Stop the world.

Thinking about the idea of resilience and digital resilience, an interesting factor about this and, and I think about this a lot with Australia, is that if all our cables were cut, could we operate autonomously?

And the answer might surprise us, because it's not just about data storage.

Welcome to Stop the World, the Aspy Podcast.

I'm David Rowe.

And I'm Olivia Nelson.

Today, we're coming to you on a Tuesday because we have a special episode.

We're speaking with Jocelyn King, who is Resident Technical Fellow at ASPY, and she's going to be talking about hyperscale cloud and all the attendant security and strategic considerations that come with it.

Yep, it builds on work that ASP has done with support from Microsoft.

Jocelyn is amazing on this stuff and it's pretty fundamental to the tech and security work that ASP does.

Jos takes us through the basics by explaining what hyperscale cloud is and why it's important, especially to countries in our region looking to digitise and prepare for the AI driven future.

There are some useful analogies here.

It's worth visualising a kind of foundation that hyperscalers bring.

They include big tech names like Microsoft, Google, Amazon, Oracle, Meta, and they deliver these services, which are things like data storage and computing power.

And then companies, economies, nations can build tools and applications and platforms on top of that to actually do the work that they need to do.

But are there risks in outsourcing your data storage or computing power to big overseas firms?

What should a country have as a sovereign capability?

Other advantages to having your data outside your country in case you're attacked?

Ukraine has been an obvious example here.

But then what do you need to have at home if you're an island and your undersea cables get sabotaged?

Jocelyn answers these questions and more.

It's a great primer on a really important topic that we're going to hear more and more about, especially as AI becomes increasingly central to our lives.

Enjoy.

Jocelyn King, welcome to STOP the world.

I'm here with Jocelyn King Joss, thanks for coming on.

Thanks, Dave.

So let's start with the basic super basics as much as anything for my benefit, explain what exactly is hyperscale cloud?

Why is it so important and central to the global tech landscape?

Sure.

Cloud computing is essentially leasing someone else's computing resources and accessing these resources through a network, usually the Internet for most people.

And these services can be spun up on demand and they can scale large when people need it and cut it down when they don't need it.

And you just pay for the services that you use.

Now, these computing resources I'm talking about, we're talking about computer processing, storage, software, applications, those kind of things.

Now, hyperscale cloud, it takes this to a whole new level.

It essentially is hyper in scale, speed and offerings.

So hyperscale cloud providers like AWS, Google, Microsoft, Alibaba, they have a global footprint and so they have a lot of data centres with a lot of computing power.

They offer a lot of services in terms of software applications as well as I think what a lot of people equate A hyperscale cloud to these days is AI and that ability to use the AI engines provided by these service providers.

Yeah.

I mean, I must say that's what I think.

I think of AII, think of data centres, I think of that grunt that the really, really big players are able to provide.

So you've worked on this project recently looking at a number of Asian countries and their approaches to hyperscale cloud, including the advantages and risks that might require mitigation.

Just talk through the project and the approach you've taken.

Yeah, we looked at starting from the north, we looked at Japan, South Korea, Taiwan and the Philippines.

Now all these countries are undergoing a high degree of digital transformation both in the private and public sectors.

They're both moving a lot of things to to cloud.

And in the public sector, these countries are really looking at moving their government services, so their their public services to cloud providing, providing in that way both as part of digital transformation and and the innovation that it allows.

Partially for security reasons.

Moving or having systems on premises has advantages, but having it online I suppose also has its, its, its advantages.

And there are Security benefits to hyperscale cloud because these cloud providers have such a large global footprint, which means they are exposed to a lot of global threats.

And in that way, that also means they gain a lot of intelligence about these threats.

And in some cases, they can also automatically address these threats for their whole infrastructure globally.

So that's those kind of advantages these countries benefit from when they go to a hyperscale cloud provider.

They're also in in the private sector.

These private sector is taking it up very quickly in, in all these countries a lot faster than the public sector.

I think that's very that's a very common thing.

