Home Affairs Secretary Michael Pezzullo says government has serious concerns with the security posture of global cloud computing giants like Amazon and Microsoft, and warned tightening data sovereignty requirements in Australia will “not be attractive” to them.
On Thursday, in response to large cloud providers’ protests about proposed critical infrastructure legislation, the top security bureaucrat fired back, saying their business model was creating risks for government.
Mr Pezzullo said the multinational cloud companies typically want “very few strictures” so they can continue a business model which relies on moving data around the world to minimise costs but often sacrifices security.
“The ability of certain adversaries, some of whom are state adversaries, some of whom are criminal adversaries, to penetrate that data…is of deep concern to government,” Mr Pezzullo told a joint security committee.
He said this was a legitimate commercial model for cloud providers but could be at odds with Australia’s national interest when government-held data was involved. The federal government leans heavily on leading US cloud providers which collect hundreds of millions in government tenders.
“We’ve stated that [concern] very bluntly and directly to that sector,” Mr Pezzullo said.
“Because the Commonwealth Government itself has not been satisfied about the security of that data, both in terms of where it’s hosted and how it’s routed.”
The Home Affairs chief said the government has bound itself to a data certification project which would “toughen the strictures” on the cloud industry when dealing with government held data.
Last year, then-services minister Stuart Robert flagged the government was considering sovereign cloud requirements following a backlash against US company Amazon hosting data collected by the COVIDSafe contact tracing app.
In June, Mr Robert, who retained responsibilities for whole-of-government data and digital policy, announced three Australian data centre providers had been certified to store sensitive data locally under the government’s new Hosting Certification Framework.
The framework requires data and digital service providers engaged by government to use highly secure systems and, at the highest certification level, enables the Government to specify and enforce ownership and control conditions that cannot be lowered at any time. It is designed to help agencies mitigate supply chain and data centre ownership risks.
For cloud providers the framework means they may only receive certification for certain facilities in Australia.
“In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the official Hosting Certification Framework said.
Mr Pezzullo said the tightening data requirements being led by Mr Robert made the Australian government an “exemplar” but would mean challenges for multinational cloud providers.
“What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.
“Because how they make their money is, frankly, by moving the data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity.
“And that’s a perfect illustration of the tension here between the private commercial interest and the public interest.”
Do you know more? Contact James Riley via Email.