Australian national security agencies must develop a national security cloud and finally catch up to the private sector in terms of cloud adoption, according to the Australian Strategic Policy Institute (ASPI).
In a new report, ASPI argued that agencies’ slow adoption of cloud services due to initial concerns about the security of cloud technology has left them years behind the adoption curve.
“For agencies that rely on cutting-edge high technology for their capability edge, this is disastrous,” the report states.
Unless this is addressed rapidly and comprehensively, Australia will quite simply be at a major disadvantage against potential adversaries who are using this effective new technology at scale to advance their analysis and operational performance.
Australia will also fall further behind its allies, ASPI said, arguing that the US national security community has a lead of at least five years over Australian partner agencies.
This change must be driven by ministers and agency heads rather than CIOs and security staff, ASPI said.
The report states that this is because security accreditation standards and processes can’t lead technological change. By definition and by design, security standards are lag controls, based on what’s already understood and formed from experience with past and present technical systems.
Ministers and agency heads have both the responsibility and perspective to look beyond the important current technical security standards and rules and think about the capability benefit that cloud computing can bring to Australia’s national security.
Accordingly, ASPI has called for the government to commit to major investments in cloud infrastructure and services for Australian intelligence agencies as part of any government stimulus to Australia’s digital economy.
The intelligence community needs to make this shift as a community, not as a rag-tag band of loosely coordinated agencies with agency heads making separate risk-based decisions, the report adds.
This collaboration should involve the development of a national security cloud that has agencies’ interoperability as a core principle, ASPI said.
The most powerful cloud infrastructure and applications are useless without the fuel they need to operate — data. So, the maximum data needs to be brought into the national security cloud by each agency in the intelligence community.
The report also notes that decisions will be divisive and difficult, but national capability, not agency fiefdoms, needs to be the overriding interest.
Another key attribute for the national security cloud must be security. Information hosted on the cloud must be protected from both state and non-state cyber actors who are already targeting Australian government systems.
As a result, data must be hosted onshore, and security must go beyond personal and system security to include the resilience and integrity of the supply chains that cloud infrastructure and service providers rely on to produce their products.
This is a newly obvious priority exposed by the vulnerabilities seen in global supply chains through the pandemic — and high-technology supply chains are particularly exposed to Chinese state influence unless security is a design principle baked in from the start.
ASPI also advised against what it anticipates as a tendency to adopt cloud infrastructure at the lower levels of classification first before more highly classified data.
The institute argued that combining valuable top-secret information with the huge trove of lower classification and open-source data is a source of distinctive advantage that agencies can offer the government.
“So, failing to incorporate highly classified data holdings with the analytic horsepower and flexibility that cloud infrastructure and applications bring would be a bit like adopting jet propulsion for reconnaissance aircraft during World War II but sticking with piston-engine aircraft for your fighter fleet, even as your enemy chooses otherwise,” the report concludes.