And some countries like South Korea, for example, a very digitally advanced country, their cloud uptake in the public sector was, is actually a fair bit slower, I think partially because they were really concerned about the the security of the systems on the cloud.

And so they had restrictions in place which meant that the public sector use, they could only use Korean providers, they could only use Korean staff who were physically in Korea to manage that data as well.

Now I can see the Security benefits of that, but the innovation benefits of these global hyperscale cloud providers is they innovate very quickly.

And so that the speed of innovation that global cloud providers allows faster passes the ones of domestic providers.

But domestic providers do have that local security advantage.

So there there's a space for for both the domestic providers and the global providers.

So what we've talked about is, is kind of why these countries have quite happily adopted cloud and are shifting to cloud.

But as part of that, they also one common challenge that they they all face is definitely a lack of cloud expertise in the workforce.

So you can be a highly, I guess, digitally mature country with a lot of IT expertise, but that doesn't automatically translate to understanding cloud services.

It's almost like a new paradigm because the way it's architectured is different from what you would have on premises.

So traditionally what you'd do is you'd you'd go out and buy your own hardware, install it and install the hardware, physically connect it up, network it up, install the software on there, configure the software and then put your data on it.

What cloud allows is a lot of that is done by the service provider, both the infrastructure, the platform and then the software services.

And what the customer does is they do the configurations of the software as well as put their data on it.

And so those two things are split in terms of the responsibility.

So the cloud providers handles the security of essentially the infrastructure and the customers handle the the responsibility and the security of the the data and the configuration.

Every cloud provider kind of does it a different way.

So you can generally understand how cloud works, but you also have to learn the different, I guess software in interface of each cloud provider.

So it's it's a real big shift from, you know, doing on Prem to doing on cloud.

A and the expertise question is clearly quite central there.

I mean you, you really do need some home grown expertise to be able to manage that effectively in, you know, in in in your nation's interests when it comes to you to, to the way you use computing and and and data resources.

Absolutely.

And, and the global cloud providers, they, they recognise this.

And so when they commit investment in a country for their their data centres, they usually pair this with local training as well.

OK, let's just focus in on innovation for a moment.

What are the advantages that access to hyperscale cloud affords a country in terms of its capacity to innovate?

So hyperscale cloud, the services provided by these hyperscale cloud providers as part of their cloud platform means that there are a lot of pre built services or you know, things like AI engines, things that are kind of pre set up that you I would say, I would, I see it as like modules you need to connect together as opposed to build from scratch.

So what I was talking about previously, when we you have on Prem, it's kind of like do it yourself, do it everything yourself from scratch.

Services provided by hyperscale cloud means you don't need to you just need to kind of learn the upper level so the the software kind of level as opposed to actually building it from the ground up to what you want.

And then providers have built it in such a way that you can kind of connect things together that they were already provided.

So using a few clicks, you can make this happen as opposed to previously, you would have to physically get the hardware and make sure you got the right hardware, make sure you have everything correct and even go through the the rigmarole of installing things that may not work if anybody's installed software before.

It's not always as streamlined as you would like.

So it provides that kind of speed advantage.

And think about that in scale because sometimes you don't need just one thing, you need several things to connect together.

And you can now do this at the software level and you don't need to think about the infrastructure level, the hardware infrastructure level, which really speeds up that kind of innovation cycle, I suppose.

I mean, it makes a lot of sense, yeah.

You have a foundation that you can just basically build applications on and yeah, you don't have to worry about all of that sort of deeper underlying technical infrastructure.

I think of it almost a little bit like vibe coding, which I've been exploring a little bit recently.

Like I've literally never coded in my life.

I don't have the faintest clue how to go about it, but I'm looking at these apps where I, all these platforms, I should say, where I can actually, you know, potentially build an app without knowing anything about coding it, you know, sort of me as a person or, or another country, as a nation.

I can feel like there are some parallels there.

Yeah, absolutely.

And as long as you've high speed Internet, you don't even need that infrastructure in your country, which is actually for the case of the Philippines, they don't actually have a cloud region in or hyperscale cloud region in the Philippines.

They are actually, they do have data centres that provide services from these high scale cloud providers, but cloud providers don't.

