Husic on ASD cyber certification
Ed Husic: Wants answers about the government's cloud services accreditation program
The federal government has serious questions to answer over its “seismic policy shift” on the cloud services accreditation program, shadow digital economy minister Ed Husic said.
Speaking in Parliament on Thursday afternoon, Mr Husic said the government’s decision to award Microsoft verified status for 25 Azure services and 10 services within Microsoft 365, and the subsequent Consumer Guide “shocked” the local tech community and deserves a thorough explanation.
“For some time, Australia has been able to proudly rely upon local cloud service providers supplying those services to government. The framework has been set in stone for a while, even in the face of repeated questioning by local providers wanting to check that they wouldn’t be caught off guard by sudden policy shifts,” Mr Husic said.
At the start of April this year, Microsoft was awarded accreditation to host “protected” government data on its cloud services. The decision marked a big change in government cyber policy, with users and local service providers now waiting to see specific instructions on the changes in an upcoming ASD Consumer Guide.
Microsoft is the first international provider to gain the accreditation, joining four local players with the same service.
At a Senate estimates hearing last week, it was confirmed that Microsoft employees who have access to systems housing Australian government protected-level data don’t need to be located in Australia. While employees who have access to this data will have to be cleared by the government, those who have access to the underlying systems won’t necessarily be vetted.
The decision appeared to apply a different set of requirements to global company Microsoft than to the local providers that have already gained accreditation, and Mr Husic said the government now has a lot to answer for.
“I’m interested in the Turnbull government shifting the goalposts and impacting local companies. The same Turnbull government that once yammered on about driving local innovation, only gives it lip service when it comes to the crunch,” he said.
“There are a stack of questions the Turnbull government has to answer about this seismic policy shift.”
Mr Husic then outlined many of these questions, including whether Microsoft will be providing a public cloud or protected cloud, why the standards for cloud service providers have changed, who signed off on the accreditation and how many clearances will be issued to Microsoft staff that are not Australian citizens.
“Is it true Microsoft’s global head of sales and marketing specifically flew into Canberra to lobby senior members of the government for the ability of Microsoft to provide its cloud services to government?” Mr Husic added.
Mr Husic said the government needs to answer these questions as a matter of urgency.
“The Australian public deserves to know how the government is protecting and managing the data of ordinary citizens. And it would also be good to know why the government has decided to treat local Australian firms so shabbily - one day forcing those firms to spend up big to meet a big standard that just gets chopped and changed to suit a multinational, without regard to the impact on locals,” he said.
“The issue will not go away. It deserves a proper response from the government. And it certainly deserves to see local cloud services providers treated better than what we have seen to date.”
During the estimates hearing, National Cyber Security Advisor and deputy director-general of the ASD Alastair MacGibbon said he was “very, very satisfied” with the risk mitigation measures deployed by the government.
“I am very, very satisfied that the controls are in place to mitigate the risks associated with Microsoft. The [government] data associated with Azure and Office 365 resides in Australia. It’s that simple. That’s where the servers are,” Mr MacGibbon said.
Mr MacGibbon also rejected the claim that the government had been seeking a “big player” to join the local providers of cloud services.