Information supply chains and sovereign capability

In a post-COVID world, Australia is in an excellent position to innovate and commercialise its domestic capability and uplift local industry. However, urgent action and collaboration are required across government and industry in terms of investment, policy, legislation, and tax reform.

Bolstering our local IT sector is critical not only for economic growth but also our national security. Cyber is the new frontier of warfare and Australia’s fleet is quite small compared to other countries.

Australia’s critical infrastructure faces many risks, but few hazards can impact so many assets at the same time. The ability for a nation to defend itself is a core component of sovereignty.

Data sovereignty is a growing concern for Australians. The Australian Community Attitudes to Privacy Survey 2020, published by the Office of the Australian Information Commissioner (OAIC), states that 74 per cent of Australians consider it to be “a misuse of personal information” if their data has foreign processing access — an increase from 68 per cent in the 2013 survey. 

Further, the same report shows that many Australians see loss of data sovereignty as a critical issue with 41 per cent of people believing sending data to foreign companies or countries is the biggest risk to privacy today. Ninety-two per cent of Australians have some concerns about the sovereignty of their personal data.

Understanding the importance of data sovereignty

Data sovereignty refers to the concept that data is subject to the laws and governance of the country in which the data originated. In order of importance, the main sub-constructs of data sovereignty are:

  • Legal, which subjects the data solely to the laws of the country of data origin and generally means that the custodian must be owned and operated within the country
  • Operational, wherein data, metadata, monitoring and remote access are managed solely within the country of the data’s origin
  • Physical, wherein the data at rest and in transit remains within the originating country. 

Both the Government and private sectors have to agree on an explicit approach to data localisation and sovereignty.

When in-country data is stored on services that are subject to foreign laws, an organisation retains substantial legal obligations concerning that data’s protection. However, the information may no longer be under their control and could be impacted by the laws and actions of a foreign country. This includes the future (as yet unwritten) laws of a foreign country. While the privacy laws of foreign countries may align to Australia’s today, there is no certainty that they will do so in the future. 

At present, some countries have sectoral coverage, while others have omnibus law, with at least one national data protection law in addition to sectoral regulations.

In Europe, under the General Data Protection Regulation (GDPR), a citizen must be informed if their data is subject to foreign law and have the right to opt-out of non-sovereign services. Once data sovereignty is lost it is unclear how to regain it in most cases. 

Global trends

In recent years, Data sovereignty is also a growing consideration in many countries. Canada, the US, UK, Germany, China and many other countries have strong sovereignty requirements and capabilities.

Interestingly in the US, home to many public cloud services, the government does not allow the use of public clouds for sensitive data. Instead, they elect to use special sovereign variants known as ‘Government Cloud’, ‘Community Cloud’, ‘Sovereign Cloud’ or ‘Secure Cloud’. 

Many global firms have started to adapt their globalised business models to better work with citizen expectations despite having to share revenue with local companies as a result. Many European governments also want more customised cloud solutions for their sovereign technology scenarios.

Data privacy and Australia’s health and welfare

Concerns about digital privacy and access to data led over two million people to opt out of the My Health Record system since 16 July 2018. In an Australian Information Security Association (AISA) briefing in 2018, the Australian Digital Health Authority (ADHA) shared that approximately 22,000 people died from adverse reactions to drugs in Australian hospitals every year. These deaths could have been avoided if health professionals had been able to access health records. 

A lack of access to health records leads to poorer health outcomes for Australians and has already resulted in the unnecessary loss of lives. In short, a significant number of Australians are actively choosing to risk their lives for privacy — your author included.

Analysis of personal data is also gaining traction in government as a way to realise benefits for citizens. For example, Australia’s public health data holds enormous potential, which could lead to future medical breakthroughs, especially if all Australians were confident in sharing their health records.

Another example is the analysis of police, financial, medical and social security records in combination to potentially predict which citizens are more likely to be exposed to domestic violence, thereby addressing one of Australia’s major health and welfare issues.

In the context of Australians opting out of eHealth, the Australians have high expectations for data security and sovereignty, so the opportunity for policy to have a material positive impact on the lives of Australians is substantial.

Transparency and harmonisation of government policies

Data sovereignty provides an added layer of trust and protection for Australians. The knowledge that data is protected under Australian law and not subject to the laws of another country, provides Australians with a level of assurance that their concerns regarding data sovereignty are being addressed and goes a long way to building trust in government and a better Australia for all Australians.

Transparency is important for citizens, government and industry. Home Affairs secretary Mike Pezzullo made it clear in July last year that the government was going to take a hard line with government suppliers. “What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.

The framework that was created at the Digital Transformation Agency (DTA) Industry Innovation Day, creates transparency around assessing and communicating data sovereignty.

The managed service provider, cloud and data centres are assessed across all aspects of data sovereignty (legal, operational and physical) and are rated based on staff security clearance level, sovereignty, change of control, financial remedy, foreign ownership and control, security policy compliance, and special protections. 

A platinum rating means there are provisions to ensure future sovereignty. The ratings then progressively move down from ‘Platinum’ to ‘No Rating’ where there is no sovereignty. If a foreign Software-as-a-Service (SaaS) provider used an Australian Cloud or data centre, based on the framework, a service could have a platinum or gold physical rating while having a bronze legal and operational rating. 