It's very expensive to create a cloud region because there's a lot of infrastructure, not only just the data centre building facilities, but also the Internet connectivity.

So actually putting all that connectivity in place.

Yeah, and the Philippines is a great example.

I mean, President Marcos has put a huge priority on digitisation and and he talks a lot about the the necessary economic gains that that a country like the Philippines can make.

So that's a that is a fascinating example.

Let's just talk about this sort of, I suppose, tension between the sort of sovereignty side and control of data against the resilience that hyperscale cloud provides.

It just seems to me, I mean, you can maintain complete data and compute sovereignty by only using data centres and associated infrastructure built in house at home.

But then you face the question of, well, what happens if something goes wrong with that?

What if you are in a strategically vulnerable part of the world, which the source of countries we're talking about here are, or they are vulnerable to natural disasters?

I think they're all on the Pacific Rim and therefore earthquakes, you know, tidal waves, these sorts of things, possibilities as well, as well as, you know, tropical weather risks.

So by outsourcing to hyperscale cloud, you give yourself some depth, but then you're also entrusting a lot of power to a big operator that's foreign headquartered.

Just talk about how countries are finding ways around that tension.

I mean, just explain some of the workarounds and some of the the options that they have to I guess strike a balance between those two things.

Absolutely.

The biggest challenge outside the the talent is definitely this question of national control when you're dealing with global cloud providers, because the only two countries, all most, most all countries in the world are affected by this.

The only two that aren't other the home countries of the major cloud providers, which are the US and China.

I think Taiwan's a good example to pull out here where what they've done, how they use hyperscale cloud is that they're trying to work out what they do in the case of all their submarine cables being cut where they can both if, if it's cut and they lose international connectivity, then they can operate internally, domestically, autonomously.

But if they're data centres inside Taiwan, and what I'm saying when I say data centres, I mean when they're using the services of the global cloud providers, if those aren't accessible within Taiwan, they've got put in resilience measures in terms of their connectivity.

And so they will they plan to use satellite to reach out and continue having that international connectivity to the data centres of the global providers outside Taiwan.

What they're doing is they're setting up their government services in other countries so that they have access to them in the case that their cables are cut.

And obviously trusted countries off the top of your head.

Where are they setting those up?

There's they've meant.

I'm not sure exactly where they're set up, but in when they were planning they did mention conducting exercises with links to perhaps countries like Japan and Australia.

Right.

OK, really interesting.

I mean, so, So what you're describing, I mean, it sounds to me as if a really a, a blend of approaches is the best way to do it.

I mean, you have to think about your cables.

What if they're cut?

You have to think about satellites to provide redundancy to your cables.

You need to think about what you're able to store and process at home, which gives you, you know, that I guess that sovereign control, but also give yourself the resilience by having access to hyperscale cloud in case something goes wrong with your, with your data centres at home.

I mean, is that a fair assessment that you've really just got to think about layers almost?

That's an excellent summary, thank you.

I wish I thought of it myself, really.

I, I have my moments, but I, I, I have been guided a little bit by the excellent pieces that you and my Aspy colleagues have been writing.

Well, let's, let's talk then about these blends.

I mean, it's not a, it's not a one size fits all, but and, and you've talked about Taiwan a little bit there.

But can you talk a bit more about what how countries are sort of finding these blended models that mix hyperscale and and local cloud and and these sorts of things and, and sort of give us some examples and thoughts on how countries are approaching that?

Yeah.

So all, all four countries that we looked at, they use both the global cloud providers and domestic cloud providers and the governments are supporting the use of both.

Like I said previously, there's you know, security advantages to the domestic ones and there's innovation advantages to to the global ones.

It's, I mean it's very, that's very simplified.

There are more advantages than that.

For example, in Australia, our Department of Defence is the developing their use of cloud and they use a bit of a mix of both hyperscale cloud providers and domestic providers.

Their guiding thought is that they will use the best of breed.

So whichever is best for the purpose that they need it.

They in terms of the local providers, in some cases the local provider actually provides better services for particular need.

