A statement from the Digital Transformation Minister Michael Keenan — who will be retiring from active duty at the election — said the strategy "provides a new framework that strengthens data sovereignty, supply chain and data centre ownership provisions to increase security, protect privacy and improve resilience of data infrastructure".
And, further, "This includes a requirement that data centre facilities that host high-value government data achieve certification as 'sovereign' or 'assured' data centres."
There was no mention of the fact that cloud providers, both Australian and from other countries, duly certified by the Australian Signals Directorate, can host government data of the highest security classification provided they have obtained Protected status.
Since the hosting strategy seemed to cut across the ASD's role as well, iTWire contacted the agency for clarification, asking: "On Friday, the government announced a new whole-of-government hosting strategy. It says, in part, 'This includes a requirement that data centre facilities that host high-value government data achieve certification as 'sovereign' or 'assured' data centres.'
"How does this tie in with the certification of providers that ASD/ACSC does, giving them Protected and other status to host classified government data?"
The ASD's response was: "ACSC [the Australian Cyber Security Centre] has referred your inquiry to the Digital Transformation Agency (DTA) as best placed to respond directly to your questions in consideration of the whole-of-government hosting strategy."
When DTA was contacted and the same query posed, the agency did not provide any answer for the record.
iTWire understands that the push for a whole-of-government hosting strategy came about after a Sydney data centre, Global Switch, accepted Chinese investment for its parent company, Aldersgate Investments, back in 2016.
Aldersgate owns two data centres in Ultimo where it stores classified Australian government material, including sensitive Defence and intelligence files.
Both these data centres have secure gateways certified by the ASD and can be used for secure access by government offices.
According to a story that surfaced in 2017, the Australian Defence Department decided to end its relationship with Global Switch due to this.
Reliable sources in Canberra have told iTWire that a decision on a hosting strategy has been hanging fire since then, and was finally rushed through — like many other government initiatives which have been pinging the email inboxes of journalists over the past few weeks — with Prime Minister Scott Morrison signing off on it a few days before the news was announced.
And, say these sources, the media release was sent out late on Friday afternoon so that it would not attract much attention – an old ploy practised by politicians of every shade.
However, this strategy would bring the DTA into conflict with the ASD sometime down the track. The latter has certified both Microsoft and AWS to host sensitive classified government data – do they fit in with the profile delineated by the hosting strategy where it says "This includes a requirement that data centre facilities that host high-value government data achieve certification as 'sovereign' or 'assured' data centres"?
Adding to the problems, the DTA statement said a "new Digital Infrastructure Service will be established to manage data centre certification and ensure the ecosystem is supported by an effective and efficient network infrastructure. DTA will also work with industry to develop a genuine strategic partnership that recognises government as a single customer".
Looks like many hands will be trying to do the same work.
Microsoft has two data centres in Canberra and has been given the okay by the ASD to have staff from outside the country handle administrative IT tasks without security clearances. It serves its cloud platform Azure and the office suite, Office 365, from these centres. But when it comes to Active Directory, a service which government also uses, this is served from Singapore.
Would a data centre in Singapore meet the requirement of being one that qualifies as sovereign or assured?
There are three aspects when it comes to data sovereignty – there is the physical aspect, the operational aspect and the legal jurisdiction aspect. Physically, the data that conforms to the hosting strategy would have to be stored within Australia.
AWS does not conform to this requirement, having told the ASD in advance that it would be offering only the same commercial service that it offers to everyone else. In the US, AWS has built an isolated service that meets all sovereignty requirements that the US Government demands.
In operational terms, too, there would appear to be an issue as personnel from outside Australia, who have no Australian security clearance, would be handling Australian data structures for both Microsoft and AWS.
And there is an added conundrum: the ATO has been using Global Switch as well, and will be ending its relationship with the company in 2020. But when it moves to AWS — as it is expected to — which uses the very same Global Switch data centre, would that conform to the requirements of the hosting strategy?
Once again, DTA was asked about this, but the agency again did not provide an answer for the record.
The government appears to be uncomfortable with foreign-owned data centres, but what would the reaction be if one of the ASD-certified clouds was purchased by a Chinese consortium? Why does Australia not have sovereignty requirements for clouds like other nations? These are probably questions for the next government.
But at the moment, the party that is likely to form that next government is keeping mum. Efforts to extract an answer from Labor Shadow Minister for Human Services and the Digital Economy, Ed Husic, about the hosting strategy were unsuccessful.
Husic was asked the same question as put to the ASD and the DTA. A reply was promised, but never came.
The only takeaway from this is that there are lots of questions, a number of close-mouthed government agencies, politicians and businesses – and a lot of taxpayer money is being wasted in the process. But then isn't that the normal state of affairs in Canberra?