Australian Government Struggles to Exit Chinese-Owned Data Center
(AFR) — Five of Australia’s most sensitive government bodies are scrambling to remove servers from a Chinese-owned data center in Sydney ahead of a self-imposed September deadline, which was triggered by security fears.
The Australian Financial Review has been told the departments affected by a government directive to leave the data center, owned by Global Switch, include Home Affairs, Foreign Affairs and Trade, and Defence.
The Australian Taxation Office and Australian Securities and Investments Commission are also looking to leave the Ultimo facility, but the move, set to cost around A$500 million ($330.5 million), is proving difficult.
New rules around data sovereignty and finding the huge amount of space required has been one challenge, while concerns have also been raised about the already high concentration of sensitive government information held by one competitor, CDC Data Centres.
A consortium of Chinese investors began buying into Global Switch’s parent company in December 2017, prompting the defense department to remove its “top secret” data from the Ultimo facility.
The Chinese consortium, Elegant Jubilee, moved to full ownership of Global Switch from the U.K.’s Reuben brothers last August. Prior to this, a September 2020 deadline was set for government agencies and departments to move out of the Ultimo facility.
But the deadline looks unlikely to be met, according to two sources, who said the defense department had been forced to extend its contract with Global Switch while it determines what to do with its unclassified data.
Home Affairs is co-ordinating the relocation. The ATO is believed to be the most advanced, while the others are yet to settle on how they will undertake the complex move.
Concentration of risk
The move away from Global Switch has led to questions about where federal agencies store their data and the dominance of CDC Data Centres, which has won more than 90% of federal government contracts since 2008.
Owned by the Future Fund, the Commonwealth Superannuation Corp. and New Zealand’s Infratil, CDC’s dominance has led to worries about the concentration of technical, physical and corporate risk with a single operator.
Independent telecommunications analyst Paul Budde said in an age of terrorism, pandemics and climate-induced natural disasters, it was problematic to be so reliant on a single company whose operations were concentrated in one city, Canberra.
“It’s far too risky to put all your data eggs in one basket, given we are totally reliant on data for the running of the country,” he said.
The federal government’s Digital Transformation Agency said in a statement that procurement of data center space and services was the responsibility of individual agencies.
“The government has made significant investments in safeguarding the security and privacy protection of government-held data,” it said.
Decentralization directive ignored
When the federal government determined it would not build its own data centers more than a decade ago, then Finance Minister Lindsay Tanner said a “single deal with one supplier for all our data centre needs” should be avoided.
“We have no intention of replacing extreme decentralization with extreme
centralization," he said.
Publicly available data from the AusTender website indicates Tanner’s directive was ignored, with CDC having won at least $700 million worth of government contracts since 2008, 10 times more than its nearest rival.
The overall figure for CDC is likely to be much higher, as sensitive contracts with the likes of the defense department or the security services are not disclosed publicly.
CDC’s operations are concentrated at two sites in Canberra, while in December 2018 it purchased a small data center and development site in Sydney’s Eastern Creek.
Its founder and Chief Executive Greg Boorer said CDC’s success was due to its “offering” being tailored to the unique requirements of the government market. He said geographic, technical and corporate risks could be mitigated.
“The government does enormous due diligence on risk that you and I have not even contemplated,” he said.
Concerns around a Chinese consortium buying out Global Switch were first raised in the U.K., but it’s unclear what action, if any, was taken to remove sensitive government data from its centers.
Global Switch has rejected security concerns, saying it only houses the servers and has no access to the data held within its facilities.
There has been an increased focus on data as a critical national asset over recent years, and security agencies have been working with business and government to ensure they are protected from state-sponsored hacking and commercially oriented ransomware attacks.
On Monday the government was forced to loosen rules around cloud computing suppliers to its departments and agencies, as the tightened restrictions were proving too onerous.
This story was first published in the Australian Financial Review.
- MOST POPULAR