Information and communication technology (ICT), encompassing digital services, digital infrastructure, cybersecurity, software, and so on, is ubiquitous throughout the Australian economy and society at large.
As a result, Australia’s accelerating digital transformation is multiplying the number and complexity of ICT services, as well as increasing the threat surface and associated vulnerabilities.
Inside the federal government, the ubiquity of ICT services is reflected in the diffusion of ministerial responsibilities for policies and legislation regarding the national direction of ICT – our cyber and digital security, the ongoing development of our digital economy including technological advancement and regulation, procurement policy, digital identity and data-sharing, digital skills initiatives, and service delivery.
Subsequently, our strategies, legislation, regulation and policy initiatives have been developed separately, without an overarching vision, resulting in point solutions and ‘stove-piped’ policy development, implementation and governance.
While improvement is evident under the new government, with the elevation to Cabinet of the cybersecurity portfolio, cybersecurity and home affairs now sit with a single minister, and machinery of government changes have yet to be seen that will address the diffusion of responsibilities.
Meanwhile, Australia is dealing with ongoing challenges associated with the pandemic and increasing geostrategic competition in our region, escalating our need for critical technologies and more robust cybersecurity.
These challenges are creating renewed emphasis on national sovereignty, with the goal of greater national resilience and self-reliance. Indeed, the Prime Minister Anthony Albanese (when Opposition Leader) called for a “whole-of-nation endeavour” in relation to cyber resilience.
So, what to do?
First and foremost, Australia needs an overarching national strategy for ICT capability – to bring together all aspects of legislation, policy, governance, capability and priorities into an integrated national plan for Australia’s digital economy, digital society, cybersecurity, national resilience, national security, and Australia’s contribution to a more prosperous and secure Indo-Pacific region.
Such an integrated national plan would address both social and economic threats – for instance, cyberattacks which are growing exponentially in number and seriousness; and opportunities which have the power to reshape our economy and society for the future – the Internet of Things (IoT), quantum computing and 6G, to name just a few.
A sovereign ICT capability framework would underpin the development and sustainability of Australia’s digital and cybersecurity future.
This would create new and expanded opportunities for Australian companies to provide ICT solutions to Australia and, over time, as export to our near neighbours, creating future ICT-focused employment pathways supported by a thriving local industry.
Using this model, Australia could establish a number of separate but related plans, such as:
- a national cybersecurity capability plan, addressing our skills and capability needs throughout the economy;
- a national digital infrastructure plan, addressing our requirements where data storage and processing, submarine cables, telecommunications poles and wires, and 6G are concerned; and
- a national sovereign data plan, addressing the necessary controls which should be in place for various government and non-government data stores created by Australian people and organisations. (Such a plan would need to address weaknesses at the federal level, not just at the state and territory levels and across the private sector, as the previous government’s consultation program sought to do).
Such an overarching framework would allow Australia to determine just what ICT capability it wants, and to decide what will be built and maintained in Australia (on-shoring), what can be built and maintained in partnership with our allies (ally-shoring), and what can be obtained from other countries as part of global trade (off-shoring).
On-shoring addresses the new premium on sovereign capability and capacity. So too does ally-shoring to a point, as nations and companies collectively build trusted networks of strategic partners, with shared values and mindsets, as is evidenced in AUKUS and the Quad.
Some off-shoring with other nations can be done as part of global trade, where the degree of sovereignty and trust are not as crucial.
This approach – which will optimise and grow the capabilities we already have in Australia – through direct government procurement and via ally-shoring – is a ‘smart sovereignty’ approach as it assesses the degrees of sovereignty required to deliver and sustain the capabilities we need.
Everything from research and development, skills development, capability interoperability, raw materials to support ICT resilience, etc., would be captured under this framework, providing confidence to our ICT industry and to the nation.
We need to be clear on just what sovereign capability means. Sovereign control and domestic capability are fundamentally different concepts.
The former relates to the ability of the Australian Government to control the direction of resources (people, assets, capital, intellectual property (IP), etc.) to initiate and effect a process with full sovereign control of all aspects of data, risk and outcome.
The latter, relates to the capability to undertake a process (to design, to build, to create something) through the combination of resident assets, funding, people (skills, experience) and access to data and/or IP.
Australia needs both, the combination of which is sovereign capability. Not only does government need access to the capability to undertake processes and help them to deliver services and outcomes independently, but also the control to prioritise and protect in the interests of Australia; for example, to prevent foreign interference, protect national commercial interests and importantly, protect the data of Australians.
The term ‘digital sovereignty’ refers to individuals or nations having sovereignty over their own digital data and involves consideration of how data and digital assets are treated. It relates to various aspects of digital technology (such as ICT, including data storage and cloud computing; IoT; artificial intelligence (AI); big data and quantum computing).
Digital sovereignty means control over digital assets and digital technology. It is not simply a matter for example of data residency; that data also needs to be under Australia’s control.
We can turn to the defence department for further clarity. ‘Defence sovereignty’ is a key aspect of sovereign capability and is the ability to independently employ defence capability or force when and where required to produce the desired military effect.
