Sovereign capability and that shocking AWS deal


James Riley
Editorial Director

There have been a lot of fine people running around with their hair on fire yelling about sovereign capability holes in the manufacturing sector, specifically in relation to COVID crisis-related products that have been in desperately short supply.

There is nothing like a pandemic to very quickly highlight gaps in the supply chain for products – things like hand sanitisers, personal protection equipment such as P2 masks and gowns, as well as for more sophisticated products like ventilators.

Industry Minister Karen Andrews has been very good in relation to manufacturing and the industry is demonstrably energised by the attention.

COVID-19 has sharpened government focus on sovereign capability issues in a spectacular way in relation to physical goods.

Parliament
Sovereign capability: Where is the thinking on the digital economy

And government has been quick to use its purchasing power to build capability where a clear supply problem exists. Witness the $31 million that government signed off in record time to a consortium of Victorian manufacturers for the design and supply – within three months – of thousands of ventilators.

But there is no such focus on the supply chains of the digital economy. There is no focus on ensuring sovereign capability in digital infrastructure, on building local capacity.

And there is no appetite whatsoever on using government procurement dollars to drive industry development outcomes in the infrastructure of the digital economy.

Look no further than the government’s controversial COVIDSafe app and the awarding of the contract to providing hosting infrastructure to the US giant Amazon Web Services. It just seems so inexplicably dumb as to warrant special attention.

The Australian Government, via the Department of Home Affairs, elected to host its controversial app in the public cloud, within an AWS region that is potentially housed in a Chinese-owned data centre (the Global Switch data centre in Sydney’s Pyrmont), at a time when public trust in government information systems is at a low-ebb.

Just to repeat: That is a foreign-owned public cloud service hosted in a Chinese-owned data centre. The management of the data will necessarily include access by AWS technical staff who are based overseas, who are non-citizens, and who do not have Australian Government security accreditation.

Which all seems a bit unnecessary, given that there are sovereign Australian secure cloud service providers that are ASD certified to appropriate Protected level status.

Companies like Vault Cloud, Sliced Tech or AUCloud would welcome the business and be quite capable of delivering. These companies’ services are managed by Australian citizens who hold appropriate Australian Government security clearances and are based in Australia.

These Australian companies’ services are hosted in accredited sovereign data centres. They would be quite capable of managing the work related to the COVIDSafe app. Government contracts allow scale. And yet AWS won the business through a limited tender managed by the Department of Home Affairs (“limited tender” meaning AWS was the only company invited to bid for the business).

Why? At a time when Australians have been rightfully mistrustful of the government in relation to data, would you introduce more cybersecurity complexity, rather than less?

Why was the original thinking/design and contract work for COVIDSafe done by Home Affairs, for what is quite clearly a health issue? What’s Home Affairs got to do with it?

And when the government was tying itself in knots over the past week to assure Australians that the data held via the app would not be accessible to law enforcement, why was its design being performed in a department that is home to both the Australian Federal Police and various branches of the intelligence services?

It was just a couple of months ago that the Department of Home Affairs was railing about the Chinese ownership of Global Switch and agitating for Australia Government customers of the company to leave its data centre.

And now the Department of Home Affairs has awarded a contract to host sensitive citizen data not only in a foreign owned public cloud, but a foreign-owned data centre as well.

The government assured Australians that it had enlisted two independent organisations to review the apps cybersecurity arrangements. But those organisations – AustCyber and CyberCRC – are constructs of government, funded by government (in AustCyber’s case to the tune of 100 per cent). How on earth is that independent?

(To be fair, AustCyber’s chief executive Michelle Price went on the record with ABC news saying she had advised that its plan to store encryption keys in the same cloud as the encrypted data posed an unnecessary security risk, which was in itself quite courageous. She also said it was “unfortunate” that Australian service providers were not invited to participate in the project. This was quite courageous.)

It is a measure of just how on the nose this contract with AWS is viewed even within government that the executives from Digital Transformation Agency speaking anonymously – “voiced concerns about the awarding of the contract to an overseas provider when several wholly Australian-owned cloud storage services had been security vetted for precisely such high-level contracts.”

You really have to wonder what kind of crisis would be needed for the Australian Government to use Australian technology providers for jobs that are well within their capability. It is laughable just how dominant foreign providers are in supplying to the $6 billion to $9 billion plus annual tech budget.

Can you imagine the US government contracting an Australian company to hold US citizen data in a public cloud that includes a foreign-owned data centre – Chinese owned – as a part of its infrastructure?

A spokesperson for Government Services Minister Stuart Robert told InnovationAus on Wednesday that no COVIDSafe information would be stored in Global Switch facilities.

Do you know more? Contact James Riley via Email.

9 Comments
  1. Kernal 5 years ago

    Dont just blame AWS simply because it is a US-based company. The Data stays in an Australian data centre. Pretty much every big Australian enterprise uses AWS in some capacity, so I am sure they would have done due diligence. I was a bit surprised that AWS won the contract and not Azure as they have a Canberra-based data centre specifically for Govt workloads. But the thing with local cloud vendors is that they are not proven to deliver at scale. Considering the urgency of this project it makes sense to go with a cloud provider that can deploy at massive scale. Having said that I would expect that the Govt looks at Australian owned Cloud vendors for future projects as that is the only way to promote home-grown enterprises.