The National Data Security Action Plan (NDSAP), as a driver of digital security and part of the Digital Economy Strategy, is a critical trust and protection measure in the Australian Data Strategy. It needs not only to be aligned with the federal government’s Buy Australian Plan and have a unifying role with the NSW Government Sovereign Procurement Taskforce, but also to have clear guidance on data sovereignty requirements to increase reliable investments from both global and domestic providers.

Citizen trust in government matters. A loss of trust will result in a loss of life and a dysfunctional economy. Data sovereignty represents an enormous opportunity for domestic organisations to bolster Australia’s national security and drive Australia’s economy. 

Leveraging IT sovereignty as an economic advantage

Sovereignty can only be lost once. Once a country loses its sovereign capabilities the effort required to build capability is substantial and often requires government investment

By creating a policy environment that supports sovereignty, the government can organically foster domestic innovation and capability leading to self-evident benefits such as improved national security capabilities, trade balance, and citizen trust; increased tax revenue and employment; and reduced friction of digital transformation.

The technology sector is equivalent to Australia’s third largest industry, behind mining and banking, contributing $167 billion to gross domestic product (GDP) (around 8.5 per cent).1 Jobs in the sector have grown twice as fast as average employment over the last decade, making tech a critical pillar of our economy.

However, while Australia ranks well for technology ideation and adoption — for example, most Australian businesses now use cloud services — we are seriously lagging when it comes to innovation and domestic production.

A report by Accenture for the Tech Council of Australia on the economic contribution of Australia’s technology sector found that Australia ranked 36th out of 38 countries in the Organisation for Economic Co-operation and Development (OECD) for its ICT trade balance. We can certainly do much better.

Historically, there has been a tendency to look overseas, even when the Australian solution is better. We don’t fully embrace our local technology, despite the fact that our procurement arm is enormous, and this has stifled innovation.

Australian Government investment in the local technology industry seriously lags other nations at only eight per cent according to the Australian Institute of Information Association (AIIA), compared to other developed nations such as the US, which invests over 80 per cent.

The local industry would like to see 30 per cent of tech purchases by value as a minimum benchmark.

We have all the right ingredients to be a global powerhouse when it comes to IT innovation — an advantageous geopolitical position, a well-educated and relatively affluent population, political stability, and a skilled and creative workforce.

There is absolutely no reason why Australia shouldn’t have its own Silicon Valley, with all the economic growth that would entail. Furthermore, it would secure our ability to attract the best international talent into the future, rather than risk losing our best people to overseas opportunities.

A growing number of Australian companies have developed beyond the startup phase to become internationally competitive while supporting economic growth and jobs at home.

Among these success stories are well-known companies such as Atlassian and Afterpay and emerging firms such as Willow, Culture Amp and AgriDigital. Many more are waiting in the wings for their chance.

The answer lies not in blocking global innovation and technology – such as in the case of Huawei – but in lifting the capability of Australia by proactively addressing our challenges.

So, how do we do this? What’s required is leadership, capital, tax reform, legislative changes, policy making, and the proactive use of government buying power. We need to better balance the needs of our sovereign capability with leveraging the benefits of global innovation.

While all these represent major challenges, bolstering innovation in the Australian technology sector is pure opportunity. It can only create a safer, more prosperous Australia that has greater domestic capability, more jobs, and a booming economy. Success follows success.  

Rupert Taylor-Price is founder and Chief Executive Officer of Vault Cloud. Rupert was CEO at JN Solutions before founding Vault Cloud, the only system to meet all of the Australian Signals Directorate’s security controls for classified government data. He is a member of the NSW Government Sovereign Procurement Taskforce; Co-chair of Home Affairs’ Trusted Information Sharing Network (TISN); board director of Australian Information Industry Association (AIIA); chair of AIIA Domestic Capability Policy and Advocacy Network (DC PAN) and AIIA Domestic Capability Policy and Advocacy Leadership Team (DC PALT). Rupert regularly consults Australian Government officials and departments on technology, procurement and security strategy.

Watch: Paper Presentation: Sovereign capability and information supply chains. Rupert Taylor-Price, CEO, Vault Systems. The Innovation Papers Forum, The National Gallery, Canberra, 4 August 2022.



Do you know more? Contact James Riley via Email.

1 Comment
  1. Digital Koolaid 2 years ago

    “Rupert regularly consults Australian Government officials and departments on technology, procurement and security strategy” – and that’s great – but then the PS buys clouds from Microsoft and Amazon, enterprise software from SAP and Microsoft and strategies from Big Consultancies headquartered in tax havens. Their policies include (foreign) “Cloud First” and “Buy, Don’t Build” COTS from OS, a German ERP “dominant stack”, single bidder RFQs and endless consulting from foreign advisors. InnovationAus recently reported another $1,000 Million to IBM. Now, 100 days of a new Labor government have passed and I’ve seen zero intention to change any of that. It’s clear to me that the future will be the past. Rupert wrote that “What’s required is leadership … and the proactive use of government buying power”. He’s right, but we must wait forever, while our tax $$$ take indefinite overseas trips. ps. Isn’t the AIIA the “Australian Information Industry Association” – just saying. The “Australian” in the name is an in-joke :o)

Leave a Comment

Related stories