The Australian Signals Directorate’s fundamental restructure of government cybersecurity support infrastructure is a potential disaster for home-grown tech companies and a disaster for Australia’s sovereign capability.
The devil will be in the detail, but at face value the changes will make government less secure, with an eroding of cybersecurity fundamentals ultimately undermining our national security.
At a time when global cyber threats have never been more menacing, and when government sites are subject to an unprecedented volume of attack, the Australian Signals Directorate has effectively deregulated cyber compliance.
To say this is counter-intuitive is a giant understatement. If the ASD is unable to adequately assess cloud services on behalf of government in a centralised compliance environment – with all of its cyber resources and expertise – what chance would a small government department or agency have?
That the government would choose this moment in time to deregulate – or to introduce a kind of hybrid industry-agency self-regulation – is extraordinary and disturbing.
Surely at a moment in time where the global threats have never been greater and the ability to access the cyber skills to combat those threats has never been shorter, this is a time for sharing centralised resources.
If the ASD found it too hard as the nation’s cyber intelligence agency, what chance has the rest of government got?
The ASD on Monday announced it would close the Cloud Services Certification Program (CSCP), that it would no longer be the Certifying Authority and that all certification activities would halt immediately.
Companies that are currently listed on the Certified Cloud Services List will remain certified until June 30. After that, ASD certified is void. The ASD will appoint government-industry consultative groups, which will help write new guidance for departments and agencies to do their own assessments.
In other words, the government has moved overnight to a model of self-regulation. The ASD will no longer assess and credential cloud products and services on behalf of the rest of government.
According to a joint announcement by the ASD and the Digital Transformation Agency, the cessation of the Cloud Services Certification Program “will open up the Australian cloud market to allow for more home-grown Australian providers to operate.”
“This will also give government customers a greater range of secure and cost-effective cloud services.”
This sounds like industrial-grade wishful thinking. It presupposes that the overnight change in ASD cyber policy has coincided with mass cultural change inside the public service. The level of cultural cringe about buying Australian tech is formidable.
The danger is that the changes make it more difficult for local tech suppliers to sell into government – as if it weren’t hard enough already.
The unintended consequence of these changes is that already risk-averse government users are less likely to buy from smaller providers – and that the prevailing view that ‘big and foreign’ equates to ‘more secure’ is reinforced.
The changes to the certification program and the shutting down of the Certified Cloud Services List has been a long time coming. The decision had been telegraphed.
The list was not perfect, and once Microsoft and AWS had been certified to ‘Protected’ status despite offering non-compliant services certainly undermined its credibility and led to some confusion.
Just how effective the new regime is will depend to a very great extent on a promised improvement of support and resources for the Information Security Assessors Program (IRAP) community. The ASD has promised greater numbers of certified assessors and better resources to ensure quality.
You have to wonder whether government CIOs and chief security officers have the budgets to do what has been asked of them. Because otherwise the safe option always ends with a shift toward the big brands.
This is a genuine problem. It hurts Australian innovation and does nothing for the development and maintenance of sovereign capability in these key areas of technology importance.
You have to hope that the Industry Consultative Forum that will inform the process are stacked with leaders from Australian companies.
And you have to hope that procurement guidelines put a thumb on the scale in favour of local technology companies. Government purchasing power is an important lever for industry development, and we should use it.