Australia needs a national security cloud: ASPI
Australian national security agencies must develop a national security cloud and finally catch up to the private sector in terms of cloud adoption, according to the Australian Strategic Policy Institute (ASPI).
In a new report, ASPI argued that agencies’ slow adoption of cloud services due to initial concerns about the security of cloud technology have left them years behind the adoption curve.
“For agencies that rely on cutting-edge high technology for their capability edge, this is disastrous,” the report states.
“Unless it’s addressed rapidly and comprehensively, Australia will quite simply be at a major disadvantage against potential adversaries who are using this effective new technology at scale to advance their own analysis and operational performance.”
Australia will also fall further behind its allies, ASPI said, arguing that the US national security community has a lead of at least five years over Australian partner agencies.
This change must be driven by ministers and agency heads rather than CIOs and security staff, ASPI said.
“That’s because security accreditation standards and processes can’t lead technological change. By definition and by design, security standards are lag controls, based on what’s already understood and formed from experience with past and present technical systems,” the report states.
“Ministers and agency heads have both the responsibility and perspective to look beyond the important current technical security standards and rules and think about the capability benefit that cloud computing can bring to Australia’s national security.”
Accordingly, ASPI has called for the government to commit to major investments in cloud infrastructure and services for Australian intelligence agencies as part of any government stimulus to Australia’s digital economy.
“The intelligence community needs to make this shift as a community, not as a rag-tag band of loosely coordinated agencies with agency heads making separate risk-based decisions,” the report adds.
“This means avoiding the non-strategy that’s the Digital Transformation Agency’s Secure Cloud Strategy, which takes exactly that Balkanised approach to investment decisions.”
This collaboration should involve the development of a national security cloud that has agencies’ interoperability as a core principle, ASPI said.
“The most powerful cloud infrastructure and applications are useless without the fuel they need to operate — data. So, the maximum data needs to be brought into the national security cloud by each agency in the intelligence community,” the report states.
“This is rice-bowl territory, so the decisions will be divisive and difficult, but national capability, not agency fiefdoms, needs to be the overriding interest.”
Another key attribute for the national security cloud must be security. Information hosted on the cloud must be protected from both state and non-state cyber actors who are already targeting Australian government systems.
As a result, data must be hosted onshore, and security must go beyond personal and system security to include the resilience and integrity of the supply chains that cloud infrastructure and service providers rely on to produce their products.
“This is a newly obvious priority exposed by the vulnerabilities we’ve seen in global supply chains through the pandemic — and high-technology supply chains are particularly exposed to Chinese state influence unless security is a design principle baked in from the start,” the report states.
ASPI also advised against what it anticipates as a tendency to adopt cloud infrastructure at the lower levels of classification first before more highly classified data.
The institute argued that combining valuable top-secret information with the huge trove of lower classification and open-source data is a source of distinctive advantage that agencies can offer the government.
“So, failing to incorporate highly classified data holdings with the analytic horsepower and flexibility that cloud infrastructure and applications bring would be a bit like adopting jet propulsion for reconnaissance aircraft during World War II but sticking with piston-engine aircraft for your fighter fleet, even as your enemy chooses otherwise.”
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...