  2. Aaron 5 years ago

    You can’t prove any of the “facts” presented in this article.

    Prove that any of the data is hosted in a Chinese owned data centre. Yes the AWS region in Sydney uses the Global Switch data centre for hosting a network point of presence, but if you have any evidence supporting the claim that data is stored or processed there, or that foreign nationals have access to that data you can start working on that Pulitzer Prize award speech.

    This article is pure FUD.

    • James Riley 5 years ago

      You might have missed the point of this article, which was about Australian sovereign capability and how local secure cloud providers were precluded from bidding for the COVIDsafe contract. The Chinese data centre is an interesting aside that highlights the certified sovereign data centres available. Microsoft would also have been miffed about not being allowed to tender for the business given they invested substantial sums setting up an Azure region in sovereign data centre infrastructure sitting atop the governments own Canberra fibre network. I have asked where the data is stored and what technical controls are in place to stop data from moving within the AWS region, but have been told I will not be getting a response. Anyway, thanks.

  3. TBA 5 years ago

    John,

    If the Government let local companies bid on this projects we would be able to see how much more they cost and if we are willing to pay that premium. I don’t see how we save tax dollars by excluding locals from bidding, it simple market economics. If they bid and fail so be it, but let them bid.

    • Devin 5 years ago

      In principle this seems to be an opportunity lost for Local cloud providers; but IMHO the pragmatics are against such considerations; at this point in time. The speed at which this app needed to be deployed required well understood, well established and storage mechanisms. Amazon, with it’s Partnership with the Federal Govt, and the AWS S3 or EFS fulfills both of these aspects. Therefore, the Feds may have regarded the AWS as the path of least resistance, consequently rendering the highest speed of deployment. While the security of the Data is the governments concern there are layers of security that can be deployed in AWS to protect the CovidSafe-Dataset. Therefore, these arrangements are good enough for me to continue to have CovidSafe active on my device.

      However, it is highly appropriate for the Federal Government to be more pro-local, not just in Cloud Computing, but with ALL of it’s IT. But with a clear agenda of promoting price competition and reducing it’s cost foot-print; and provide “real” pathways for both Systems and Infrastructure providers.

  4. John H 5 years ago

    I am very interested to see what the Government says about the China connection given they are anti China (I don’t actually care if China has the data personally). Their options:
    Say nothing (Morrison MO).
    Deny AWS use Global Switch (a fact proven in 2018).
    Say AWS have left Global Switch (If so, when?).
    Admit the truth, they had to rush this out and they did not get every aspect right – I think most people would be ok with this, they just need to change provider or move the data.
    Any bets anyone?

  5. Paul 5 years ago

    It’s right to question government procuring IT services “locally” and forge in nationals ownership of facilities and agree that moving forward we need to be mindful of the chain of custody of our data – it’s also an incredibly nuanced issue.
    We need to be pragmatic about the upper limits of the sovereign vs. foreign capabilities of our infrastructure providers and I believe that sadly we are no more likely to have a highly scalable, competitive and profitable domestic cloud infrastructure provider than we are to re-start making cars in Australia.
    To do that (coincidently both cloud provider and the cars) they would need to compete at an international scale and that requires billions, not millions of dollars of investment – and if that seems like an exaggeration, ask only of the US based cloud providers that tried to compete with AWS and Azure how much cash they had to lose before declaring defeat.
    And I agree, those billions will not come from the public sector without a commitment from government.
    Therein we find the next challenge for our courageous government, that until/unless these domestic (commodity) services can reach the right economies of scale, the government would need to be willing to pay more to source local services and withstand attacks during Senate Estimates as to “why they are overpaying for virtual servers and storage”, THAT would be courageous Minister.
    Having done all of that, we encounter the stubborn reality that this newly minted, very expensive sovereign capability was all running on silicon, servers, storage and networking ALL built in Taiwan/China and the security chain of custody Huawei 5G merry-go-round starts again.
    Who knows, before you know it we’ll be re-opening the Ford glass making plant in Geelong to manufacture silicon and there will be jobs for everyone…
    It’s a complex problem not given to stroke of the pen solutions – well, not without their own awkward consequences.

  6. Bill Caelli 5 years ago

    Congratulations James – need more like you – once again – Australia the “ICT Colony” – a situation which the former Labor Industry Minister, Hon Senator John Button, tried hard to get others to note many years ago with his draft of a “Buy Australia Bill”, based on the USA’s equivalent Act. Strangely, in this vital area there has been no comment at all from the current Government or the associated political parties, Liberal/National. AND incidentally, COVIDSafe will not run on my Oppo R7 with its up-to-date OS – so much for the PM’s appeal around noon today – up to his Government to ensure the app works on a full range of mobile phone/tablets (not difficult).
    Bill

  7. Leticia 5 years ago

    Sharp, necessary commentary, James. The issue of sovereignty is so significant, yet time after time seems to be something that the very leaders of the nation don’t respect. Thank you for your work – have shared widely.

Leave a Comment

Related stories