Govt cloud scramble: The sovereign demands of Top Secret

The sober ‘Notice to Industry’ issued by Defence outlining a plan to go to market for multi-vendor Secret Cloud Services belies the intensity of the scramble across the defence and intelligence communities in the preceding weeks.

The Defence notice outlined its plans to go to market to secure a multi-vendor cloud infrastructure including IaaS, PaaS and SaaS services capable of achieving accreditation to handle data and information to Secret level.

Defence indicated that the Secret Cloud Services it sought would be utilised by other agencies, with Defence confirming that is collaborating with other agencies including Home Affairs and the Department of Foreign Affairs and Trade, which are also interested in Secret cloud services.

The backstory here – and really it is a bombshell – is the decision by hyperscale cloud provider Microsoft to walk away negotiations with the Office of National Intelligence over the provision of Top Secret-accredited secure cloud services.

ONI had issued a Request for Expressions of Interest in December 2020 that sought to identify potential commercial partners to work with the National Intelligence Community (NIC) to build a Top Secret, scalable, private cloud service.

Microsoft is understood to have told the ONI in April that it could not meet the requirements of the proposed platforms nor the timelines for delivering it.

It is understood the company told ONI the shortage, specifically security credentialled skills, made the task impossible and that the company would walk away from the negotiation.

It is further understood that while a contract had not been signed, the discussion of the design of the project was well advanced, and that Microsoft had already invested substantial sums in infrastructure that would have served the Top Secret arrangement.

There is chatter in Canberra – and it is loud and persistent – that the Microsoft decision to walk away from ONI’s Top Secret cloud service was actually based on decisions made in the US to get out of the business of providing the highest level of cloud security to governments in all markets except in the United States.

Regardless of where the decision was made, it has forced the Australian Defence and intelligence agencies to scramble.

Unintentionally perhaps, but the decision has put a massive spotlight on the issue of sovereignty in relation to information and data supply chains.

And it must surely have ratcheted up anxiety inside government about sovereign control in public cloud environments.

There has been a kind of Big Tech exceptionalism applied to sovereignty issues in the information and data supply chains over the past several years – certainly ever since public cloud offerings from Microsoft and AWS were ASD-certified to Protected-level under the old system.

It was extraordinary then, just as it remains extraordinary now, that essential services and government data has been – and still is – maintained in public cloud environments that are not entirely under the control of the Australian government.

Specifically, these environments allow access to technical personnel who are not security credentialled by Australian government and who are not based in Australia. This is for data loads at Protected level. It’s personal data, its sensitive government data.

It also means that decisions made in foreign boardrooms can have a massive impact on the running of the country. That’s the whole point of maintaining sovereign control of supply chains, whether in relation to ensuring the supply of diesel fuel additives, mRNA vaccines, or mission critical data.

Big Tech exceptionalism is real. How else to explain the Australian government’s attitude to cloud services in that long-ago time before the pandemic demonstrated the frailty of strategic supply chains, and before the alarming escalation of geostrategic tensions?

The fact that Defence officials have been running around with their hair on fire for the past six to eight weeks, might be an indication that sovereignty issues in relation to data and information supply chains are suddenly more front-of-mind.

The Microsoft corporate decision to walk away from a critical strategic project will have sharpened the focus.

There are three levels of sovereignty that governments need to consider in relation to critical information systems. The first is physical sovereignty, related to where the data is located.

The second is jurisdictional sovereignty, whereby even if data is held locally, is there is jurisdictional issue whereby a foreign-domiciled company can be compelled by a law in its home country to act in a way that would undermine Australian sovereignty.

And thirdly there is operational sovereignty, which asks where does the systems administration take place?

How the Australian government now approaches these three elements of sovereignty will have a huge impact on what public sector information technology environments look like in future.

The Defence plans to approach the market to build multi-vendor Secret cloud service hosted in Australia does not adequately define in public documents how it will approach these three aspects of sovereignty.

What we do know about the last several weeks is that a lot of senior techs working across Defence, intelligence and across the rest of government have been running around with their hair on fire.

The Microsoft decision – something completely outside of government control – landed like a bombshell.

The decision has important ramifications for the local cloud service providers, which will suddenly have access to potentially hundreds of millions of dollars’ worth of business – or more – with government in the coming years.

If the decision in Australia reflects a change in global Microsoft policy, then it will have a material impact on Microsoft global cloud revenues.

And then there is the reputational hit that the company will have to account for.

Do you know more? Contact James Riley via Email.