The need for sovereign data protection – ensuring Australia’s critical data remains within our borders and under our control – is set to extend much further across both the public and private sectors, due to a raft of new security and compliance laws.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 is designed to protect Australia’s critical infrastructure from cyber security threats, including attacks from cyber criminals and nation states.
It comes amid repeated cyber attacks against Australia’s critical infrastructure, from higher education and healthcare providers to food and transport supply chains.
Bad actors have taken advantage of the disruption of the COVID-19 pandemic. Ransomware attacks against Australian organisations have leapt 60 per cent in the last 12 months, according to the Australian Cyber Security Centre (ACSC). Meanwhile, the number of phishing attacks rose 75 per cent in 2020, according to the Australian Competition and Consumer Commission.
The bill will introduce additional obligations for critical infrastructure assets, along with enhanced cyber security obligations and government assistance for cyber attack response.
Australia’s list of critical infrastructure assets is expanding to 11 industry sectors, including energy, transport, communications, finance, food, health, higher education, and data storage and processing.
Sovereign data protection is an important element of enhancing Australia’s cyber security. Not only concerned with physical borders, it also ensures data remains under Australian sovereign legal jurisdiction, and not subject to the overreach which some nations extend to the data held by their own businesses even when operating on foreign soil.
Two aspects are critical to developing a sovereign capability: sovereign control and domestic capability.
The Hosting Certification Framework, within Australia’s Whole-of-Government Hosting Strategy, ensures appropriate sovereign control. This involves sovereign, or Australian, ownership of data centres hosting data with a ‘protected’ classification. This framework is set to extend to all cloud and managed service providers from the end of this year.
Building on this, the Cloud Assessment and Authorisation Framework (CAAF) assures the security capabilities of cloud infrastructure, platform and software-as-a-service providers.
A Phase 1 CAAF assessment is undertaken by an assessor qualified under ACSC’s Information Security Registered Assessor Program (IRAP). The assessment covers a cloud service provider’s credentials and capabilities.
A Phase 2 CAAF assessment requires authorisation by a government agency that the cloud service achieves the protected controls outlined within the government’s Information Security Manual. This highlights and considers the risks of permitting any kind of overseas data access.
Mandated in July 2020, the CAAF requires detailed information on the cloud provider ownership and overseas operational access of not just customer data but all data types – including support, analytics and metadata.
This is a crucial aspect of sovereign data protection which is difficult for foreign-owned providers to offer due to their global operating modes, says Phil Dawson – managing director of cloud infrastructure-as-a-service (IaaS) provider AUCloud.
AUCloud is Australia’s sovereign cloud IaaS provider, exclusively focused on the country’s federal, state and local governments as well as the critical national industry communities.
It also partners with the Australian ecosystem of service providers, application developers and system integrators to ensure they can meet the sovereign data protection requirements of their customers.
AUCloud is the first cloud services provider to be fully authorised to operate under Phase 2 of the CAAF, through its work with the Digital Transformation Agency and other federal government agencies.
Under upcoming changes, more organisations will be obligated to ensure that sensitive Australian information remains in Australian hands, Dawson says.
‘‘The reality is that, regardless of where in the world they physically hold data, many foreign-owned providers are subject to the laws of their own nation – such as the United States’ CLOUD Act – which could force them to hand over that data,’’ he says.
‘‘Also, even if foreign-owned providers endeavour to keep Australian data onshore, the nature of their global operations means that a lot of that support, analytics and metadata still finds its way into offshore data centres around the world.’’
The expanded scope of Australia’s critical infrastructure is a wake-up call for organisations of all sizes, in all sectors, which have traditionally considered themselves not of interest to cyber criminals or nation state-backed actors.
The COVID-19 pandemic has highlighted society’s growing vulnerability to disruption, Dawson says, as well as the lack of appreciation as to what is critical for society to function. No organisation can assume its infrastructure, activities or data are too mundane to be of interest.
‘‘Alternatively, you could be the weakest link in another organisation’s security – with significant flow-on effects along supply chains and even across the nation – so it’s vital to think about the big picture when it comes to your own cyber security.’’
Phil Dawson
