
How the Department of Defence put their Classified Data at Risk
In December last year, a Chinese-backed consortium quietly went about purchasing a 49 per cent stake in the international data centre operator Global Switch.
As details of the deal emerged, it came to light that Global Switch had a 10-year contract in place with the Australian Department of Defence, to hold classified government data at two of its facilities in Sydney.
This sparked a Foreign Investment Review Board investigation. Global Switch was forced to agree to hand over the Australian arm of their operations to their parent company, Aldersgate Investments.
Despite Global Switch maintaining that their shareholders don’t have direct access to their data centres, the Australian Department of Defence has taken steps to return its data centre operations back into government hands, at a cost of more than $200 million, fearing the acquisition presents a national security risk.
The case of Global Switch raises questions about how organisations, both government and private, should manage their classified data and information assets effectively.
Business Advisor and Managing Director of Experience Matters, James Price says it’s important to understand that the Department of Defence needed to take responsibility for the way their information and data assets were being managed.
“We can’t lump blame on Global Switch in this case, because Global Switch is a business operating in a commercial environment,” says Mr Price.
“Global Switch isn’t a technology company per se, they’re effectively a real estate company. Where the Department of Defence made a mistake was that it didn’t consider the data sovereignty issues with putting their sensitive data into the hands of a third party.”
“They probably weren’t thinking about the management of the data, they were thinking about the management of the infrastructure,” he says.
Mr Price presents the metaphor of a glass of wine – the wine being the data and the glass being the infrastructure housing the data: “When you go to a restaurant, do you buy the glass or do you buy the wine? It’s precisely the same in business. The Department of Defence should have been putting their own data in their own infrastructure, instead of outsourcing it for reasons of cost reduction” he explains.
The situation between the Department of Defence and Global Switch highlights the need for companies to start putting more internal thought and resources into the management of their valuable information assets.
“We’re moving from the industrial age to the information age” says Price. “Information is rapidly increasing in value. In 1974 the contribution of a business’s intangible assets toward its overall value was 17 per cent. Today it’s 85 per cent, yet information assets are still managed extremely poorly. For the last 30 years have we been handing the responsibility for the management of data assets to IT departments, who rarely have the capacity or the capability to do so.”
Mr Price suggests data and information practices within an organisation need to start at the board and executive level, with responsibility for information management systematically delegated to every single person within the organisation.
“The board and the Chief Executive need to determine who is going to be responsible for the management of information as an asset. Ultimately the Chief Information Officer should be the person responsible for managing the information assets of the organisation,” Price says.
The Department of Defence will be forced to continue to use Global Switch’s data centres until the contract expires in 2020.