WRITTEN SUBMISSION
Parliamentary Joint Committee on Intelligence and Security
8th July 2021
Introduction
My name is Philip Dawson. I am the Co-founder and Managing Director of AUCloud, a business that was recently listed on the ASX as Sovereign Cloud Holdings Limited (“SOV”).
AUCloud provides Cloud Infrastructure-as-a-Service (IaaS) – in simple terms renting data processing and/or data storage – to Government and Critical Industry companies. We are focused on delivering services with the highest security approach to support government’s “Protected” data standards and controls and are structured to ensure that we are Australian owned and controlled and that everything that we do is located within Australia and operated from Australia by Australian citizens who are appropriately cleared to the Attorney-General’s security vetting standards.
AUCloud was influenced by but is not commercially related to UKCloud, a business that I established in the UK, which became a leading provider to UK Government and the fastest growing UK technology company from 2012-2016. During this period, I was also a member of the UK Information Economy Council, led by Minster Willetts and the co-author of the UK’s Data Capability Strategy.
After three years of development and over $40m of investment, AUCloud has become a leading Australian provider of IaaS to Federal Government based on delivering similar services to the global providers in respect of commercials and capacity but specifically providing closer alignment to Australian security and sovereignty considerations than their global operating models permit. Security, particularly cyber security, is the core tenet of our activities and in this respect we bring some UK insights in the form of the cyber threat monitoring technology from a UK company called e2e-Assure, which supports a wide range of high end UK government agencies, including the UK NCSC. We are now incorporating this technology into a service that supports several mission critical Defence and Federal Government activities, including the Australian Electoral Commission federal election preparations.
In addition to my role with AUCloud, I am also an elected member of the AIIA’s ACT/Federal Council and an active facilitator of Australian-UK cyber security technology awareness raising, knowledge sharing and business mentoring for a wide range of Australian and UK start-ups and scale-ups.
I welcome the opportunity to provide evidence to the PJCIS and believe that my experience as an entrepreneur competing with global providers combined with my operational perspective across multiple critical industry sectors will provide a different perspective for your committee from many of the other organisations attending today.
Data Storage and Processing (DS&P) Sector
- We agree with the requirement for recognising providers of DS&P services as a relevant critical industry and note its criticality across all sectors.
- The definition of asset within the DS&P sector should be ‘data’ and the specific definition should align with existing definitions from the sectors best practice frameworks (ACSC’s Cloud Assessment and Authorisation Framework (CAAF) and DTA’s Certified Hosting Strategy). Data is the key asset to be considered along with the related protection of confidentiality, integrity and availability.
- We recommend that the DS&P sector is limited to data centres, providers of managed hosting services, including cloud IaaS providers and critical industry organisations that undertake similar activities in-house and that only these organisations are subject to the specific requirements applied to this sector. This is likely to be an order of magnitude of tens/hundreds but not thousands of organisations.
- To be clear, we recommend that providers of software solutions, in particular, cloud platform-as-a-service (PaaS) or software-as-a-service (SaaS), are not included within the DS&P scope or definition. The order of magnitude of providers of PaaS/SaaS will be in the tens or hundreds of thousands and aside from the practicalities of encompassing such a number within this legislation, appropriately managed, the failure of any given one provider could and should be mitigated through accessing the core data available within the underlying IaaS or self-managed IT hardware.
- We believe the proposed definition of data and the removal of PaaS, SaaS and similar will mitigate some of the concerns that have been expressed about the inclusion of the non-physical assets (e.g. system, networks, computer programs) within the DS&P scope. We do not believe this exclusion will materially affect the risk to data residing or processed within a data centre or related IaaS/hosting infrastructure, which can be mitigated through appropriate strategies.
Positive Security Obligations Considerations
- The most contentious consideration appears to be the step-in concept, which we would acknowledge has indemnity and practical implications. However, we do not have the visceral reaction that many of the global operators have expressed. Assuming that the practicalities can be effectively addressed and given that our customer base is limited to Australian governments and critical infrastructure communities, we have no issues with the DS&P conforming to the proposed legislation.
- A soon to be published report from IDC, a premier global provider of market intelligence for IT and telecoms markets, highlights the trends to localisation of ICT and cloud delivery with the development of sovereign government/public cloud services that conform to national “sovereign” expectations for the sensitive or classified data inherent across public sector and regulated industries, in a way that commercial public cloud services do not. The report highlights the different threat considerations of data residency and data sovereignty and the implications of transmission of metadata, support data and monitoring data outside of the sovereign environment.
- There are certain practical challenges identified within many other submissions, which we would agree with and would suggest as a minimum that 72 hours notification is applied consistently and definitions around ‘material risk, ‘relevant impact’ and “unauthorised access” are finessed to align with the CAAF and related ISM.