Building Trust into Tech: A Framework for Sovereign Resilience
Governments across the Indo-Pacific are facing a critical question: who can be trusted to build and manage our most sensitive systems? Vendor choices, for everything from cloud infrastructure to identity platforms, are no longer just commercial; they are strategic. As cyber threats rise, supply chains fragment and coercive pressure grows, countries need better ways to assess technology providers and manage risk.
Too often, decisions rest on instinct or political reaction rather than structured assessment. Phrases such as ‘secure by design’ or ‘don’t trust, verify’ are common. But without a framework, they’re slogans, not standards.
Part one of ASPI’s new report—In Whose Tech We Trust: Mapping Indo-Pacific security approaches to foreign owned, controlled or influenced technology—offers a practical starting point. It compares how five Indo-Pacific countries (Australia, India, Japan, Singapore and South Korea) have weighed the technology risks that arise from foreign ownership, control and influence when assessing vendors, and it sketches what ‘good’ looks like in practice: requiring vendor attestations, embedding exit rights in contracts, mandating incident notification and defining oversight early in procurement. Where these steps have been taken, they have reduced exposure and strengthened enforceability. The analysis reinforces that technology assurance can no longer be reactive; it needs to be structured, enforceable and proportionate to the risks we face.
Part two of the report, scheduled for release next week, takes the findings from ASPI’s comparative analysis and turns them into a usable policy toolkit. It proposes a set of consistent, country-agnostic principles with clear defaults and thresholds to enable faster, defensible decision-making and reduce policy fragmentation. The principles themselves should be clear and transparent, but individual decisions, and the reasons behind them, do not always need to be publicized. That means clarity about the rules, combined with disciplined, case-specific enforcement when national interests demand it.
Building on this foundation, it introduces a four-point framework, covering ownership, operational control, access and legal authority, to identify where exposure lies and what can be trusted. The accompanying trust taxonomy then uses that determination to help governments decide which vendors should be able to access which systems. The result is a tiered model aligned with system sensitivity (see the report’s “Four-point framework for identifying exposure and managing vendor participation” and “Trust taxonomy according to system sensitivity and assurance levels”).
This approach doesn’t assume that all foreign vendors are a threat, nor that domestic ones can be trusted by default. Instead, it offers a practical way to map exposure, test enforceability and set thresholds that match the sensitivity of each system.
