Vendors get short shrift in political cyber spat

Technology vendors have resorted to publicly questioning if federal agencies have enough backing from their political masters to send private information into the cloud, as commercial tactics surrounding major systems upgrades become increasingly grubby.

The Australian Electoral Commission (AEC) is the latest agency to cop a serve from suppliers using (or misusing) the procurement system as a de-facto lobbying platform, after it issued a request for information (RFI) for a core election systems and electoral roll rebuild late last month.

“The government has a cloud first policy. The media may decide private information in the cloud is not safe. Is the political capital present to move AEC data into the cloud?” one clearly agitated supplier asks in addenda to the AEC’s RFI released on Friday.

The highly provocative question has raised eyebrows at both the Departments of Finance and Prime Minister and Cabinet over whether the AEC’s long-awaited core upgrade is about to be dragged into crossfire between cloud providers.

Of course it’s not for the AEC, or any other agency, to provide political commentary on its masters. (We’ll get to the AEC's public answer in a moment.)

But what is clear is that the use of scare tactics around data security, and personal information being on the racks of international companies isn’t about to go away, as jockeying for deals intensifies.

The bruising tactics comes at the same time as key reforms, particularly the rollout and management of the DTA-led digital identity myGovID, are facing sharply increased political risks.

Last week influential security thinktank the Australian Strategic Policy Institute cautioned that myGovID could create a Chinese-style social credit system.

In an uncharacteristically forceful response, the DTA hit back at ASPI, a sign key agencies are not about to let several years of toughing it out on reforms slip away.

The criticism of the DTA’s myGovID efforts were bookended by further warnings by ASPI that universities are highly vulnerable to having their research projects compromised by foreign academics with links to China’s government.

The timing of the broadside into the university sector comes at an opportune time.

Policymakers and former spy watchdog Vivian Thom are considering an unprecedented bid by defence interests to be able to retrospectively designate research projects as sensitive to national security under a review of export control laws now under way.

The university sector has hit back at the Department of Defence over its greatly expanded claim for control, warning it will undermine investment and the viability of technology related research.

Good relations between the business community, cyber security suppliers and intelligence agencies are also evidently being tested. The head of the Australian Signals Directorate Mike Burgess last week admonished some corporate boards for contemplating hacking back adversaries.

Some public servants hold the view that the skirmishes now under way can be characterised as a battle for influence between the military-aligned elements of the cyber security industry and commercial IT suppliers intent on securing government business by overhauling its technology estate.

The AEC’s rebuild is seen by some as a case in point because of the critical need for system integrity coupled with the fact it holds very large data holdings on Australian’s eligible to vote.

In its request for information, the AEC candidly acknowledges the increase of cyber risks.

“Since the 2016 federal election, events overseas have highlighted the importance of maintaining the integrity of electoral ICT systems and protecting them against unauthorised interference,” the AEC said in its RFI.

Those involved in the scoping of the AEC's massive project aren’t about to goaded into taking sides in the ongoing cloud wars.

The AEC’s response to the supplier taking issue with its “political capital” makes it clear the agency isn't about to be dictated to or used as a sock puppet.

“The attention of Respondents is drawn to clause 28 of the RFI, which refers to Cloud Security and provides a link to the Digital Transformation Agency’s Secure Cloud Strategy,” the AEC’s response says.

“The AEC currently uses some cloud based services in line with Whole of Australian Government policies and Australian Signals Directorate requirements. At the appropriate time, the AEC will further consult with the Australian Signals Directorate, Australian Cyber Security Centre and the Digital Transformation Agency to ensure that the security of data is met, whether it is in the cloud or not.”

Ask a silly question …