For Election 2020, Bernard Hickey continues a three-part series on the digital policies needed to bolster Aotearoa’s resilience, protect our sovereignty and reduce inequality in the wake of the Christchurch attacks, foreign interference in elections, the Covid-19 pandemic, America’s tech war with China, and state-sponsored cyber-attacks.
There have been three moments in the last 18 months when it dawned on Aotearoa/New Zealand that it had lost sovereignty over large parts of our national life in ways we could never have imagined in the days when sovereignty was all about wars, invasions and peace treaties.
Now sovereignty is all about which platform you get your information from, and run your business or school from, where it is hosted, what is written into the algorithms it uses and who is hacking into it. We have to negotiate with tech CEOS, rather than kings and dictators, to keep our data safe and private, to fix the holes in our tax base, and communicate with our own Government.
The first moment was the afternoon of the March 15 attacks in Christchurch when Facebook and Youtube were weaponised to amplify a hate crime. See more in our first article.
Here is the second of those three moments, and the policies to address the problems it raises.
Moment 2: November 28, 2018. The day Huawei was shut out
Not everyone remembers where they were on this day, but in time it will be seen as a turning point in Aotearoa’s political, economic and diplomatic history. It was the moment we realised how exposed our economy and networks are to companies and technologies caught up in a global contest for dominance between China and America.
Spark announced to the stock exchange on the afternoon of November 28, 2018 that the Director General of the Government Communications Security Bureau (GCSB) had blocked the country’s biggest mobile and broadband network provider from using Huawei equipment in its 5G network rollout over the next couple of years.
As announcements go, it wasn’t immediately obvious as a ‘game-changer’ for New Zealand. Acronyms are a ratings killer.
“The Director-General has informed Spark today that he considers Spark’s proposal to use Huawei 5G equipment in Spark’s planned 5G RAN would, if implemented, raise significant national security risks,” Spark said.
The building of 5G RANs (Radio Access Network) has become a key battleground in America’s push back at the extension of China’s influence around the world, given many see 5G as the base network for all data traffic and the control systems being built with artificial intelligence using data mined from all over the world. Whoever controls a country’s 5G network is effectively its sovereign power.
America believes (although Huawei denies) that Huawei’s historic links to China’s military and Beijing’s laws demanding unfettered access to its systems means it can’t be trusted. As a member of Five Eyes, New Zealand was part of Team America on this issue. The Government tried to deny ultimate responsibility for the decision, saying it was a technical matter decided by technocrats, but few have many doubts about the geo-political contest.
Since then, America’s drive to strip Chinese-made gear out of the rest of the world’s 5G networks has stepped up a gear. Just this month, Huawei was banned from using chips produced with American technology, effectively cutting it off from the supplies it needs for much of its networking gear and phones.
This pivot towards carving the world’s internet up into American, Chinese and European spheres of influence drives emphasises the risks of depending too much on one type or source of software, network, hardware and platform. If America could effectively shut down TikTok or cut off WeChat, how much should New Zealand Inc rely on overseas-based or run tools to keep our economy and society running.
It’s big news when a technical problem takes down Facebook or Gmail or Office365 for an hour or two. But what if a Chinese cyber-attack took one or more of these tools or the data centres they use for days or weeks? And how exposed is our Government or multiple data pools collected and held by the Government to these attacks, particularly if they’re hosted on proprietary platforms in the ‘cloud’ in a data centre governed by another country’s laws.
So what should be done?
The Covid-19 crisis has reinforced the risks of being too dependent on global supply chains and single sources of particular goods. The risks become larger as more of the economy pivots towards services delivered via phones, sensors and algorithms in the cloud.
Catalyst IT CEO Don Christie sees the Government’s development of local and more open digital platforms and tools as crucial to building resilience and reducing the costs and risks of delivering all sorts of public services online, including health and education.
“(Finance Minister) Grant Robertson has been talking about the manufacturing and supply chain being a risk because of Covid-19. It’s exactly the same story in IT. In fact, it’s more of a hidden risk in the digital world,” says Catalyst IT CEO Don Christie.
He describes the default position of many in Government and IT of going straight to outsourced and often offshore-run and big, expensive off-the-shelf type systems offered by the likes of SAP, Oracle, Microsoft, Amazon and Google as a kind of cultural cringe that concedes defeat before much proper analysis of the risks and true costs are done.
