Australian intelligence community seeking to build a top-secret cloud
Australia’s national intelligence community (NIC) hopes to build a highly secure private community cloud service capable of protecting data classified all the way up to top secret.
The Office of National Intelligence (ONI), Australia’s peak intelligence agency, is leading the project, and issued a call for expressions of interest on Friday.
“The NIC is seeking to accelerate its ability to transpose and extract relevant data from complex data sources. It sees common toolsets for data filtering and manipulation to extract relevant useful information as a force multiplier,” ONI wrote.
“The NIC seeks greater interoperability through shared common services, common infrastructure, and standards, centralisation of services, and the ability to create collaborative environments.”
All 10 NIC agencies will eventually use the cloud: ONI, Australian Signals Directorate (ASD), Australian Geospatial-Intelligence Organisation, Australian Secret Intelligence Service, Australian Security Intelligence Organisation (ASIO), Defence Intelligence Organisation, Australian Criminal Intelligence Commission, and the intelligence functions of the Australian Federal Police, Australian Transaction Reports and Analysis Centre (Austrac), and the Department of Home Affairs.
The platform would also allow “trusted third-parties” to operate software-as-a-service (SaaS) services in the private community cloud.
ONI’s leadership of the project, and indeed the project itself, stem from recommendations of the 2017 Independent Intelligence Review.
“We recommend that data analytics and ICT connectivity, including the establishment of an intelligence community computing environment in which technical barriers to collaboration are minimised, be one of the highest priorities of a more structured approach to technological change and the funding of joint capabilities,” the review said.
The project does not involve agencies collecting any new data. Nor does it expand their remit. All existing regulatory arrangements still apply.
Rather, the NIC hopes that a community cloud will improve its ability to analyse data and detect threats, as well as improve collaboration and data sharing.
“Top Secret” is the highest level in Australia’s Protective Security Policy Framework. It represents material which, if released, would have “catastrophic business impact” or cause “exceptionally grave damage to the national interest, organisations or individuals”.
Until very recently the only major cloud vendor to handle top secret data, at least to the equivalent standards of the US government, was Amazon Web Services (AWS). AWS in 2017 went live with an AWS Secret Region targeted towards the US intelligence community, including the CIA, and other government agencies working with secret-level datasets.
In Australia, AWS was certified to the protected level, two classification levels down from top secret. The “protected” certification came via the ASD’s Certified Cloud Services List (CCSL), which was shuttered in June, leaving certifications gained through the CCSL process void.
Under the ISM framework, AWS had 92 services assessed as protected. It also negotiated an Australia-wide government cloud deal in 2019.
While the CCSL no longer exists, it is expected that the Information Security Registered Assessors Program (IRAP) will support government in maintaining its assurance and risk management activities.
This week, Microsoft launched Azure Government Top Secret cloud to handle classified data at all levels, including top secret, for US government customers. However, Microsoft is still working with the government to achieve accreditation.
Under the CCSL, Microsoft was also able to store government information up to a protected level. Unlike all previous such certifications, Microsoft’s certifications were provisional, and came with what the ASD called “consumer guides”.
ASIO issued expressions of interest in 2019 to use Microsoft Azure internally for protected, secret, and top secret data.
In the UK, private company UKCloud launched its potentially top secret UKCloudX service in 2018. UKCloud is already a provider of cloud services to the UK government’s G-Cloud via a contract with the government’s purchasing agency Crown Commercial Services.
ONI is seeking to explore the market, however, and vendors with experience in delivering secure cloud environments can apply, even if they do not yet have top secret certification.
However, the cloud must be hosted on infrastructure physically located in Australia and geographically dispersed.
“[This is] the first stage in a multiphase procurement process by which ONI will determine which, if any, respondents will be invited to participate in the next stage of the procurement process,” ONI wrote.
Expressions of interest close February 8, 2021.