The company was responding to a call for submissions to the government's consultation paper on protecting critical infrastructure and systems of national significance.
A draft bill will be circulated next and it is intended to change the Security of Critical Infrastructure Act 2018 and put in place "an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure. The regulations support the operation of the bill’s assistance and co-operation measures".
The changes are part of the country's Cyber Security Strategy 2020. A total of 194 submissions to the consultation paper were received and 128 were made public a few days ago.
Taylor-Price, whose company is the first local cloud outfit to win a whole-of-government contract — a five-year deal with the NSW Government signed in July — said Australia was fortunate that its four biggest banks were all owned locally, adding that if they were owned by foreign interests, then this would "present an unacceptable aggregate risk to Australia".
"In the data and the cloud sector, unfortunately Australia is in the situation where the majority market share has gone to foreign companies," he said. "In the data and cloud sector we face a grave existential risk because:
"Cloud is rapidly expanding in all critical infrastructure and government supply chains; and
"Cloud providers operating in Australia are predominantly foreign owned which, according to the Australian Cyber Security Centre, poses a foreign interference risk."
Taylor-Price said the majority market share of the data and cloud sector has gone to foreign companies in part because the Australian Signals Directorate formally certified non-compliant foreign-owned clouds while at the same time enforcing compliance on Australian providers, resulting in the latter operating at a disadvantage.
An additional reason, he said, was that the Federal Government had signed whole-of-government agreements with several foreign companies but no Australian companies, citing figures from a report in the Australian Financial Review which showed that AWS, Azure, Google Cloud, IBM, Oracle and Alibaba Cloud made up about 82% of local cloud infrastructure-as-a-service spending, with the first two companies dominating.
"The result is an enormous aggregation risk, a black swan event beyond any Australia has seen," he said. "Conceivably, within a few years from now more than 51% of critical infrastructure entities could have a critical supply chain risk on two foreign-owned clouds.
"For the avoidance of doubt, this could mean that the majority of Australia's critical infrastructure could have a simultaneous outage including all the major banks, federal and state governments, Home Affairs critical infrastructure centre itself, communications, transport, defence, defence industry and utilities.
"To compound this, many platform-as-a-service and software-as-a-service providers also leverage the infrastructure-as-a-service of these cloud providers, often without the knowledge of the critical infrastructure buyer – resulting in many auxiliary and support systems being down at the same time.
"In 2020, both Google and IBM had global outages in all regions that lasted over four hours. We respectfully put forward that this aggregate risk is one of the greatest risks that Australia could face in the next decade in the absence of regulation."