Always choosing the overseas-sourced IT also removes major potential sources of jobs and growth from the New Zealand economy. What appears the simplest and cheapest option in the short run, may limit growth opportunities and create sovereignty risks in the long run.
“If you’re a young person looking at what’s exciting happening in the world and maybe you’re drawn to tech, and all we’re doing here is plugging things into Amazon, then chances are you’ll go to where Amazon is or Google is,” Christie says.
Other ‘heavier’ industries that have already declared defeat are now coming to rue the new dependence on overseas-sourced systems. KiwiRail, for example, is now beholden to its Chinese supplier for engines, having decided buying overseas was cheaper. In the long run, the engines required expensive repairs that led to complaints about underpaying workers imported from China to do the work temporarily.
“It’s a bit like KiwiRail saying ‘we don’t have the expertise any longer to design new railways so we’re gonna be bringing in expertise’.”
‘Bring our data home’
Māori data scientist Caleb Moses writes in particular in ‘Shouting Zeros and Ones: Digital Technology, Ethics and Policy in New Zealand’ about Statistics New Zealand’s Integrated Data Infrastructure or IDI. It has brought together and organised data sets from all around Government with the aim of using machine learning and data mining to analyse decisions and help deliver services.
“The IDI has high value because of the massive accumulation of data over time, nicely tagged at the individual level and consolidated from multiple sources. High-value assets become targets, particularly where those assets are intangible and can be reused again and again,” Moses writes.
“Stats NZ is keeping the IDI as secure as a government IT system can be, but that is by no means 100 per cent secure. In particular, there are concerns about the number of Data Labs, especially the one in Sydney, where Stats NZ has limited ability to enforce the rules,” he writes.
Waikato University Professor of Demography and Indigenous Data Sovereignty, Tahu Kukutai, is also concerned about the location and nature of Government data storage. She says these data sets are often focused on Māori and Pacific citizens and could be used to amplify discriminatory biases already present in the likes of welfare spending, and the justice and prison systems.
“Over-surveillance of Māori, in particular by Police, Corrections and other punitive and disciplinary institutions, means that data about Māori are more likely to be included in government datasets, particularly those capturing ‘target’ populations requiring state intervention,” Kukutai writes in ‘Shouting Ones and Zeros.’
“Dominant approaches to big data tend to reinscribe rather than unwind coloniality by drawing on the same types of racialised and limited classificatory systems of the past,” she writes.
Kukutai wants Government to focus on ways of ensuring Māori data sovereignty to correct previous injustices and reverse the trend of increasing inequality.
“For this to be achieved, both the physical and logical storage of Māori data needs to be within the direct jurisdiction of Aotearoa New Zealand. The increasing move by state agencies to offshore all data, including Māori data, is a major concern,” she writes.
She points in particular to Australia’s Assistance and Access Bill passed in 2018, and the use of data centres in Australia. Amazon Web Services’ main centre for Australasia is based in Sydney and is heavily used by many New Zealand companies and government entities.
“It undermines data sovereignty by compelling companies to hand over data stored in Australia, even if it is protected by end-to-end encryption. It soon becomes apparent that data sovereignty is not possible if these data stores are used,” she writes.
American laws requiring software and data centre providers to disclose information to American authorities may even apply to data stored in centres in New Zealand, but which are owned there or are run on American-owned systems. The Government is, for example, ploughing ahead with plans for Microsoft to build its own large data centre in New Zealand that partners with Government, which may be subject to America’s jurisdiction.
Kukutai wants to see data stored closest to its users, and in a distributed and decentralised way.
“A federated data storage model with granular permissions on what is shared between nodes would be the most resilient, performative and safest way to store data,” she writes.
“However, local solutions are often not considered in decision-making in Aotearoa New Zealand with claims made about the purported constraints of cost or capacity. In this sense, Māori rights and interests in data are traded off against purported financial considerations, despite the lack of solid evidence that local storage solutions are not possible or feasible.”
What could Government do?
Christie wants to see Government procurement rules put in place that prefer local and open solutions for information technology. He sees a change required in the default position of many Government buyers of trying to outsource overseas.
“The philosophy has been that they don’t think government should own any infrastructure, including software — that it should be software services. It’s a pretty flawed philosophy,” Christie says.
“And again, what it’s done is create an environment where due diligence is not being done properly on cybersecurity, on sovereignty risks, and what it means for the future.”