Govt looks to dump ministerial sign-off for offshore cloud

Australia's Attorney-General’s Department is planning to dump a controversial security policy that requires government CIOs to obtain the permission of both their own minister and the Attorney-General before storing citizen’s personal information offshore.

Speaking at a Canberra cyber security summit run by Australian Defence Magazine last week, AGD’s Mike Rothery said his team was “probably about a week away from going to the Attorney-General with some revisions” of the policy.

“The main proposed revision is the removal of the ministerial approval and leaving that to agency heads,” he said.

The move will return decision making to the hands of departments and agencies.

Rother, who heads the department’s National Security Resilience Policy division, said the main aim was to get agencies to be more conscientious about their risk assessments of various cloud solutions, regardless of who ultimately has responsibility for sign-off.

“The thing we want to see improved across government is the way proposals are considered,” Rothery said.

He wants to see CIOs “interrogate vendors much more to actually uncover some of the assumptions that are underlying the service.”

The news will no doubt be welcomed by industry, which has already been vocal in its opposition to the policy.

In March Microsoft criticised the stance in a submission to the Communications Department, describing it as prohibitive and not in keeping with the government’s otherwise pro-cloud rhetoric. ServiceNow also joined the chorus, claiming it would need to hire up to 50 extra staff to meet the policy requirements.

The news has also been welcomed by Gartner eGovernment analyst and former Government CIO Glenn Archer, who said he observed first-hand the impact that the policy had on cloud take-up in Canberra.

“I think this is an exceptionally good outcome,” he told iTnews. “[The policy] certainly had the effect of stifling cloud uptake in the government.”

“No CIO wants to face the prospect of going to their secretary or chief executive to obtain approval for IT works, let alone having to put together a submission to two ministers and up to three departments.

“If the Attorney General’s Department revise their policy it will place the decision back into the hands of agency heads and it will reduce the perceived hurdle that many CIOs had to face,” he said.

Archer said the recently released National Commission of Audit, which criticised the slow rate of cloud uptake in the public service, probably had more to do with the policy reversal than industry lobbying.

The audit “showed an interest in overcoming the hurdles that may be getting in the way of wider deployment,” he pointed out.

“Now we see that the department is taking a little bit more of a progressive stance in this area.”