And then for those in those cases they'll use the local provider.

The whole data sovereignty issue around hyperscale cloud is, is a big one and it's been around for a while.

And the global cloud providers to their credit have really tried to work with governments to address this.

And the way that they have done it in some cases is they'll offer what I'll term sovereign hyperscale cloud.

And what I mean by that is they are will say that OK, well your cloud tenancy it will be managed only by insert company name here our, our as in our staff who are local citizens, security cleared and they'll be the only ones that manage that.

That's a fascinating example because like a lot of things, you know, sovereignty doesn't necessarily have to mean everything's built, everything's owned, everything's operated from your own, you know, soil your own territory.

In that case, you have your own people working on it, but it's still employing.

You know, the the cloud which is distributed more globally, I mean it's a, it's a little bit the same with all I suppose you know, whether it's defence industry or national security generally sovereign doesn't mean sort of isolationist in a way.

That's right.

That's, that's actually a really interesting one because data localization is initial data localization, meaning some countries wanted their data to only reside in their country for security reasons.

We saw that in the Ukraine, but as soon it is in 2022 when with Russia's imminent invasion, they actually changed their laws to allow their data to be stored in global cloud providers and also offshore or outside their borders.

Yeah, and, and, and again, I mean, that's perfectly rational thing to do when you're facing a large, very aggressive enemy who, well, who's who is invading, in the process of invading you, but also is, you know, is notorious for its capability in cyber attacks.

And, and I suppose also in this case it's, it's ability to actually launch something like a, a ballistic missile against your data centres.

The certainly though they might have been attached to that idea of localization previously.

That makes a hell of a lot of sense to to give yourself a big insurance policy by spreading your data around globally with trusted providers.

Yeah, that's right.

But I, I do wonder moving forward, how thinking about the idea of resilience and digital resilience, an interesting factor about this and, and I think about this a lot with Australia is that if all our cables were cut, could we operate autonomously?

And the answer might surprise us because it's not just about data storage with us moving a lot of things to cloud with the Internet being global and us embracing that for the efficiency that the cost effectiveness.

If our international connectivity is completely cut, we have to consider things like when we're using all these cloud services that we use every day, whether it be our, you know, emails, any of our productivity suite does those things and the operations we need to work, can they actually function without international connectivity?

So does the application you need need software updates can operate without those software updates?

And what if those software updates are stored on a server outside of your country?

Can can that still function?

And if day to day you can happily, for example, use your email because of that international connectivity?

I'm not saying you're sending emails internationally, but perhaps the services that you're using as part of that require that international connection, you know, are those things affected?

If the answer is yes, then without that international connectivity, there's going to be issues equally.

Does that mean if countries are thinking about that, are they because we're moving to cloud, are countries going to require these global service providers to have presences in each country?

And that's a really crazy thought because that really breaks the paradigm of of cloud, the way that cloud is architect and the efficiencies that you gain from cloud cloud, which, you know, you could be using services in another country because it's more efficient to be, you know, processed over there.

And if we decide to put that, we need cloud regions in every single country and more than cloud reading cloud services, those services in country, how are you going to power and cool and you know, where are you going to put these data centres?

There's a lot of, you know, follow on questions from that.

I mean, a lot of the environmental and and even sustainability questions, yeah.

And it, but is that being talked about?

I mean, is that a, is that a prospect that people are seriously considering just to give themselves that assurance that in a worst case scenario in a, in a major global crisis, they have that that resilience?

National resilience seems to be a topic that of increasing importance.

So more and more it's it's being talked about, not necessarily in the digital space yet, but that's just the next question.

It's a logical question that follows what What about satellites?

How?

How much backup can they provide when they obviously just don't have the bandwidth of of undersea cables?

But are they part of the solution?

Like for an island, I would imagine that would be most definitely part of the resilience piece, that resilience and redundancy piece.

But because they don't have that same capacity as submarine cables, then you probably have to look at prioritising traffic and certain traffic.

What traffic do you want as a nation to go through there?

And that would have to be in discussion with the telecommunication providers, private companies that operate those networks.

