If there was any doubt that the trend towards globalisation had decelerated, the emergence of COVID-19 has put that to rest. The shift towards more inward-looking policy settings around the globe, has been emboldened by the COVID-19 pandemic.
Since early 2020 there has been a heightened awareness of the value and indeed necessity of sovereign control and domestic capability – from vaccines and medical equipment to hand sanitisers, a nation’s capacity to develop, manufacturer and protect its resources has become a key priority across the political spectrum (here and overseas).
The impact of COVID has been far reaching, particularly in one area not readily recognised by the broader population – that of jurisdictional control and authority over data – an increasingly valuable resource. There has been a gradual shift over time towards data privacy and residency regulations to protect citizen data, and data privacy laws like the EU’s General Data Protection Regulations (GDPR) are becoming the accepted convention.
The bipartisanship we have witnessed in Australia during the pandemic, particularly in areas such as international security and cyber security, has been compared with that of war time. The Australian government is increasingly alert to potential risks and threats and the implications of the changing digital and geopolitical environment has for self-determination, or sovereign capability.
To build or maintain our sovereign capability we must pay more attention to the key two pillars – sovereign control and domestic capability. While fundamentally different concepts, their combination equates to sovereign capability.
Sovereign control correlates to a government’s ability to control the direction of resources, for example, its people, assets, capital, and intellectual property (IP), thereby delivering control over data, risk and outcome. Domestic capability relates to the capacity to design, build, or create, using a combination of assets, such as funding, a skilled and experienced workforce, and access to data and/or IP.
In the current geopolitical environment and in a world where jurisdictional control and authority over data is increasingly important to national security, you need both. You need sovereign capability.
The Australian Government’s Digital Economy Strategy announced as part of the Federal Budget recognised this:
The 21st century is all about data and in this modern digital era, data is much more than names and birthdates; it’s about, amongst other things, metadata – the data or information about the data – that which provides information describing and contextualising the data to help organise, find and understand it. If personal information is the currency of the modern age, and the battle is over who controls the data, and by extension who has access to it, it is crucial that governments ensure it is adequately protected. Where that information relates to citizens or business within a specific jurisdiction (country), this can only be truly guaranteed where there is sovereign control: data is stored both onshore and only subject to sovereign jurisdictional control and legal authority.
It has been said that data is the oil of the digital era and tech giants are the new power brokers. Publicity surrounding data breaches has similarly been a driver for the way the world does both politics and business, entrenching even further the relevance of sovereign capability.
According to the National Cyber Power Index, developed by a team of researchers at Harvard University, Australia is the 10th most powerful cyber country in the world, behind the US, China, UK, Russia and others. While Australia may be doing reasonably well on the world stage, in the modern digital era, vigilance is essential.
The way Australia stores and secures its data is fast becoming one of the most important considerations for government, as is it around the world. Like it or not, a government is the guardian of its citizens’ data and cyber security is one of the most pressing national security issues of our time.
As security, safety and trust are essential to the digital economy, governments must now look beyond the assurances of large multinational corporations that say data is stored safely in onshore data centres. Any risk assessment of where confidential or citizen sensitive data is stored must include not only the risks to data and where it is housed, but also where and how it is moved, how it can be scraped and exploited in transit or subject to extra judicial laws.
The time has come to extend the management of Australia’s borders to include data security. Just as we have checks, balances and border controls for the flow of people, agricultural produce and money, to name a few, so too should we highlight the importance of security measures for the flow of the personal data we give to governments and the providers that service us. Without a guarantee that ALL our data (including the metadata etc) remains onshore, the confidentiality, integrity and availability of our data is simply not assured.