Ensuring Australia’s Digital Sovereignty
The concept of ‘sovereignty’ has recently gained new life in Australia and around the world. Increased tensions with China, a constant flow of fake news, frequent references to cyberattacks conducted by sophisticated state actors, and public announcements on foreign espionage have placed sovereignty front and centre in the Australian psyche. We’re in an era of cyber spies and cyber warriors.
Territorial sovereignty has always been understood and accepted. Increasing geopolitical uncertainty for Australia has seen political and economic sovereignty dominate conversations from the barbecue to the boardroom.
But Facebook’s recent shutdown of its Australian services has brought digital sovereignty squarely into the national consciousness. Digital sovereignty is harder to explain and conceptualise. In turning off our digital assets, Facebook said to the world that any nation’s digital sovereignty—the data each nation publishes on its platform—is Facebook’s to control as it pleases. Imagine if Facebook was a water utility or an energy company.
Like all services and resources, digital services and capabilities are vital to our society. Digital information is at the heart of how Australians work, live, play and interact. From the Treasury’s forecasts to our digital wallets, we know that the digital economy is key to Australia’s national prosperity.
Data privacy and security are core to this prosperity—our very functioning depends on data. The personal information of every Australian—from where we live, work and shop, to details about our social habits, health information and financial status—is all digitised. For this reason, data has been described as the ‘new oil’, and, like our natural resources, it belongs to us.
With near-universal dependence on digital information and electronic devices, cybersecurity has become critically important. The first rules of cybersecurity are to know what data is most valuable and where it’s physically located.
This has led to an explosion in international demand for data storage, and therefore data centres—large, windowless structures housing long rows of computer servers, and very large air conditioners that keep them cool. Many of these data centres, such as those owned and operated by big US technology companies, are seamlessly connected by networks that cross international borders. Sydney’s well-publicised Global Switch data centre is owned wholly by Chinese interests. It hosts some of the Australian government’s data, including data owned by the Department of Defence.
So, where are our digitised selves—our data, our new individual and national reflections—stored? Are they held within Australian territorial confines? Can they be accessed by foreign nationals? Are they subject to foreign laws?
It’s becoming increasingly difficult to answer these questions. This led to the publication of the government’s Data hosting strategy to address ‘risks to data sovereignty, data centre ownership and the supply chain’.
Storing Australia’s data within Australia so only Australians can access it seems right. But the government has released its hosting certification framework to explicitly exclude ‘sovereign’ in term and concept, because ‘given the potential for a level of foreign investment, any publicly listed hosting provider would be ineligible for the higher level of certification’.
So, with sovereignty removed, does this mean the government is happy to hand over our data to foreign data centre operators?
The framework tries to repair this apparent gap: ‘Sovereignty refers to the ability of the government to specify and maintain stringent ownership and control conditions.’ But this explanation presents more questions than it answers.
Will our data be stored offshore? Who will control it? Will access be subject to foreign government policies? How secure is it? Will we be able to access it whenever we need it?
These are important questions for Australia’s friends and allies, not just our competitors. Several big US tech companies maintain and operate data centres in mainland China. The US is our friend, but the recent action by Facebook raises questions as to the willingness of big US tech companies to use their considerable might to influence and coerce customer nations.
In January, US President Joe Biden signed an executive order requiring US government departments to ‘buy American’. It was a perfectly reasonable action to take as the US seeks to rebuild its economy following Biden’s multitrillion-dollar recovery package. The Australian government should follow suit. ‘Buy Australian’ for government agencies should be a position our government is prepared to adopt, and it should include sovereign data storage and sovereign digital technologies as its centrepiece.
There are so many outstanding Australian technology and cybersecurity companies that are either wholly or majority Australian owned. They’re also Australian controlled, which is critically important for security and sovereignty. Yet these companies will struggle to compete unless the government wrests back a measure of control from the US tech giants and prioritises Australian sovereign technology companies.
Data and technology are essential to our way of life. If the digital economy truly is key to Australia’s national prosperity, then the government should provide clarity on the security, privacy and protection of data for Australia and Australians.
With next week’s budget, the government has an opportunity to stand behind and promote Australian technology companies. Failing to do so will leave us all asking if Australia is fair dinkum about digital sovereignty.
Marcus Thompson is a retired Australian Army officer who was the inaugural head of information warfare for the Australian Defence Force. Since leaving the army in January 2021, he has founded an independent advisory focused on improving cybersecurity and developing sovereign Australian capability, working with a number of Australian companies including Macquarie Telecom Group, Penten and ParaFlare.
This article was published by ASPI on May 10, 2021.