Why Australia’s national security agencies need the cloud
30 Jul 2019

There’s been a lot of talk lately about lots of submarines and fighter jets playing a role in Australia’s security. But in all the excitement of contemplating future battles between fleets of submarines and fortuitously small invasion armadas from the People’s Liberation Army, little thought has been given to an emerging vulnerability in Australia’s national security apparatus brought about by the global change in ICT.

The world of computing was reinvented about a decade ago with the arrival of cloud computing. Since then, there’s been a shift away from dedicated computing resources (think the home computer that sits on your bench) to on-demand allocation of computing resources by a cloud service provider.

The advantages are big, although, as with all magical technological advances, there are downsides. Having on-demand computing power allows high processing power and speed to be applied quickly to meet a particular need, and then to be reallocated elsewhere when they’re no longer needed.

Much more complex functions, like big-data analysis, can be done rapidly and routinely without an enormous investment in standalone supercomputers, and more needs can be met from a given fixed stock of ICT power. Cloud architecture is an essential part of what makes Amazon, Microsoft, Alphabet, IBM, Apple, Facebook, Samsung, Alibaba, Baidu, Huawei, Tencent, Oracle, Cisco and SAP so powerful and able to service millions of customers’ needs simultaneously.

On top of this, though, another phenomenon of equal importance is that applications—the programs that run on whatever system you have access to—are being increasingly optimised for cloud-based architecture, not for the now-legacy, and increasingly niche, fixed systems used by many governments across the globe.

Governments and their officials either have been reluctant to give up owning their own servers and data centres or have outsourced them to data centre providers. They tend to look on cloud providers with some trepidation, partly because of concerns about data security ‘in the cloud’ and partly because of concerns about the overall lack of visibility of how risks are managed across a fairly opaque service model.

So, here in Australia we’ve seen moves to end contractual arrangements with data centre providers when ownership changes occur, along with a continuing debate over the use of in-house versus contracted-out data centres.

But the bigger issue—our national security capability—has been a bit of a sleeper here to date, and that needs to change. The situation reminds me of government policy on mobile phones, which was a tale of policy being dragged reluctantly forward by manifest changes in the market. Mobile phones weren’t welcome in much of the national security community, not just in the limited top secret facilities of intelligence agencies and other areas of big agencies.

Then they were allowed in more broadly because their use became pretty ubiquitous, and the debate moved to what to do about phones with cameras. The security policy world kept it simple. It banned mobiles with cameras. That worked until it became very hard to buy a smartphone without a camera. The policy folded, despite the reluctance of security policy experts. Under controlled conditions, it’s now possible for mobiles to be used in top secret agencies.

I think we’re at the same point with cloud computing. The overwhelming advantages national security agencies will get from the capabilities provided by a secure cloud infrastructure, compared with traditional computing power allocated to specific agencies and functions within them, are clear. A high-technology fifth-generation military with the intelligence capabilities it will need (as proposed in the 2016 defence white paper) requires cloud infrastructure to work effectively. And Australian agency folk know enough about this from their exposure to US agencies with secure cloud infrastructure to get the point.

The big companies mentioned earlier develop and implement their cutting-edge technology on cloud infrastructure. They can be providers of this infrastructure because they are developers and users of it themselves.

Even from a very narrow perspective, not moving the Australian national security community to cloud infrastructure will, a few years from now, consign agencies to commissioning bespoke Australian-only software to run on legacy ICT platforms. Meanwhile, their counterparts in the US—and potentially other Five Eyes partners—will all be able to use applications optimised for cloud architecture systems. It’ll be like getting retired Windows 7 software engineers to write new versions and keep them running on today’s computers.

If that isn’t convincing enough, potential adversaries’ militaries, intelligence agencies and national security communities will have capability advantages over their Australian counterparts simply because they either already have or will have adopted cloud infrastructure.

I’m not sure, though, that the Australian government’s secure cloud strategy can be usefully applied in Australia’s national security agencies.

It encourages each agency to make its own decisions in accordance with its own ‘vision and strategy for cloud adoption’. That approach is unlikely to maximise federal purchasing power or drive agency cooperation in an area in which a critical mass of investment is likely to be important.

It also says agencies should ‘consider public cloud first and in preference to any other cloud deployment model’ and simply adds that ‘agencies should ensure the public cloud service has the appropriate security’. That means existing government security frameworks and policies designed for the non-cloud IT world are just imported to this entirely new business model.

Leaving those issues aside, four big obstacles are likely to be in the way of Australia’s national security community moving to cloud infrastructure. The first will be money. A move like this isn’t in the budget plans of any agency or group of agencies—and Treasurer Josh Frydenberg just said he’s already kicked in to raise the defence budget and is in no mood to add more.

The second is agency independence. Cloud infrastructure for the national security agencies will be best done as a joint initiative that at least includes the national intelligence community and the defence organisation.

That’s a massive organisational and cultural shift to greater collaboration and interdependency, beyond the wildest thoughts of the authors of the 2017 intelligence review. Agency or portfolio control and ownership of functions is a bureaucratic battleground littered with skewered careers and reputations. And some nasty battles are still underway with the formation of the Office of National Intelligence and, more particularly, Home Affairs.

Third is the lack of knowledge and skills in this technology area—part of the broader STEM skills deficit Australia faces. National security agencies have some flexibility in employing specialist skills. They’ll need to use all of that to build and retain the knowledge needed to operate securely and to maximum effect on cloud infrastructure if they are to be more than passive customers of global providers.

The last major obstacle is likely to be trust and risk. The number of cloud providers that could work with the Australian national security community is fairly limited. It would certainly include the global providers at the big end of town like Microsoft, Amazon, IBM, Alphabet and even Northrop Grumman. But medium-sized data centre operators (for example, NEXTDC and Canberra Data Centres) and local cloud providers already serving government like Vault, partnering with bigger global cloud providers and with companies like Leidos, might also see this as a viable business proposition given a reliable big Australian customer.

If the government were to use its larger purchasing power across the national security community and other big agencies, and think strategically about what could be done with its US ally, the options would be broader, and probably both more resilient and more financially viable.

Regardless of who the provider or providers might be, validating the security of a cloud solution, and gaining a sufficient understanding of its vulnerabilities, will be large and difficult pieces of work. Simple issues like the resilience of cloud infrastructure if it’s dependent on a small number of international undersea cables will need to be assessed.

Overall, though, the issue of cloud infrastructure for the Australian national security community needs to be elevated way above the realm of individual agency IT departments and break the confines of debates over in-house or contracted data centres and current security rules.

A move now to secure cloud infrastructure is needed if Australia’s national security agencies are to remain at first-world capability.