Just a couple of quick things to wrap up on.

When you were talking before about, you know, Australia using the sort of you know, the, the, the best of the options available, you know some, some local providers, some global hyperscalers.

Can you give me some thoughts on what that means for interoperability?

For instance, like how do, what, what does it mean for a country like Australia, say to actually work with a country like the United States where we, we need the, well, just the IT expertise here at home to be able to sort of, I guess switch back and forth and move our data and, and processing around between those various options.

But over time, I mean, it's one of the advantages that you actually build up a kind of a, I don't know, a sense of interoperability with, with the trusted countries that you work with.

I think there are options to do that.

If you architected some, you know, common platforms, there are definitely advantages to that.

Like I was saying, the brilliance of cloud computing is that it's distributed and you can process things in other countries.

And then if you had trusted countries that you were happy to collaborate with and run your processes on and elsewhere, you have that, you know, I guess geographical redundancy.

So there are definitely options there.

And there's a lot of instances of multi cloud now where you use multiple cloud service providers.

And the way that people who do that who want to prevent vendor lock in is that they make sure those workloads can shift from different cloud providers.

And so using that multi cloud kind of idea, you know, you could theoretically generate a or architect a common platform.

Yeah, OK, right, right.

Which which could bring all sorts of benefits.

I mean, just as you're speaking, I'm thinking actually pretty much throughout the conversation because I, you know, I have a, an evangelical obsession with artificial intelligence and I do consider it the most transformative technology we will invent.

I mean, I, I just keep thinking that, you know, really everything you're talking about and including, you know, this idea of having local hyper scale presence in the event of a global crisis to make sure that we can continue to function.

And I look at the those charts that you see that that represent the amount of compute that will need to be built over over the coming years and decades to actually power the sorts of AI aspirations that that countries are increasingly having.

There's just a huge amount of work to do here and a huge amount of these sorts of problems that need to be solved.

I guess just as a sort of, you know, a sort of wrapping up observation, you know, is it, is it just a, should we be thinking about really, I suppose orders of magnitude of greater compute and greater resources processing powered storage capacity, all these sorts of things if we're actually going to realise this quite amazing future that our, our, you know, our tech optimists are talking about.

I don't know.

This is a wrapping up question.

We're starting a whole new podcast.

I think there's a there's.

A it's let's I, I call it in journalistic terms, I call it throwing it forward.

It's a, it's a, it's a possible part to, to podcast down the track.

Excellent.

I'll see you next week.

I'm keen for you for your overall views.

I think you're right about the future.

I think it's very much linked to AI.

It takes an eye watering amount of energy to power these things.

And if we want this in our future, we have to think really deeply about how to make this sustainable, how both in, in terms of, you know, energy that it's going to require, but also land in terms of where these things are going to happen.

So traditionally data centres are built or the cloud is generally they try to build it as close to population centres as possible in order to get the best response time for the users going to be using it.

With AI data centres, we're seeing them in more regional areas where there is that land and you'll just need to you need to connect, be able to connect power to it and get the workforce to those areas.

So considerations in terms of what I was saying about countries thinking about how they will be resilient and I guess self sufficient, I think they'll be need to be discussions between the cloud providers and governments about this.

Resilience can be achieved in many different ways and it really depends on the risk appetite and also the threat level faced by countries there.

I think governments will probably realise that there is a lot of burden on the cloud providers if they insist that there is that localization of of data or services.

But on the other hand, equally, how do countries, how can they be assured that they have that resilience considering how much we rely on digital services today?

Yep, absolutely.

Absolutely.

All right.

Look, Joss, it's a.

It's a tricky and complex topic that you've laid it out really beautifully for us, especially for non technical people like me.

And if I if I can give myself a pound on the back, I think like a good Hollywood franchise producer, I've set us up for a sequel there as well.

So hopefully we'll have you back soon.

Thanks.

Excellent.

Thanks, Dave.

That's all we have time for folks today on Stop the World.

We'll be back with a regular episode on Thursday instead of Friday.

Look out for Lord Mark Sedwell.