Cloud giants’ security a ‘deep concern’ to govt

Joseph Brookes
Senior Reporter

Home Affairs Secretary Michael Pezzullo says government has serious concerns with the security posture of global cloud computing giants like Amazon and Microsoft, and warned tightening data sovereignty requirements in Australia will “not be attractive” to them.

On Thursday, in response to large cloud providers’ protests about proposed critical infrastructure legislation, the top security bureaucrat fired back, saying their business model was creating risks for government.

Mr Pezzullo said the multinational cloud companies typically want “very few strictures” so they can continue a business model which relies on moving data around the world to minimise costs but often sacrifices security.

“The ability of certain adversaries, some of whom are state adversaries, some of whom are criminal adversaries, to penetrate that data…is of deep concern to government,” Mr Pezzullo told a joint security committee.


He said this was a legitimate commercial model for cloud providers but could be at odds with Australia’s national interest when government-held data was involved. The federal government leans heavily on leading US cloud providers which collect hundreds of millions in government tenders.

“We’ve stated that [concern] very bluntly and directly to that sector,” Mr Pezzullo said.

“Because the Commonwealth Government itself has not been satisfied about the security of that data, both in terms of where it’s hosted and how it’s routed.”

The Home Affairs chief said the government has bound itself to a data certification project which would “toughen the strictures” on the cloud industry when dealing with government-held data.

Last year, then-services minister Stuart Robert flagged the government was considering sovereign cloud requirements following a backlash against US company Amazon hosting data collected by the COVIDSafe contact tracing app.

In June, Mr Robert, who retained responsibilities for whole-of-government data and digital policy, announced three Australian data centre providers had been certified to store sensitive data locally under the government’s new Hosting Certification Framework.

The framework requires data and digital service providers engaged by government to use highly secure systems, and for the highest level of certifications to enable the Government to specify and enact ownership and control conditions that are not lowered at any time. It is designed to help agencies to mitigate against supply chain and data centre ownership risks.

For cloud providers the framework means they may only receive certification for certain facilities in Australia.

“In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the official Hosting Certification Framework said.

Mr Pezzullo said the tightening data requirements being led by Mr Robert made the Australian government an “exemplar” but would mean challenges for multinational cloud providers.

“What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.

“Because how they make their money is, frankly, by moving the data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity.

“And that’s a perfect illustration of the tension here between the private commercial interest and the public interest.”


  1. David Jaques-Watson 3 years ago

    Back in the 90s, the UK government outsourced their social security system to a large American multi-national. The organisation determined it was cheaper and quicker to transfer all the data to their much faster mainframes in the States (Arizona? can’t remember), run the pensions programs, and transfer the results back to the UK in order to pay the recipients.

    A perfectly sound decision from both a commercial and a technical standpoint.

    When the UK government discovered what was happening inside their service provider, they were appalled. Personal information on pretty much every resident of the UK was being off-shored. No matter that it came back. If ever there was a national dispute between the countries (unlikely, maybe), could the US demand the company withhold the data from the UK? While the data is off-shore, whose laws does it fall under? (Do _you_ want to be the test-case? Hint: never be a beta-test site.)

    This is when Australian government agencies were introduced to a new term: “data sovereignty”! I believe it’s also the reason why many remain suspicious & mistrustful to this day.

    “Someone Who Knows…” says this doesn’t happen. But at best he can only say “this *no longer* happens”, to the best of his knowledge. And he may be absolutely correct; onshore data centres mean this should no longer be an issue. But the suspicion remains, and remains a hurdle which cloud providers will have to overcome. “Your data on someone else’s computers” is still a turn-off.

    Hey, who knows? Maybe it’s worth them banding together and doing their own political lobbying, presenting the facts and promoting their own products to combat the fear-mongering from others. Y’know, becoming self-motivated lobbyists? 😉 😀

  2. Someone who knows how cloud works 3 years ago

    Wow, just wow. The level of misleading information from this Secretary is breathtaking in both its ignorance and its arrogance. Hot on the heels of the ‘Drums of War’ article comes this. But let’s add some facts here:

    – Cloud services like Microsoft and AWS allow you to define which data center your data is located in and both run Government data centers in Canberra for this purpose.
    – Given AWS and Microsoft own their infrastructure, there is no commercial benefit, in fact there is a significant cost, in moving data around the world. The data migration ‘problem’ described by the Secretary is simply NOT a thing and does not occur.
    – The security controls I have implemented in the cloud are far better than what I have seen in Government departments. The Government’s own ACSC audits prove this.

    The article by the Secretary is either:

    – At best, a breathtaking display of ignorance about a subject he clearly has no idea about, or
    – A regurgitation of the political lobbying by so-called ‘sovereign’ cloud providers, where fear mongering replaces facts.

    If this Secretary is in charge of security for Government, it shows why the overall state of Government systems security is audited to be so pathetically bad. Perhaps it’s time to bring facts to the table and people who actually know what they are talking about, rather than self-motivated lobbyists and ignorance?

  3. Digital Koolaid 3 years ago

    Mike has a BA in History from the University of Sydney. What do you call a bloke with a degree in History?

    A historian ….

    He knows about the Peloponnesian War (431–404 BC). Should I listen to him about cloud-anything ?

    I think I won’t ….
