Should data be considered critical infrastructure?
18 Apr 2018|

We’ve all experienced the pain of data loss. Whether a work report, university assignment or family photos—everyone knows that nauseating realisation that hours, days or even years of work have disappeared in the blink of an eye.

In the late 1990s, Pixar almost lost its film Toy Story 2 before its release when backup systems failed. Luckily, the film’s producer, a working mum, had a copy of the film stored on her personal computer.

While the loss of that film might have been difficult to swallow, the devastation of losing critical national identity data would have much broader and more consequential implications, particularly on our national security, our democratic processes and the memory of who we are as a nation.

Estonia, widely acknowledged as a leader in e-government, now have a cache of government data that they consider so valuable that they’re establishing ‘data embassies’. Effectively, these  will be, datacentres located on foreign soil.

By classifying these new facilities as embassies—essentially Estonian territory in a foreign land—rather than as offshore datacentres, Estonia will retain sovereign control and security over the data.

The project will be expensive. Estonia’s current embassies don’t meet the technical requirements to properly secure the data, which includes the physical construction as well as the necessary networks and trained personnel. Estonia obviously places a high value on its data if it’s willing to go to such lengths to protect it, and to ensure that its government services are uninterrupted.

So, what might happen if Australia’s national digital identity data were manipulated or deleted? That’s the question that ASPI Visiting Fellow Anne Lyons is asking. Historically, the concept of critical infrastructure (CI) has, understandably, been confined to tangible assets.

However, Canada’s definition of CI also refers to processes and systems, both of which could be considered intangible. So an argument could be made that data is both a process and a system, from its collection and creation to its use and eventual re-purposing.

Australia defines CI as:

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.

Under that definition, data could be considered CI. So, why should we want to think of data as CI?

Data is a valuable national asset that supports the foundations of our nation—the parliament, the courts, the government. Without it, there would be no evidence of modern Australia, its property ownership, international relations, trade history, immigration records or information proving who we are as individuals.

Our data is also evidence of where we have come from—the songs, stories, communities and iconic representations of Australia through the ages.

Our data is one of our nation’s most important assets because it defines our uniqueness.

But there are some who don’t think data should be classified as CI. So what are the obstacles? In general, there are four primary objections:

  • Data doesn’t fit within the traditional meaning and view of CI.
  • Some data that’s critical to the nation may still be in analogue form, so requires different protection from digitally born material.
  • Some datasets may be harder to access if they’re more stringently regulated, or may complicate security practices.
  • Some believe that the whole system—hardware, software, personnel and the data—should be considered critical. That would dilute the idea of ‘critical’.

In December 2017, the Australian government released the Security of Critical Infrastructure Bill for public comment. One of the consultation questions was, ‘Are there other critical assets (other than ports, electricity and water), such as gas and data centre assets that should be captured [in the bill]?’

ASPI’s Peter Jennings offered a blunt response in asking, ‘How could [datacentres] not be covered?’

But what we’re considering goes one step further. We’re not asking whether the hardware and software supporting data should be labelled CI, but whether the actual data itself should be considered CI.

The Productivity Commission notes that data takes various forms: characters, text, words, numbers, pictures, sound and video, just to name a few. There are plenty of datasets that—if degraded or made unavailable—‘would significantly impact the social or economic wellbeing’ of Australia.

Take, for example, Australia’s census data. This data not only helps us to decide where government funding should be directed, but also affects our democratic processes. David Fricker, Director-General of the National Archives of Australia, believes that ‘we have to value our government data holdings as a national asset and within government we have to adjust our behaviours and our policies accordingly’. While there have been several efforts to identify which data is critical for Australia, so far no significant efforts have been made to classify said data as CI.

If national identity data is compromised, it jeopardises public trust, as noted by the Productivity Commission regarding #censusfail. If Australia’s national identity data were compromised, the consequences would be far greater than those of the cabinet file saga.

Ultimately, we need to ask whether classifying national identity data as CI would change how it was used or protected, or, if not, what purpose this classification would serve. It’s time we had a conversation about how critical our data really is.