The Australian Signals Directorate has an important role to play in helping build Australian sovereign capability in cybersecurity, in software development, and in the creation of a resilient ecosystem of local suppliers to the digital economy.
The ASD’s primary role is not, obviously, about industry development. But it is regardless a huge influence on the local sector nonetheless. And its influence on government tech procurement decisions is formidable.
Among global intelligence agencies and cyber security peers, the Australian Signals Directorate is gold standard. ASD accreditation programs carry weight. And we should use that heft as a lever for improving industry development outcomes among local cybersecurity and software providers.
Which brings us to the “surprise” closure last week of the ASD’s Cloud Services Certification Program (CSCP), and with it the demise from the middle of the year of the Certified Cloud Services List.
The closure of the program was not a surprise. But the lack of detail around what comes next has created some angst.
There is a bit of a demarcation between those who liked the certified cloud services list. The local companies that were on the list liked it and the local companies that weren’t on the list did not. The big multinational providers did not love the additional hurdle but work hard to get on it (successfully in the case of Microsoft and AWS).
It is certainly true that the ASD had been swamped and struggling to keep up with the accreditation process. This was exacerbated as accreditation moved beyond PaaS and IaaS providers to include many applications from software as a service providers.
The certification process had slowed to a halt. No assessments had been undertaken since late 2018 (and re-assessments also halted). With no way to get on the Certified Cloud Services List, and with the list itself comprised of moment-in-time assessments, the whole program was considered no longer fit for purpose.
After appointing Prof Brendan Sargeant from the National Security College at the Australian National University to conduct a review in the middle of last year, the pin was pulled on the program last week.
And yet for the Australian companies on the list, it had value. It was a gold-standard ASD certification. This has value in selling to governments at all levels in Australia, and it has value in selling to potential customers overseas.
Why take that value away from the local industry? Why not further enable its use, rather than withdraw it?
The responsibility for conducting assessments always resided with the departments and agencies. The ‘list’ was an extra thing.
The ASD has promised more resources will be put to the IRAP assessors community to reassure the agencies. And Government and Industry Consultative Forums will be put together to make sure the new regime delivers.
But the Australian Signals Directorate could also play a significant role in the improvement of industry development outcomes by retaining its role as a Certification Authority.
In this role, the ASD would only assess products and services of Australian headquartered companies. This would be an additional “ASD-approved” badge for local companies only.
This gold-standard accreditation would carry weight with government buyers. And it would be a tremendous support for Australian companies seeking to sell into overseas markets (even more so if they had already sold into an Australian government.)
The ASD’s and the Australian Cyber Security Centre’s primary mission is not about industry development.
But it has an impact on industry development outcomes nonetheless.
The great concern on the local tech providers about the new scheme as outlined by the ASD last week is that it will make it harder to sell against the large multinationals, not easier. The concern is that conservative government buyers will take flight to the big multinational brands, as ‘size’ is mistaken for ‘more secure’.
This should be addressed, and ASD accreditation is good way to do it. Whether it likes the role or not, the ASD plays a big role in industry development.