War in the clouds
The appeal of cloud computing is undeniable. It provides remarkable scalability, cost-efficiency and agility, qualities that attract government and business. However, for all its benefits, there are also risks, not least of which is maintaining sovereignty over Australian data.
The Australian government is working on mitigating the risks but needs to do more. Further necessary measures include improving cloud-computing regulation and encouraging development of entirely Australian services.
Data sovereignty is the principle that information is subject to the laws and regulations of the country in which it is collected and stored, ensuring that individuals and organisations maintain control over their data within national boundaries. It’s important because, as former prime minister Malcolm Turnbull said, ‘Data is the new oil. It’s the currency of the digital age, and we need to make sure that it’s controlled by Australians for the benefit of Australians’.
Relying on foreign cloud providers raises serious concerns about who ultimately controls our data and the systems that host it.
Some foreign governments can use extraterritorial law to compel cloud service providers to disclose data, even contrary to Australian law. Furthermore, foreign governments may pressure cloud providers to manipulate or disrupt services—for example, in war.
Debates around data sovereignty have persisted in Australia for nearly a decade, reaching a peak around 2020 during the COVID-19 pandemic. In response to this debate, the hyperscalers (the largest cloud services, such as Oracle, Amazon Web Services, Google Cloud and Microsoft Azure) have invested time and resources to reshape the foundational elements of cloud infrastructure.
They are now implementing technical controls designed to prevent offshore data replication and restrict transmission of telemetry data containing personally identifiable information beyond national borders.
The Australian Hosting Certification Framework aims to establish robust guidelines and standards for secure domestic storage and management of sensitive data. However, its weaknesses include limited enforcement mechanisms and a lack of comprehensive coverage for all data types, leaving potential gaps that malicious actors could exploit.
Even with strong contracts and data residency requirements, risks of unauthorised access, data breaches and foreign surveillance remain. This erosion of data sovereignty undermines our ability to protect sensitive information and uphold our legal and regulatory frameworks.
The Australian government must be fully aware of where its data and its citizens’ data are stored, who has access to them, and the safeguards in place to protect them. Cloud providers often struggle to reconcile these requirements, a difficulty arguably affected by governments’ lack of understanding of cloud technology and its technical strengths and weaknesses.
Until 2020, Australia relied on the Certified Cloud Services List of products that the Australian Signals Directorate (ASD) had certified. However, ASD struggled to keep pace with demand for certifications, keeping products on the shelf and reducing competition between firms that could supply the government. Although the list has been replaced by the Infosec Registered Assessors Program (IRAP), the problem of slow processing may persist due to a shortage of IRAP assessors.
The government must carefully consider the broader implications of its policies. If the process remains cumbersome, businesses may choose to take their operations elsewhere.
This article was published by The Strategist.
The ASD stresses this need for transparency in its cloud security guidance:
“Transparency is essential to building trust in cloud services. Agencies should clearly understand the security controls implemented by cloud service providers and their ability to meet the agency’s security requirements.”
Recognising the shared challenges of data sovereignty, members of the Five Eyes intelligence alliance are collaborating to forge a unified approach. They are sharing information on threats and vulnerabilities, developing secure cloud technologies and promoting interoperability among national cloud infrastructures. By working together, the Five Eyes nations—Australia, Canada, New Zealand, Britain and the United States—enhance their collective resilience against foreign interference while preserving their individual sovereignty.
Australia must augment the Five Eyes’ efforts with a comprehensive strategy to protect its data sovereignty and control in the cloud.
First, it needs to strengthen its legal and regulatory frameworks to address the challenges that cloud computing poses. This includes clarifying data ownership and access rights, enhancing data-breach notification requirements and establishing clear guidelines for cloud service providers operating in Australia. It is important to note that hyperscalers and the Australian government continue to work together to address the challenges of cloud computing in standards-setting bodies.
Second, the government should continue promoting the development of sovereign cloud solutions owned and operated by Australian entities. This will ensure that our data remains within Australian jurisdiction and under our control.
Third, continued investment in cybersecurity capabilities is vital. We must invest in advanced cybersecurity technologies, threat intelligence and workforce development to counter evolving cyber threats.
Finally, international cooperation is not just beneficial; it’s essential. Australia should continue its commitment with Five Eyes partners and other like-minded nations to establish common standards and frameworks for data sovereignty and cloud security. This collective effort will help foster a more secure and resilient global digital ecosystem.
As Australia continues to navigate the complexities of a digital future, the challenge of data sovereignty must be a priority.
Andrew Horton is the Chief Operating Officer of the Australian Strategic Policy Institute. He was formerly a corporate executive with more than 30 years of expertise as a founder, investor and technology expert in the education and research sectors.