When Microsoft’s Azure and Office 365 made it onto the Australian Signals Directorate’s Certified Cloud Services List (CCSL) in April, two things in the cloistered world of government security accreditation came into plain view.
The first was that after a prolonged period of evaluation, those at the top of Canberra's cyber security tree clearly wanted friendly global platforms inside the government tent.
The second was the degree of difficulty inherent in getting such certifications over the line, including the friction and heat such decisions generate at technical, commercial and political levels.
Within days of Microsoft’s admission as a member of the coveted certified cloud club with a shiny new ‘protected’ level assurance badge, there were ructions.
As the vendor and ministerial PR machines went into overdrive, the attendant fine print from ASD gently suggested prospective users also take some personal responsibility.
“Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services,” ASD noted.
Microsoft wasted no time in flashing its new credentials up in neon lights, emphasising that the company had invested in local presence to meet required ‘protected’ standards.
Cybersecurity minister Angus Taylor did some sympathetic drum banging and showboating too. Ministers like it when things happen, even more so when you’re a minister assisting the prime minister.
Microsoft’s detractors, of which there are many, immediately went into a frenzy and a giant sledging match has ensued since.
Admission to the government certified cloud club doesn't mean the other members will make you feel welcome, especially when you're from out of town, no matter how many times club management (ASD and ACSC) plead for decorum.
In the middle of this rutting, Melissa Osborne, a 24-year veteran of the Department of Defence and the clearly respected steward of ASD’s IRAP program, left the agency last week just as it became a fully-fledged statutory agency.
It was reported that Osborne “declined” to sign off on the Microsoft protected certification – a claim difficult to verify and one it’s most unlikely she would be able to comment on, either as a serving or former public servant, other than before committee.
However, assertions Osborne was effectively frozen out of her role by new ASD Director General Mike Burgess drew immediate return fire from Osborne herself.
"Disappointed to read this article blaming DGASD Mr Mike Burgess for my resignation from Defence," Osborne posted on LinkedIn, unfettered by the shackles of Defence PR.
"Mike has been nothing but supportive of my career and has provided me with encouragement and mentorship," she said, saying that neither she nor Burgess were "consulted" before the report ran.
What appears to have triggered the latest bout of shadow boxing is an apparent lack of public gushing tributes to former colleagues at ASD. Expectations of platitudes are a little unrealistic given ASD is a signals intelligence collection agency.
It says more about the trust Osborne commanded that she had a public professional social media profile.
Here's what Osborne actually said when she posted she was moving on.
“Today I finished up in an organisation which has been my home for 24 years. Super inspired and excited for my next big adventure!!!”
That collected more than 103 likes and 49 comments.
It’s easy to characterise staff movements as the result of rows, feuds or brawls, especially when the tech lobbying and government relations muscle thrown around in Canberra is substantial and sharply applied.
What’s less obvious is that amid all this vendor-propelled white noise, the public sector is actually stuck between a rock and a hard place when it comes to harnessing cloud’s transformative potential.
Taming cloud’s natural tendency to eschew borders and leapfrog state sovereignty is actually an awkward fit, a bit like cooping up an otherwise free range animal in a cage.
Most vendors recruit from the ranks of politics and the bureaucracy to open doors (or slam fingers).
Microsoft, like its peers, has been a long-term and conspicuous investor in government relationships at multiple levels.
Thus the often implied suspicion it wrangled a special cyber deal from Canberra to get its cloud certification to protected level is an easy sledge, especially if you are a detractor.
That doesn't make it true and it conveniently ignores that vast tracts of government are still stuck on non-cloud Microsoft product. For better or for worse, most government agencies fall back on Office in some form because it’s the devil they all collectively know, rather than like.
Worse still, Microsoft’s nearest challenger in productivity apps, Google, is still on a steep learning curve when it comes to transacting serious business with government.
Some of this is cultural. Google’s relationship with government, at least until this week in NSW, sometimes seems to be more focused on property transactions.
Amazon Web Services has made significant inroads into government on the compute front, but it’s hardly about to be given a free pass by any of its rivals who also play in the apps space. Similarly, Salesforce has made inroads, but that hasn't been plain sailing either.
And while all of this is happening, non-cloud support and security for on-premises applications running in government is evaporating.
For agencies this translates to more vulnerable boxes maintained by a shrinking and more expensive skills pool.
Against this context, the imperative to get a good cloud security framework for Microsoft into Australian government sooner rather than later makes more sense - especially if its competitors are starting to wonder if small markets like Australia are even worth all the effort in the eyes of their shareholders.
Apple has demonstrated that enterprise and government verticals aren’t necessarily essential to vendor survival.
It could be that the real risk the likes of Burgess and ACSC chief Alastair MacGibbon are trying to hedge is perpetuating another 20 years of Microsoft’s overwhelming presence.
The fact that Microsoft scored the first international ticket to ASD's classified cloud dance shouldn't be interpreted as a cozy sock-puppet arrangement.
Sometimes old clubs need new members to survive, and admitting one new member can be a necessary first step in attracting others.
Just ask any lawn bowler.