There have been a lot of fine people running around with their hair on fire yelling about sovereign capability holes in the manufacturing sector, specifically in relation to COVID crisis-related products that have been in desperately short supply.
There is nothing like a pandemic to very quickly highlight gaps in the supply chain for products – things like hand sanitisers, personal protective equipment such as P2 masks and gowns, as well as more sophisticated products like ventilators.
Industry Minister Karen Andrews has been very good in relation to manufacturing and the industry is demonstrably energised by the attention.
COVID-19 has sharpened government focus on sovereign capability issues in a spectacular way in relation to physical goods.
And government has been quick to use its purchasing power to build capability where a clear supply problem exists. Witness the $31 million that government signed off in record time to a consortium of Victorian manufacturers for the design and supply – within three months – of thousands of ventilators.
But there is no such focus on the supply chains of the digital economy. There is no focus on ensuring sovereign capability in digital infrastructure, on building local capacity.
And there is no appetite whatsoever for using government procurement dollars to drive industry development outcomes in the infrastructure of the digital economy.
Look no further than the government’s controversial COVIDSafe app and the awarding of the contract to provide its hosting infrastructure to the US giant Amazon Web Services. It just seems so inexplicably dumb as to warrant special attention.
The Australian Government, via the Department of Home Affairs, elected to host its controversial app in the public cloud, within an AWS region that is potentially housed in a Chinese-owned data centre (the Global Switch data centre in Sydney’s Pyrmont), at a time when public trust in government information systems is at a low ebb.
Just to repeat: That is a foreign-owned public cloud service hosted in a Chinese-owned data centre. The management of the data will necessarily include access by AWS technical staff who are based overseas, who are non-citizens, and who do not have Australian Government security accreditation.
Which all seems a bit unnecessary, given that there are sovereign Australian secure cloud service providers that are ASD certified to appropriate Protected level status.
Companies like Vault Cloud, Sliced Tech or AUCloud would welcome the business and be quite capable of delivering. These companies’ services are managed by Australian citizens who hold appropriate Australian Government security clearances and are based in Australia.
These Australian companies’ services are hosted in accredited sovereign data centres, and they are well able to manage the work related to the COVIDSafe app. Government contracts allow scale. And yet AWS won the business through a limited tender managed by the Department of Home Affairs (“limited tender” meaning AWS was the only company invited to bid for the business).
Why? At a time when Australians have been rightfully mistrustful of the government in relation to data, would you introduce more cybersecurity complexity, rather than less?
Why was the original thinking/design and contract work for COVIDSafe done by Home Affairs, for what is quite clearly a health issue? What’s Home Affairs got to do with it?
And when the government was tying itself in knots over the past week to assure Australians that the data held via the app would not be accessible to law enforcement, why was its design being performed in a department that is home to both the Australian Federal Police and various branches of the intelligence services?
It was just a couple of months ago that the Department of Home Affairs was railing about the Chinese ownership of Global Switch and agitating for Australian Government customers of the company to leave its data centre.
And now the Department of Home Affairs has awarded a contract to host sensitive citizen data not only in a foreign owned public cloud, but a foreign-owned data centre as well.
The government assured Australians that it had enlisted two independent organisations to review the app’s cybersecurity arrangements. But those organisations – AustCyber and CyberCRC – are constructs of government, funded by government (in AustCyber’s case to the tune of 100 per cent). How on earth is that independent?
(To be fair, AustCyber’s chief executive Michelle Price went on the record with ABC News saying she had advised that the plan to store encryption keys in the same cloud as the encrypted data posed an unnecessary security risk, which was in itself quite courageous. She also said it was “unfortunate” that Australian service providers were not invited to participate in the project.)
It is a measure of just how on the nose this contract with AWS is viewed even within government that executives from the Digital Transformation Agency, speaking anonymously, “voiced concerns about the awarding of the contract to an overseas provider when several wholly Australian-owned cloud storage services had been security vetted for precisely such high-level contracts.”
You really have to wonder what kind of crisis would be needed for the Australian Government to use Australian technology providers for jobs that are well within their capability. It is laughable just how dominant foreign providers are in supplying to the $6 billion to $9 billion plus annual tech budget.
Can you imagine the US government contracting an Australian company to hold US citizen data in a public cloud that includes a foreign-owned data centre – Chinese owned – as a part of its infrastructure?
A spokesperson for Government Services Minister Stuart Robert told InnovationAus on Wednesday that no COVIDSafe information would be stored in Global Switch facilities.