National security agencies can be surprisingly risk-averse organisations and have been historically slow to adopt new technologies outside times of crisis.
Within these agencies, chief information and technology officers may be less effective champions of change, partly because they can be stuck making incremental adjustments within budgetary constraints and focused on the day-to-day demands of keeping existing systems running.
When it comes to cloud computing, this creates a problem. The cloud offers new technological capabilities, although its adoption by the national security community has so far been protracted and fragmented. Ministers and agency heads need to drive the transition to the cloud as a matter of sheer capability advantage for Australia.
Our new ASPI special report, National security agencies and the cloud: An urgent capability issue for Australia, released today, argues for rapid, large-scale investment in secure cloud infrastructure for Australia’s national security community, with the intelligence agencies an early focus. The report seeks to shift perceptions so that new technologies are seen as capabilities, rather than as business enablers, and calls on agency executives to drive the required change.
In 2014, Australia announced the ‘cloud first’ policy, which evolved into the secure cloud strategy. These were positive first steps, but the policies haven’t sufficiently managed the take-up of and spending on cloud services and infrastructure in the public sector.
Under existing policy, agencies are expected to develop their own cloud strategies and risk assessments. This siloed approach is unlikely to maximise the government’s purchasing power or encourage agency cooperation in an area in which a critical mass of investment is likely to be necessary.
The policy also suggests public clouds as the preferred deployment model, but many global cloud providers are based offshore and public clouds involve organisations’ data and cloud applications being managed for them on providers’ systems alongside those of myriad other customers with which they have no working relationships.
So, when determining what type of cloud system to adopt, decision-makers have to seriously consider issues of data sovereignty, trust, risk and supply-chain resilience with providers. As an example, government research shows that 93% of Australians are concerned about organisations sending their personal information overseas. Reliance on undersea cables connecting to offshore servers may also leave core government services and systems vulnerable to sabotage and disruption unless the risks are assessed and mitigated.
In the world of intelligence and national security, public cloud solutions seem less viable. Agencies should consider a range of alternatives such as hybrid cloud, community cloud or private cloud to maintain the level of control over data and functionality they need. But the choices that maximise capability outcomes don’t include a set of separate ‘agency clouds’ built without interoperability as a defining design principle; interoperability is needed to maximise the power of the datasets that the Australian national security community holds.
Regardless of which provider agencies choose, the paradigm shift in computing has occurred. Many businesses and organisations know that the powerful processing, big-data analytics and versatile resource configurations that cloud systems provide are simply essential to their success. They have already shifted from traditional on-premises computing to on-demand cloud services or to private cloud systems that give them more control. The industry is also designing new applications and software that take advantage of the technical power of cloud infrastructure.
If change doesn’t occur rapidly and comprehensively within Australian national security agencies, they will fall behind and be stuck with platforms that vendors only support as legacy activities (think Windows 7). Meanwhile, allies and adversaries will continue to take advantage of the new technology to scale up their operations and analysis and get the capability advantages from cloud systems.
US national security agencies already have at least five years’ lead time over their Australian partner agencies. Decisions in the US now are not about whether to adopt cloud infrastructure and functionality, but how best to orchestrate and manage what has become a reasonably crowded and chaotic multi-cloud environment.
A major investment in secure national cloud capabilities must be made by at least the intelligence organisations, with big defence and other less agile agencies following suit. Our report identifies four obstacles that agencies will need to overcome.
First, they haven’t planned or budgeted for a move like this. Treasurer Josh Frydenberg said he has already kicked in to raise the defence budget and is hesitant to increase government spending further.
Second, agencies usually function independently. Cloud infrastructure, however, will be most effective as a joint initiative, at least between the intelligence agencies and defence organisations. This will require massive organisational and cultural shifts to greater collaboration and interdependence. In addition, by leveraging the purchasing power across the national security community, Australia can get the best bang for its buck and share the responsibility for security.
Third, there’s a lack of knowledge and skills in cloud computing in Australia—part of a broader shortage of skills in science, technology, engineering and maths. To be able to operate cloud infrastructure efficiently and effectively in the long term, agencies will need to be able to build and retain expertise in the area.
Last, establishing trust and assessing risk will be key issues. The number of providers that could work with the Australian national security community to build a cloud foundation is relatively limited. This includes global providers, as well as credible Australian cloud providers that have designed their approaches with security and sovereignty in mind.
To succeed, organisational and cultural changes to overcome these obstacles need to be driven by ministers and agency heads. Chief information and technology officers and security staff have important and useful internal roles to keep systems and services running and identify new risks. Security, however, is merely one important factor in the decision-making process. The capability benefits of cloud infrastructure and services that we all understand when looking at the world’s tech giants must weigh heavily in the decision-making.
This shift requires looking beyond current technical security standards and rules to achieve the capability benefit that cloud computing can bring to Australia’s national security.
Not acting wouldn’t avoid risk; it would simply mean that the information advantage that comes from the most capable systems and analytical tools wouldn’t be available to Australian national security agencies—and that’s not the future we need.