Building trust into technology

November 18, 2025

Governments across the Indo-Pacific are facing a critical question: who can be trusted to build and manage our most sensitive systems? Vendor choices, for everything from cloud infrastructure to identity platforms, are no longer just commercial; they are strategic. As cyber threats rise, supply chains fragment and coercive pressure grows, countries need better ways to assess technology providers and manage risk.

Too often, decisions rest on instinct or political reaction rather than structured assessment. Phrases such as ‘secure by design’ or ‘don’t trust, verify’ are common. But without a framework, they’re slogans, not standards.

Part one of ASPI’s new report, In Whose Tech We Trust: Mapping Indo-Pacific security approaches to foreign owned, controlled or influenced technology, offers a practical starting point. It provides comparative analysis of how five Indo-Pacific countries—Australia, India, Japan, Singapore and South Korea—have balanced technology risks related to foreign ownership, control and influence when assessing vendors.

It provides a starting point for what ‘good’ looks like. This has included requiring vendor attestations, embedding exit rights in contracts, mandating incident notification and defining oversight early in procurement. These steps have reduced exposure and strengthened enforceability. That analysis reinforces that technology assurance can no longer be reactive. Instead, it needs to be structured, enforceable and proportionate to the risks we face.

Part two of the report, scheduled for release next week, takes the findings from ASPI’s comparative analysis and turns them into a usable policy toolkit. It proposes a set of consistent country-agnostic principles with clear defaults and thresholds to enable faster, defensible decision-making and reduce policy fragmentation.

But while principles should be clear and transparent, individual decisions or reasons do not always need to be publicised. This means clarity about the rules but disciplined case-specific enforcement when national interests demand it.

Building on this foundation, it introduces a four-point framework—covering ownership, operational control, access and legal authority—to identify what can be trusted. The accompanying trust taxonomy then builds on that determination to help governments decide which vendors should be able to access which systems. The result is a tiered model aligned with system sensitivity:

Four-point framework for identifying exposure and managing vendor participation.

Trust taxonomy according to system sensitivity and assurance levels.

This approach doesn’t assume that all foreign vendors are a threat nor that domestic means trusted. Instead, it offers a practical way to map exposure, test enforceability and set thresholds that match the sensitivity of each system.

In Australia, that clarity is often missing for the general public. Consumer routers and connected devices are widely deployed without lifecycle support or security assurance. Foreign drones routinely collect high-resolution imagery over farmland, energy assets and logistics hubs, data that can be exfiltrated or analysed offshore. Critical infrastructure still relies on components and software never designed with sovereignty or auditability in mind.

The result is inconsistency. Some countries act early and decisively, recognising the implications of vendor control. Others default to price, convenience or legacy arrangements. Procurement teams often lack the tools, policy guidance or commercial levers to distinguish between technical performance and systemic risk.

This taxonomy helps fix that. Trust becomes structured, not assumed. It forces a shift from intuition to evidence, and from goodwill to governance. Can you verify who has access to the system? Can you enforce national rules? Can you act decisively if obligations are breached? If the answer is no, then the vendor isn’t trusted—regardless of its track record, price point or technology stack.

These questions matter even more as Australia deepens its AUKUS commitments. Shared capability depends on shared standards. If partners define trust differently, delivery falters and interoperability suffers.

These steps align closely with Europe’s emerging approach. The European Union’s ICT Supply Chain Toolbox—expected later this month—will offer guidance on identifying high-risk vendors and reducing exposure through certification, diversified supply chains and, in some cases, phase-out measures. While currently voluntary, the EU is exploring how to anchor parts of the framework into law through the Cybersecurity Act review.

A coordinated, risk-based framework is exactly what Indo-Pacific partners now need. Without it, trust becomes guesswork, and guesswork is no substitute for security. This isn’t a call for autarky; it’s a way to decide where sovereign investment is needed, where foreign participation is acceptable, and where the line must be drawn.

Embedding principles into an enforceable framework allows governments to protect critical infrastructure, preserve strategic autonomy and mitigate state-controlled technology risks while maintaining economic openness and innovation. In practice, this means clarity about the rules and disciplined, discreet enforcement when national interests demand it.

The phrase ‘don’t trust, verify’ only matters if verification is possible or embedded within a framework that is predictable and consistent across jurisdictions. ‘Secure by design’ only matters if the design is open to scrutiny, governed under trusted legal systems and accountable when things go wrong. Sovereignty in the digital age is not defined by where a company is registered; it’s defined by who controls operations, who accesses data, and which laws apply when pressure is applied.

If Indo-Pacific countries want to lead with trusted tech, they first need to define what ‘trust’ means. The approach developed by ASPI is a step toward that definition—helping move from slogans to standards, and from rhetoric to resilience. This recognises the real question isn’t who built the system; it’s who controls it when control matters most.

This article was written by Jason Van der Schyff and James Corera, the director of ASPI’s Cyber, Technology and Security Program. It was published by The Strategist.