A sovereign Australian government data framework
11 Aug 2021|

The federal government set an example for state and territory counterparts in early June when it announced that all relevant government data under the Digital Transformation Agency’s hosting certification framework will soon need to be stored only in either ‘certified assured’ or ‘certified strategic’ data centres.

The government’s move follows concerns about the acute data challenges confronting the Australian public sector, including data sovereignty, supply-chain vulnerabilities and cybersecurity threats. The challenge once faced by Australian governments was completing their digital transformations; now, it’s about figuring out how to adequately protect government systems that are hosted in the cloud.

More and more countries are addressing these data and digital issues through policy and regulation. Data localisation and targeted government procurement of digital goods and services are two ways governments may seek to secure their data, and the systems and infrastructure that rely on it.

Data localisation means keeping data within Australian borders—not just when it’s stored, but also when it’s processed. Targeted or sovereign procurement means not just selecting contractors that are operating in Australia but selecting those that aren’t subject to the legal influence of foreign jurisdictions.

But these policies are often condemned in international trade law circles as discriminatory trade barriers. Government policy claiming to pursue the legitimate objective of data protection may be accused of promoting data protectionism in disguise. With Australia continuing to push ahead with trade liberalisation and wishing to maintain its reputation for honouring its international trade obligations, government data challenges will need to be addressed through balanced and proportionate measures.

I argue in a forthcoming report that a level of digital sovereignty is required for securing and developing Australia’s national interests. The report also finds that Australia retains the regulatory autonomy under international trade agreements to adopt digital sovereignty measures that balance its liberalised trade agenda with its national interests.

The federal government now requires relevant government data to be hosted only by certified data companies. This is data at the ‘protected’ level or data belonging to whole-of-government systems.

This two-fold classification is a recognition of two realities. First, the threats posed by failure to protect government data are very different to those for other types of data. Second, there are particular vulnerabilities inherent in hyperscale cloud systems, where information belonging to various agencies is hosted together.

An inability to monitor, control and protect overseas data centres is an overt practical risk of using foreign clouds. It means uncertainty about the operational reliability of overseas data centres. Physical attacks, shutdowns, blackouts, natural disasters and regulatory interference are less able to be managed far away.

There are also risks of foreign interference by overseas governments and private actors, which are often legal in nature. Foreign agencies can exercise authority over cloud and data companies that are legally subject to foreign jurisdictions.

Australia’s proposed bilateral agreements with America under the US CLOUD Act is an oft-cited example. Under that law, a US-based company can be asked by US authorities to relinquish access and control over data regardless of where the data is located.

Other vulnerabilities relate to weak points in the distributed supply chains of multilayered cloud systems, or the security defects of large-scale cloud providers that house multiple tenants’ data simultaneously.

Importantly, accepted technological principles that emphasise security processes over data location don’t account for other, non-cybersecurity-related risks. Data stored outside Australia may be stored in countries with political, social and economic interests that don’t necessarily align with Australia’s national interests, or by providers with obligations to such countries. Foreign facilities and personnel may not be subject to the same legal, regulatory and physical controls as domestic suppliers operating onshore.

So digital sovereignty concerns are intensifying because of the inherent risks associated with hosting government data in foreign clouds, and the threats that those risks pose to Australia’s national interest.

It’s this combination of urgent risks and threats that gives Australia sufficient latitude under international trade law to introduce proportionate, tailored digital sovereignty measures for the public sector rather than data protectionism.

Cybercrime and commercial cyberespionage against private citizens and enterprises are serious issues in their own right. But the consequences are potentially much graver when they affect government data.

Australian defence and intelligence agencies continue to rely more heavily on cloud computing and other emerging digital technologies to carry out operations. And digital technology is part of Australia’s offensive and defensive cyber arsenals.

This dependence on digital technology is expanding even more rapidly in critical infrastructure sectors, where cloud technology and various cyber–physical systems are being used to control infrastructure. Recent remote attacks on power plants, refineries and gas pipelines have highlighted some dangerous vulnerabilities.

Measures designed to afford competitive advantages to domestic businesses may be seen as merely protectionist. However, the line between building stronger domestic digital sectors for industrial policy purposes and securing an adequate level of strategic autonomy is quickly fading. The widespread integration of digital technologies and their central role in government and other critical sectors has illustrated the legitimacy of protecting or promoting domestic capacities.

The federal government’s tightening of its certification framework is a welcome acknowledgement of these risks and legitimate policy concerns that remains to be embraced by governments at the subnational level.

However, there is now an opportunity for all Australian governments to improve on the federal approach. Companies certified under the current framework don’t need to be Australian owned and controlled or even have their operations exclusively in Australia.

A better approach, and one that’s commensurate with the risks, would be much stronger provisions to ensure that data hosts are Australian owned and based.

The personnel and supply-chain assessment procedures and strict requirements that limit changes in ownership and control under the current framework may be sufficient to maintain Australian government control over its own data. But as they currently stand, the existing arrangements fall short of a truly sovereign framework for government data.