Has Australia just deregulated government cyber-compliance?
One of the biggest barriers to digital transformation is a lack of flexibility, often because stringent regulations are imposed to satisfy cybersecurity and data privacy requirements.
In many instances, these regulations are a burden to organizations, especially government agencies that are trying to accelerate digitization efforts.
Cloud adoption, for one, is key to consolidating digitization and transformation efforts. However, the regulatory requirements and strict certification regimes that surround the technology can hinder the growth of operations.
In a bid to foster the growth of its local cloud market and nurture flexibility in a cloud-first environment among government agencies, Australia has decided to step back from its cloud certification program.
The decision was announced earlier this week by the Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA). ASD, the agency responsible for certifying cloud providers that serve government agencies, has decided to retire the Cloud Services Certification Program (CSCP).
Previously, the CSCP operated alongside the Information Security Registered Assessor Program (IRAP) to narrow the pool of providers eligible to host government data. Over time, however, it has become clear that not all government agencies share the same cloud needs and privacy policies.
Additionally, not all agencies host highly sensitive data that needs stringent regulatory measures, so for some agencies there is little need to follow practices that may end up being a burden on operations.
In a joint statement, both agencies said they want to ensure that the new arrangement would “support Commonwealth entities, Australian businesses, and the community while maximizing cybersecurity and resilience to protect against evolving cyber threats.”
In the meantime, the two agencies proposed the creation of new co-designed cloud security guidelines and consultative cybersecurity forums that satisfy the needs of the respective government sectors.
Will these regulatory changes affect government cloud adoption?
The move arguably stems from a need for more tailored regulations that support organizational agility as well as cybersecurity needs. However, the reception was not entirely positive: the Australian Information Industry Association (AIIA) warned that it could result in risk-averse approaches, and some commentators argued that it could undermine Australia’s national security.
A day after the announcement was made, the AIIA raised concerns over the confusion that may arise in the absence of standardized regulatory measures.
“The closure of the list and removal of the central role the ASD has had for certifying cloud platforms does assume that agencies have the requisite skills and capabilities to appropriately assess and accept this risk,” said AIIA in a statement.
“The mixed ability for small and even larger government agencies to conduct cyber-threat risk assessments may lead to risk-averse behaviors due to a lack of cyber skills in agencies resulting in a decline in the adoption of latest cloud technologies and digital services,” it said.
Other sources have called the move a “disaster”, concerned that smaller agencies would not have the capacity to self-regulate and that it will hinder local firms’ ability to sell into government. “To say this is counter-intuitive is a giant understatement,” read a report by local tech news site InnovationAus.
“If the ASD is unable to adequately assess cloud services on behalf of government in a centralized compliance environment – with all of its cyber resources and expertise – what chance would a small government department or agency have?
“The devil will be in the detail, but at face value, the changes will make government less secure, with an eroding of cybersecurity fundamentals ultimately undermining our national security.”