Federal guidance for the new decentralised and deregulated cybersecurity regime has been released to mixed reviews, with some concerned that the new framework puts Australian companies at a disadvantage in selling to government.
The Australian Cyber Security Centre and the Digital Transformation Agency released new Cloud Security Guidance to support the adoption of cloud services across government, a document that was “co-designed” with industry.
The new guidance replaces the Certified Cloud Services List, which ceased operation on Monday.
The CCSL had operated as a central model managed by the Australian Signals Directorate and was recognised as the ‘gold standard’ for cybersecurity. With the cessation of the CCSL, the government has moved to a decentralised model of self-assessment where each department and agency is responsible for its own assessments and cyber risk management.
The changes are a radical overhaul of the architecture of cyber security standards in Australia, and a deregulation of a cloud services market worth billions of dollars in the coming years.
Since the government announced in March that the CCSL would cease on August 27, the ACSC and DTA have been in consultation with the industry and with government customers over what would be included in the guidance and what would be excluded.
While the government’s intention in the design of the Cloud Security Guidance was to open up the Australian cloud market and to allow more local, home-grown cloud service providers to sell in to government, not everyone is convinced this will be the outcome.
It is far from certain that the new measures will make the Australian government more cyber resilient. Some observers say that although the process for the development of the Cloud Security Guidance had generally been excellent and had made the best of the government decision to move to a decentralised model, that decision would ultimately make Australia less secure.
As a high-level observation, Vault Cloud chief executive Rupert Taylor-Price told InnovationAus that “decentralising, deregulating and removing the certification process reduces the cyber resilience of Australians.”
The CCSL program ensured that cloud services met stringent security standards through a centralised assurance process. Without that list, government and consumers may struggle to understand which cloud providers meet these high security standards.
“The bar for achieving ASD certification was extremely high and provided certainty into data protection,” Mr Taylor-Price said.
“By decentralising compliance requirements, we are concerned that government agencies may experience inconsistent standards, not only impacting the service the government receives, but also their ability to interoperate with other agencies and in turn the outcomes for citizens,” he said.
“Although there may be initial cost savings for the ASD there may be overall cost, delays and security implications in the future. However, if Australia continues to experience a threat landscape at the level the Prime Minister outlined recently, the continued investment in a certification program is in our national interest.”
With the decision to decentralise cyber risk assessment and management already made, Mr Taylor-Price said the process for developing the guidance was as good as any consultation he had ever been involved with, with any government.
In the absence of a central regulatory authority, this process does improve transparency and does introduce a framework, he said.
The government cloud services market will be worth tens of billions of dollars over the next decade, and the competing interests of local providers versus foreign suppliers have been on display. There has also been a schism between the local companies that were on the CCSL and the providers that had not got on to that list.
The local industry has welcomed the intent of the guidelines to open up opportunities for Australian owned and operated cloud services providers. But there is scepticism about whether this framework will deliver for local industry.
“Overall, there is a very strong pro-Australian ownership implication. The question is whether this will simply be overwhelmed in the market by the marketing power of the multinational corporations,” one senior executive from an Australian cloud provider told InnovationAus.
“A lot of it will come down to how IRAP assessors regard the risk associated with overseas support when they are advising agencies,” the executive said.
And this exposes a potential flaw in the process. There is a prevailing view that the Australian infrastructure-as-a-service providers do not offer equivalent services to the tech giants AWS and Microsoft.
An IRAP assessor is not going to be asked by an agency to compare two options. Instead, the provider gets their service IRAP assessed, and then gives that to the agency client. This presents a problem, in that the IRAP assessor’s client should be the government agency, not the provider.
Regardless, in the months since the arrival of the coronavirus pandemic in Australia, the government has shown greater interest in sovereignty issues, whether that is in supply chains, data sovereignty or sovereign capability.
Government Services Minister Stuart Robert told the National Press Club earlier this month that government was mulling a “sovereign cloud” capability for certain kinds of sensitive data.
Under the plan being considered, the government would declare certain data sets as ‘sovereign’, meaning they could only be hosted in Australia by an accredited Australian data centre across Australian networks and only accessed by the Australian government and service providers.