Australia’s technology vendor review framework tiptoes around China


Australia has a new framework for dealing with high-risk technology vendors, though the government isn’t brave enough to call them that.

Home Affairs Minister Tony Burke says the framework ‘will ensure the government strikes the right balance in managing security risks while ensuring Australia continues to take advantage of economic opportunities’.

An alternative reading would be that it’s an opaque, toothless framework that gives the government wiggle room to minimise risk to the China relationship by increasing risk to our digital sovereignty.

The framework was announced on 20 December but not published. It’s a set of guidelines for assessing national security risks posed by foreign technology products and services sold in Australia. The timing was so unlikely to attract attention that it looked deliberate. Information on the Department of Home Affairs website, striking an unsatisfying balance between brevity and circumlocution, reinforces the impression that the government would be pleased if few people noticed the policy.

The framework establishes a ‘proactive process to consider foreign ownership, control or influence risks associated with technology vendors’. That will enable the government to ‘provide guidance on technology vendor risks to inform public and private sector procurement decisions about the security of technology products and services’. Risks will be assessed and mitigations considered where these risks are unacceptable.

The government’s factsheet provides a few more details. The security reviews will be led by Home Affairs in consultation with relevant agencies, presumably including technical experts in our security agencies. Assessments will be prioritised based on preliminary risk analysis of such factors as where the product or service is deployed, its prevalence and access to sensitive systems or data.

We don’t know what technologies the reviews will focus on or who will make the final decisions on which risks need mitigating. Review findings will apparently inform future government policies or support technical guidance to help organisations mitigate identified risks. The framework itself will not be released publicly to ‘ensure the integrity of the framework’s processes and protect information relating to national security’.

What’s clear is the focus on mitigating risk. Bans or restrictions on vendor access are off the table, even though, as we discovered with 5G, it is sometimes impossible to mitigate the risks of technology products and services that are one update away from being remotely manipulated by the vendor that supplies and maintains them.

But who would seek to manipulate or disrupt the critical technologies on which Australians rely?

Well, the government says the framework was not established to ‘target vendors from specific nations.’ The majority of foreign vendors ‘do not present a threat to Australia’s interests. However, in some cases, the application, market prevalence or nature of certain technologies, coupled with foreign influence, could present unacceptable risks to the Australian economy. This is particularly true if the vendor is owned, controlled or influenced by foreign governments with interests which conflict with Australia’s.’

The document steers clear of the more zingy phrase ‘high-risk vendors’, which was associated with Australia’s 2018 ban on Chinese 5G suppliers Huawei and ZTE.

It’s a tricky balance. Reluctance to point the finger at our largest trading partner is understandable, even though everyone knows we wouldn’t need a framework without our growing reliance on Chinese vendors who are indeed owned, controlled or influenced by the Chinese government. But, unsettled by China’s reaction to its predecessor singling out Chinese 5G vendors, this government seems more concerned with anticipating Chinese concerns than explaining to the public what technologies it should be worried about.

For example, will the government target electric cars and solar inverter technologies, where China’s dominant position has raised concerns? Perhaps not, since we are reminded that foreign technology companies ‘are essential’ for Australia’s net zero transition.

Businesses weighing the merits of buying cost-competitive Chinese tech will be reassured that the framework won’t introduce new legislated authorities or regulation. The focus seems to be on consultation with business so the government can ‘understand the risks introduced by a product or service, and the availability of mitigations’.

But mitigations reduce efficiency and add cost, and selecting pricier gear from alternative trusted vendors adds even more. Businesses may feel that avoiding these extra costs is worth the risk.

How might this play out? One way is we never hear about the framework again, aside from occasional technical security guidance. Low public awareness of the risks will mean inquiries can be batted back with assurances that the government has been making progress but can’t talk about it for national security reasons.

Then, one morning in the middle of an Indo-Pacific crisis, we might wake up to find the power and water don’t work.

As Mike Tyson might have said, everyone has a secret technology vendor review framework until they get punched in the mouth.


