That one word is the whole problem.
From it you cannot tell whether Defence runs that software on its own machines, holding its own data, or whether a vendor operates the environment and holds the data on its behalf. The first is one kind of exposure. The second is another entirely. The published procurement record, the only record a citizen or an auditor can read, does not say which. A $178 million slice of the nation's defence infrastructure, and the single fact that decides who can lawfully reach the data inside it is recorded as: Software.
Multiply that across the Commonwealth and you have the subject of the assessment AustraliaOS published today.
Start with how the exposure arrived, because it did not arrive the way people picture it. No Australian agency sat in a meeting and chose a foreign provider over a local one. In 2023 an American company, Broadcom, bought VMware. Nothing in any Australian data centre moved that day. No server was unplugged, no file was copied offshore, no contract was signed by anyone in Canberra. And yet the jurisdiction sitting above a large part of the Commonwealth's virtualisation layer changed completely, because the company that controls it now answers to United States law.
Picture a tenant who has rented the same office for years. One morning the building is sold. The desk has not moved, the rent has not changed, the lease still reads the same. But the question of who can be compelled to unlock the door now has a different answer, decided in a country the tenant has never visited, by an owner the tenant has never met, in a sale the tenant was never party to. The furniture stood still. The chain of authority above it changed hands.
This is the distinction the whole assessment turns on, and it is the one Australian institutions keep collapsing. Where your data sits is residency. Who can lawfully compel the company that holds it is jurisdiction. They are different questions, and only the second decides reach. A provider incorporated in Delaware answers to Delaware whether its servers are in Virginia or in Sydney. Residency is not jurisdiction.
Here the assessment does something an alarmist would never do. It refuses to treat the exposure as one thing.
There are three kinds, and conflating them is exactly how you produce a frightening number that falls apart under questioning. The first is data access: whether United States legal process could compel disclosure of Commonwealth data. This is the exposure everyone assumes, and it is the most conditional of the three, because it turns entirely on that one hidden word, deployment. The second is supply continuity: whether export control and sanctions law could direct the vendor to withhold, degrade, or cut off the software an agency runs on. This does not turn on deployment at all, and it is the most firmly grounded. The third is corporate control: the demonstrated willingness of the United States to assert national security authority over Broadcom's own transactions, which it has already done once, by Presidential order.
Keeping these apart forces an honest result. The full $694.7 million of dependence is real as a supply and corporate control surface. But the data access surface, the frightening one, the one a headline would lead with, the assessment shows is firmly established for only a small fraction of the estate, because the record will not say more. Naming what you cannot prove is the opposite of the work. The discipline is in the separation.
Which brings the finding to its sharpest edge. Across 22 agencies and $694.7 million, the Commonwealth cannot determine its own data access exposure from its own publicly available records. Not because an adversary hid the answer. Because the procurement record was never built to carry it, and no framework requires anyone to go and find it. The exposure falls in the gap between procurement, which tests value for money; privacy, which governs personal information; and security, which assesses controls. The Information Security Manual and the program built on it measure whether a system is secure. Their stated scope is cyber security. The legal authority a vendor's home government holds over the vendor falls outside it. That axis has no owner. So it goes unmeasured.
That is the gap. It is assessable, and nobody is required to assess it.
The full assessment is published now. Every figure traces to a public procurement record or a primary statute. Every step where a reasonable reader could disagree is named as such. The document carries a hash you can recompute yourself to confirm nothing has changed since publication, and it links each named figure to the government's own record, so you can check the work without taking a word of it on trust.
The data is in Australia. The law that can reach it may not be.
Analysis and general information, not legal advice. See the assessment for its full limits and disclaimers. Obtain your own legal advice.
Third-party names and marks are the property of their respective owners. AustraliaOS is not affiliated with, authorised by, or endorsed by Broadcom Inc, VMware, or any vendor named.