Is there a cold war for the control of key data and infrastructures worldwide?
How can the battle for infrastructure and data shape the future?
Are nations without native data pools and technology at disadvantage?
How can they reconcile technological progress with regulatory frameworks?
How key is the cloud for the sovereignty and autonomy of governments?
Jocelinn Kang works on technology policy for the International Cyber Policy Centre at the Australian Strategic Policy Institute. The team looks at cyber issues, from information operations and disinformation to cyber capacity building and surveillance.
"Data sovereignty is an important facet of data governance that governments must consider. There is a general shift to cloud across industry, and this is likely to continue", she says.
Is there a cold war for the control of key data and infrastructures worldwide? And is this cold war among nations or among governments and companies?
There’s a growing understanding by the governments of some countries that control of critical infrastructure is important. Others appear to care more about simply getting the infrastructure in place. Large companies have known this for a long time from a business needs and cost perspective.
The 5G security debate of recent years -focused on using 5G equipment from high risk vendors – has made many governments reflect on some key questions: What is critical infrastructure? Why is it important to consider who has control of such infrastructure?
In response to such questions around 5G, for example, Vietnam is creating its own 5G infrastructure, the UK considered for a while how it could welcome different vendors with different risk profiles and manage the risk, and Australia has banned high risk vendors.
Then there is cable infrastructure. Namely, the move by internet companies such as Facebook and Google, and even traditional software companies like Microsoft, into submarine cable infrastructure. This is a result of growing data needs. The governments of Australia and US also recognise that China views data strategically, and therefore, due to national security concerns, has intervened in both the Coral Sea Cable between Australia and Papua New Guinea and the Pacific Light Cable Network that was to go between the US mainland and Hong Kong, respectively.
In terms of cyber supply chain security, the government sector in Australia is definitely aware of the risks involved and a level of security is built into government contracts. General awareness around cyber supply chain risk has definitely increased in larger enterprise environments since the recent SolarWinds supply chain attack, which saw malware planted into the regular distribution of software updates for a particular version of the SolarWinds’ network management product.
How can the battle for infrastructure and data shape the future?
Control of hardware infrastructure is important. But in my view, the protection of data is more important. This is because of the decentralised way the Internet works: a user has little control over how their data gets to its destination. This is just as true for data-at-rest (where the data is stored) as we move away from on-premises storage to cloud storage and processing.
The cloud can simply be considered as ‘someone else’s computer’. Therefore it will continue to be important to secure the data that flows through these systems, and networks that you’re unlikely to control.
Nation states that do not ‘own’ technologies are in a much weaker position not only to influence how these develop, but also how governance evolves. In today’s world, how important is data and technology for nations in terms of governance? Are nations without native data pools and technology at disadvantage?
This is a complex question. Let’s consider it through the lens of artificial intelligence: Given that biases can result depending on what data is used to train AI algorithms -for facial recognition or even compliance systems- those countries that do not create or input their own country or region-specific data will be disadvantaged.
To take a now notorious example, driverless car makers that were testing their vehicles in Australia ran into issues with their animal detection systems They were sometimes unable to detect kangaroos crossing the road. (Kangaroos are unfortunately a frequent roadkill on our roads.)
How can they reconcile technological progress with regulatory frameworks that protect citizens from being continuously monitored and possibly manipulated, when they do not regulate the organisations virtually supplying these services?
This is a difficult problem. Technological development will always move ahead of laws due to the length of time it takes to put laws in place. But some forms of regulation can be helpful and move a little faster. And guidelines can more quickly be put into place, and are more flexible and easily developed as time goes on.
There is also the issue of education – on both sides of the technology fence. Developers, engineers and the people involved in building technical systems need to be better educated to consider privacy, security and how their end-products could be used. These issues are vital, even as they’re designing a functioning, efficient product with the best user experience. And then policy makers need to better understand the technology and the technologists designing and developing and implementing these products, services and systems.
Additionally moving from a compliance culture to a more risk-based approach when considering technology and implementation, can assist here.
One of the objectives of the European Strategy for Data is the creation of an EU cloud platform alliance to improve cloud’s uptake in Europe and reduce the Union’s technological dependencies in these strategic infrastructures. How key is the cloud for the sovereignty and autonomy of governments nowadays?
Data sovereignty is an important facet of data governance that governments must consider. There is a general shift to cloud across industry, and this is likely to continue. In Australia there is a push for a cloud-first approach for government and an understanding that there needs to be consideration of the sovereignty of data, data centre ownership and supply chain.