators that invest in Australian infrastructure, skills and people, and those that have a presence here as part of a single global platform.
Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions, as the debate about the reach of the US CLOUD Act demonstrates. Globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk.
In the US, for example, cloud providers may be subpoenaed to hand over data to which they have access. More recently, the Chinese Government’s inherent access to data stored in Chinese-owned infrastructure and within China itself has come into focus, with many Australian providers having established data centres in Hong Kong as well as the mainland.
This request is made easier by the fact that these companies could have offshore staff with ready access. This could include sensitive consumer data, account information, metadata and more.
The risk is nullified by working with locally owned, operated and staffed providers, and the ACSC guidelines make that very clear.
Expanding government sovereignty strategy
The move from the ACSC does not stand alone. It follows a trend and wider strategy the Government is pursuing to protect Australia’s privacy, most notably the $1.67 billion cyber strategy launched by the Prime Minister in August.
Recently, Minister for Government Services Stuart Robert also announced that a sovereign data policy will be developed for sensitive government data. This appeared to be a lesson drawn from the public debate that followed the introduction of the COVIDSafe app, over how its data would be stored and who would have access.
This will essentially mean certain data will be required to not only be hosted in Australia but in an accredited Australian data centre, across Australian networks and only accessed by the Australian government and Australian service providers. This will serve as further advocacy for government departments to follow the same path.
The strategy is not exclusive to Federal Government either – last month the NSW Government completed a consultation period for an ICT Sovereign Procurement Taskforce, which in part aims to carve out new opportunities for Australian providers.
Local data, local opportunities
More than ever, we are looking at our economy, our skillsets, and how we’re going to innovate our way out of this crisis.
The impact of government departments following these guidelines will invariably make a mark on the private sector – governments’ combined market power as the largest spender on ICT impacts how enterprises spend on technology.
In the same vein, Australia’s homegrown cloud and technology providers have the opportunity to take on multinational competitors and drive the industry forward. This will ensure cloud and cyber security become essential, successful skillsets in Australia as we rebuild a new economy.