BLUF

Concerns about digital sovereignty are intensifying because of the inherent risks associated with hosting government data in a foreign cloud.

Summary

Cybercrime and cyberespionage are serious issues in their own right, but the consequences are potentially even more severe when they affect government data. The Federal Government now requires relevant government data to be hosted only by certified data companies. It applies to government data at the ‘protected’ level or data belonging to whole-of-government systems. This two-fold classification recognises two realities—that threats posed by a failure to protect government data are different from those for other types of data. Further, there are particular vulnerabilities inherent in cloud systems where information belonging to various agencies is hosted in the same data space. The Government’s move follows concerns about the acute data challenges confronting the Australian public sector, including data sovereigntysupply-chain vulnerabilities and cybersecurity threats. The Government’s tightening of its certification framework is an acknowledgement of cyber risks. There is now an opportunity for all Australian state governments to improve on the federal approach.