Government agencies must only store sensitive information in data centres certified under the new Hosting Certification Framework (HCF), with the first providers now accredited in a scheme designed to marginalise China-owned data centre operators.

Australian Data Centres (ADC), Canberra Data Centres (CDC), and Macquarie Telecom (Canberra Campus) are now the only three companies allowed to host Australian government data, after they were certified under the HCF released in March by the Digital Transformation Agency (DTA).

The move is the latest step in a Whole of Government Hosting Strategy that has amongst its key pillars the goal of protecting Australian government data with “robust, risk-based assessments to ensure data sovereignty and supply chain integrity”.

The HCF was, the DTA explains, created “to operationalise the principles outlined in the Whole of Government Hosting Strategy” – and will be administered by a new Digital Infrastructure Service run by the DTA, which manages a range of purchasing panels including the Data Centre Facilities Supplies Panel.

There are two levels of certification – Certified Strategic Hosting Provider (CSHP) and Certified Assured Hosting Provider (CAHP) – with the higher CSHP certification “intended to only be available to hosting providers that meet the stringent assessment threshold of suitability and enable the Government to specify and enact ownership and control conditions that are not lowered at any time.”

With the certification of the first HCF-accredited providers, Stuart Robert, Minister for Employment, Workforce, Skills, Small and Family Business, said that all “relevant government data” involved with “all future and in-flight projects” must be stored in CSHP or CAHP certified facilities.

“The Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” Robert said. “This includes knowing how, where, and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.”

Macquarie Government managing director Aidan Tudehope welcomed the policy, saying that the new policy “will set a strong example for the private sector to invest locally, ensuring Australia works towards enhancing its sovereign digital ecosystem that serves the national economy by providing world-class security for Australia’s sovereign data.”

Home Affairs will this month commence a series of industry consultation sessions to explore co-design of industry-specific rules for the data storage or processing sector

Keeping it onshore

Sovereignty of Australian data-centre facilities has been front of mind since 2016, when a consortium of Chinese companies called Elegant Jubilee Limited bought a 49 per cent stake in UK-based data-centre operator Global Switch.

With Global Switch hosting key government systems, the investment raised the prospect of sensitive data being stored in China-owned facilities where their protection from Chinese government interference could not be guaranteed.

The situation got even more fraught in 2019, when Chinese steel maker Jiangsu Shagang Group paid $3.3b (£2.2b) for a 24.01 per cent stake in Global Switch, making it the company’s largest single shareholder.

Last year, the Department of Home Affairs designated ‘data storage or processing’ facilities as a critical infrastructure sector alongside traditional sectors including electricity, gas, water, and ports.

The need to strengthen Australia’s sovereignty was, the Australian Strategic Policy Institute said in a recent editorial about the policy changes, reinforced by Facebook’s decision this year to shut off Australian news feeds.

“Imagine if Facebook was a water utility or an energy company,” Major General Marcus Thompson (retired) wrote, noting that “with near-universal dependence on digital information and electronic devices… the first rules of cybersecurity are to know what data is most valuable and where it’s physically located.”

Lauding the US government’s ‘buy American’ mandate for government operations, Thompson said Australia “should follow suit”.

“’Buy Australian’ for government agencies should be a position our government is prepared to adopt,” he wrote, “and it should include sovereign data storage and sovereign digital technologies as its centrepiece.”

A backhander to China

Chinese authorities see data centres as a key part of its global expansion strategy – echoed in statements by Shagang Group chairman Shen Wenrong that the Global Switch buy “complies with China’s Belt and Road Initiative (BRI)”.

BRI has been so problematic that in April the Australian government tore up a controversial Victorian Government Belt and Road partnership.

The escalating war of words with China has seen Australian agencies abandoning Global Switch in droves.

Last year, the Australian Taxation Office (ATO) signed a deal to begin a $73m migration to move its infrastructure to fully Australian-owned alternative Canberra Data Centres (CDC).

Home Affairs and ASIC have also moved to CDC, but Defence significantly became the outlier in February when it extended its deal with Global Switch to allow for completion of a five-year migration plan.

Growing demand for local capacity is driving strong growth in Australian data-centre operations, with 257 data-centre operations already in the country – and new facilities like Macquarie’s new $17m IC5 data centre appearing regularly.

A recent Mordor Intelligence analysis predicted a 4.5 per cent annual growth rate, buoyed by the government’s data-sovereignty strategy and growing moves by cloud operators like Microsoft and Oracle to open Australia-only operations.

Yet ASPI also recently warned about the dangers of consolidating government data infrastructure into too few facilities, noting in January that 79 per cent of current contracts had been awarded to the dominant industry provider.