It does not automatically mean a defence capability has to be designed, developed or maintained in Australia, but it does mean defence has to have access to a functioning defence capability as and when required.
Australian defence industrial capability becomes a sovereign industrial capability when Australia assesses it is strategically critical and must therefore have access to, or control over, the essential skills, technology, intellectual property, financial resources and infrastructure so that the Australian Defence Force is positioned to achieve the strategic defence objectives.
But are the related terms of sovereign control and domestic capability sufficient to address data vulnerabilities, supply chain vulnerabilities and cybersecurity threats?
I argue that the term sovereign ICT capability would be more apt – encompassing all policy areas relating to Australian application, control and authority over, the digital, data, supply chain, and cyber inputs necessary to address identified security threats and to exploit current and future economic opportunities.
A sovereign ICT capability framework would allow the nation to raise our cybersecurity posture to protect our sovereign capabilities and provide opportunities for Australians and Australian businesses to be intimately involved.
This is crucial not just for economic and employment reasons but because while the government can provide the top-down direction, the real traction will come from industry and the action – the ‘rubber on the road’ if you will – must be led by industry.
And Australian companies will also need to accept that they must invest back into the business if Australia is to address this soft underbelly of an increasing attack surface, increasing vulnerabilities, and increasing threat actors, with which we are simply not keeping pace.
Sovereign capability needs to address three key pillars:
- Security-by-design – security should be a core component of all critical domestic capabilities. Organisations should ensure they are making decisions that build in security from the ground-up
- Transparency – transparency in all critical domestic capabilities is crucial, both from a business perspective and a national security perspective
- Autonomy and integrity – knowing that your suppliers demonstrate integrity and are acting autonomously is fundamental to securing all critical domestic capabilities.
I see potential in adapting Defence’s approach to sovereign industrial capabilities, at least in terms of identifying key criteria that could be used as a start-point in assessing the degree of ICT sovereignty required:
- Protection of intent (i.e., a digital economy with a high degree of smart sovereignty and trusted supply chains)
- Independence of action
- Interoperability of all elements of the national ICT capability
- Assurance of supply
- Hardening national resilience
- Essential skills development and retention
- Fostering small-to-medium enterprises (SME) and indigenous businesses
- Leveraging competitive advantage, building domestic capacity, and expanding export opportunities.
It is important to note here that the government recently announced raising the SME target in procurement from 10 per cent to 20 per cent, which is a welcome initiative; however, that will need delicate balancing to catalyse the larger ICT companies to invest in sovereign capability.
Domestic capability should be seen as a building block of sovereign capability, underpinning Australia’s ability to respond to unforeseen events.
The continuing operation of our critical industries relies on the sustainable, uninterrupted delivery of products and services, which demands trusted and assured supply chains.
As the Australian Information Industry Association (AIIA) said in its 2021 Domestic Capability document, enhancing our domestic capabilities offers many benefits, such as:
- Sufficient independent capabilities to be considered a valued partner by those with whom we wish to ally or partner
- Enhanced domestic and export sales strength across critical industries
- Stimulated science, technology, engineering and mathematics (STEM) opportunities across all sectors, leading to economic growth
- Developing technology as a critical enabler for our core industries means greater domestic capability, and ensures strengthened business continuity and maintenance of global strength
- Contributing to the critical industry sectors rather than simply being a consumer, drives innovation and growth
- Positions Australia as an attractive and easy place to do business for foreign multinationals that seek access to global capabilities.
Improving our planning for domestic capabilities starts with understanding the current state which, again as the AIIA document said, encompasses:
- Understanding ultimate ownership and control of entities
- Understanding the existence of reciprocal arrangements between strategic partnership nations
- Visibility of entities’ supply chains and outsourcing arrangements to identify vulnerabilities that might compromise continuity of access or integrity
- Understanding associated entities and links to other companies
- Identifying a range of common services being used by multiple entities, such as shared information technology service providers or shared control systems, creating supply chain risk aggregation
- Understanding the extent of reliance on operations and subject matter expertise from outside Australia
- Understanding the impact of and planning for the limits of local manufacturing capabilities.
A dedicated Minister for ICT Capability should be appointed to have responsibility for building sovereign ICT capability in Australia.
This should be a Cabinet-level appointment to provide consistency of direction for national ICT capability and add weight to the message that sovereign ICT and cyber security are critical for our future economy and national security.
The minister could also bring together relevant domestic and foreign affairs aspects, as the nation seeks a safe, secure and prosperous Australia, Indo-Pacific and world, enabled by cyberspace and critical technology.
The way to do this is through the creation of a sovereign ICT capability framework to enable strategic prioritisation of the ICT capabilities we need, whilst building on the already strong foundations we have.
Dr Gary Waters served 33 years in the Royal Australian Air Force; served as a senior public servant in defence and worked in the private sector as Head of Strategy for Jacobs Australia. He retired in 2013 and now works on a casual basis as an independent strategy consultant. He has written over 20 books or papers on air power, doctrine, strategy, cyber security, cyber warfare, logistics, space policy, and military history. He is a founding director of the Integrated Institute for Economic Research – Australia.
Do you know more? Contact James Riley via Email.