The CISO’s Dilemma: Operationalising Sovereign Technology Decisions in Private Sector Risk Frameworks
(Part of the “Five Forces Breaking the Digital Order” series)
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
The message arrived from a good friend and colleague in Asia — a CISO at one of the region’s major banks.
“A lot of talk around sovereign tech, tech bifurcation etc but no real concrete so what for private organisations… I’m secretly hoping your next Substack will focus on this because there’s too much motherhood crap coming from media.”
He’s right. Governments across the Asia-Pacific are wrestling with sovereignty and vendor trust. Australia’s ASPI talks about “trusted tech ecosystems”. The United States actively weaponises export controls. The European Union builds sovereignty through regulation. Meanwhile, CISOs at banks, insurers, and telcos face vendor committees next Tuesday, making decisions that will lock in operational risk for the next decade.
The gap between policy discourse and operational necessity has never been wider, and this essay aims to bridge that divide.
The Problem: Geopolitical Risk Without a Language
Technology bifurcation, one of the Five Forces I’ve argued is reshaping the digital order, is now a defining feature of the technology landscape. But recognising the trend doesn’t help a CISO explain to a CFO why vendor nationality matters or how to quantify the difference in exposure between cloud providers under different legal regimes.
Traditional enterprise frameworks measure financial stability, cyber maturity, and compliance. None translate jurisdictional exposure into risk appetite. When a board asks, “Why does it matter if our cloud is American, Chinese, or European?” most frameworks offer hand-waving.
The issue moved from theoretical to immediate in 2023 when Chinese state actors exploited a flaw in Microsoft’s cloud identity infrastructure, enabling access to senior US officials’ emails. The subsequent review by the US Government’s Cyber Safety Review Board described “a cascade of avoidable security failures” at Microsoft. But the deeper lesson for CISOs was not simply technical; it was that large global vendors are subject to geopolitical incentives and legal systems that shape their threat profile. In other words, some vendors attract sovereign-level attention regardless of how strong their engineering is.
For Asia-Pacific firms operating under conflicting regulators — BNM, RBI, MAS, APRA, HKMA, BSP — this becomes existential. Technology choices made today embed structural dependencies that will persist long after the procurement team has moved on. Cloud computing, identity, and communications platforms define operational sovereignty in ways that few organisations fully confront.
Beyond Binary Thinking: A Framework for Vendor Geopolitical Risk
The real question isn’t “Which country’s technology should we trust?”
It’s:
What risks arise from this vendor’s legal obligations, given the sensitivity of the system and the geopolitical exposure of the organisation—and how can these risks be mitigated?
A pragmatic framework rests on four dimensions: system criticality and sensitivity, vendor jurisdiction, organisational exposure, and the mitigations available.
Worked Example: Singapore-Based Bank, 2025
Scenario: Migration of a core payments platform — AWS Singapore vs Huawei Cloud Hong Kong.
Criticality/Sensitivity: High-High (real-time payments, regulated data).
Vendor Jurisdictions:
AWS → subject to U.S. CLOUD Act.
Huawei → subject to PRC National Intelligence Law & Data Security Law.
Organisational Exposure: Operates in Singapore and Australia; no mainland China footprint; under MAS and APRA supervision.
Mitigations:
External key management
MAS-aligned data localisation
Tested regional failover
Assessment:
AWS introduces U.S. legal reach; Huawei introduces PRC data-access exposure. Under MAS/APRA mapping, U.S. exposure is manageable with external KMS. PRC exposure is not acceptable for a High-High financial system.
Decision:
Proceed with AWS plus mitigations.
Cost: +22% vs single vendor
Resilience: ~3× RTO improvement (24h → 8h)
This is what geopolitical risk looks like when translated into an operational decision.
Translating Framework to Risk Appetite
Boards don’t need another sentence about having a “low appetite” for foreign influence. They need decision gates.
High-High Systems
Vendor jurisdiction must align with at least two primary regulatory regimes
Encryption keys must be externalised
Annual failover and portability testing
Transparent reporting of government data requests
High-Low Systems
Multi-cloud or regional redundancy preferred
Portability and continuity clauses required
Low-Criticality Systems
Traditional commercial and technical assessment
Jurisdiction as a secondary consideration
This turns geopolitical noise into something a board can govern.
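To show how the decision gates above and the Singapore worked example combine into something a risk team can run over an estate, here is an added illustration in Python. It is constructed example code, not the author's scorecard or any bank's tooling: the tier classification, the per-tier gates, the supervisor-to-jurisdiction table (REGIME_ACCEPTS), the hard exclusion for High-High systems, and the vendor and organisation records are all assumptions for illustration, to be replaced by the output of your own legal and regulatory review.

```python
"""Vendor geopolitical risk gate.

Added illustration of the essay's framework: classify a system by
criticality x sensitivity, then apply that tier's decision gates to a
vendor given the organisation's primary regulators. Constructed example,
not the author's tooling. Every mapping below is an ASSUMPTION.
"""
from dataclasses import dataclass


def classify(criticality: str, sensitivity: str) -> str:
    """Technology Estate Classification Matrix: criticality x sensitivity -> tier."""
    c, s = criticality.strip().lower(), sensitivity.strip().lower()
    if c == "high" and s == "high":
        return "High-High"
    if c == "high":
        return "High-Low"
    return "Low"


# Decision gates per tier, following "Translating Framework to Risk Appetite".
GATES = {
    "High-High": {"external_kms", "annual_failover_test",
                  "portability_test", "transparency_reporting"},
    "High-Low": {"portability_clause", "continuity_clause"},
    "Low": set(),
}

# ASSUMED: vendor legal jurisdictions each supervisory regime is modelled as
# tolerating for a mitigated high-tier workload. Illustrative only.
REGIME_ACCEPTS = {
    "MAS": {"SG", "US", "EU", "AU"},
    "APRA": {"AU", "US", "EU", "SG"},
    "HKMA": {"HK", "SG", "US", "EU", "CN"},
}
# ASSUMED: jurisdictions the policy excludes outright for High-High systems
# (the worked example treats PRC data-access exposure this way for payments).
HARD_EXCLUDE_HIGH_HIGH = {"CN"}


@dataclass
class Vendor:
    name: str
    jurisdictions: frozenset            # legal regimes with reach over the vendor's data
    mitigations: frozenset = frozenset()  # controls already in place for this deployment


@dataclass
class Organisation:
    regulators: frozenset               # primary supervisory regimes


def assess(tier: str, vendor: Vendor, org: Organisation) -> dict:
    """Apply the tier's gates; return decision, blocking findings, missing controls."""
    blockers = []
    if tier == "High-High":
        excluded = vendor.jurisdictions & HARD_EXCLUDE_HIGH_HIGH
        if excluded:
            blockers.append(f"{vendor.name}: jurisdiction {sorted(excluded)} "
                            "not acceptable for a High-High system")
        # Gate: vendor jurisdiction must align with at least two primary regimes.
        aligned = sorted(r for r in org.regulators
                         if vendor.jurisdictions <= REGIME_ACCEPTS.get(r, set()))
        if len(aligned) < 2:
            blockers.append(f"{vendor.name}: aligns with {aligned}, "
                            "fewer than two primary regimes")
    missing = sorted(GATES[tier] - vendor.mitigations)
    if blockers:
        decision = "reject"
    elif missing:
        decision = "proceed-with-mitigations"
    else:
        decision = "proceed"
    return {"decision": decision, "blockers": blockers, "missing_mitigations": missing}


# Constructed scenario mirroring the essay's worked example (Singapore-based bank).
BANK = Organisation(regulators=frozenset({"MAS", "APRA"}))
AWS_SG = Vendor("AWS Singapore", frozenset({"US", "SG"}))             # CLOUD Act reach + local law
HUAWEI_HK = Vendor("Huawei Cloud Hong Kong", frozenset({"CN", "HK"}))  # PRC NIL/DSL reach + local law
PAYMENTS_TIER = classify("High", "High")

if __name__ == "__main__":
    for v in (AWS_SG, HUAWEI_HK):
        print(v.name, assess(PAYMENTS_TIER, v, BANK))
    mitigated = Vendor(AWS_SG.name, AWS_SG.jurisdictions, frozenset(GATES["High-High"]))
    print("AWS + mitigations:", assess(PAYMENTS_TIER, mitigated, BANK)["decision"])
```

Run as written, the Huawei option is rejected on two blockers (hard exclusion and zero regime alignment), the unmitigated AWS option returns "proceed-with-mitigations" with external key management among the missing controls, and AWS with the full gate set returns "proceed", which is the worked example's outcome. The same Huawei record assessed at the Low tier passes, reflecting the essay's point that jurisdiction is only a secondary consideration there; the value of the function is that it makes the tier boundary, not vendor nationality, the thing that changes the answer.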
The Financial Services Layer: Supervisory Fractures
Regulators across the region are diverging, not converging:
MAS (Singapore): Cloud-pragmatic, resilience-focused, strong on exit planning.
APRA (Australia): CPS 230 heightens scrutiny on offshore dependencies and material service providers.
HKMA (Hong Kong): Sensitive to data flows that may be accessible from mainland China.
A regional bank must therefore design for regulatory interoperability, not regulatory uniformity.
Regulatory mapping: Understand divergence in localisation, sovereignty, and resilience.
Architecture by jurisdiction: e.g., regional cloud for MAS markets; hybrid with externalised KMS for APRA markets.
Supervisor engagement: Seek alignment before deploying critical workloads.
Audit trail: Document how geopolitical risks were assessed, mitigated, and accepted.
Expanding the Options: Beyond the US–China Binary
The US–China vendor dichotomy obscures more strategic choices than it reveals. It’s a framing that dominates the headlines but rarely helps boards or CISOs make operational decisions.
In my analysis of the uBios development and other arguments, I have shown that origin is a blunt and misleading proxy for risk. A Chinese vendor operating in Singapore, a US vendor operating in Frankfurt, and an EU vendor operating in Australia all carry extraterritorial legal exposure. The risks differ — but not in the simplistic “country-of-origin = trustworthiness” way the public debate assumes. Jurisdiction, legal obligations, and system criticality matter far more than flags or sentiment. This is why a framework-based approach beats ideology every time.
With that in mind, the real choice set is broader:
Sovereign cloud alternatives
Australia: AUCloud (Sovereign Cloud Australia) and Canberra Data Centres offer Australian ownership and in-country operations, reducing foreign legal exposure. Trade-offs: limited scale and service breadth versus hyperscalers, especially for advanced analytics and AI.
Singapore: Government Commercial Cloud (GCC/GCC+) provides government-orchestrated environments on commercial clouds with Singapore-only regions and sector-specific compliance for public sector workloads.
Both models reduce but don’t eliminate cross-border legal risk while constraining capability compared to global platforms.
Alliance-based trust frameworks
AUKUS, EU–US adequacy arrangements, and Five Eyes-aligned assurance models
Lower friction for specific data classes
Highly sector-dependent (especially defence, national security)
Open-source and self-managed models
Kubernetes/OpenStack on sovereign compute
Maximum jurisdictional independence
High operational complexity and cost
Each option still requires evaluation across the same four dimensions: system criticality, vendor jurisdiction, organisational exposure, and mitigation.
From Framework to Tools
1. Vendor Geopolitical Risk Scorecard
Ten practical lenses:
legal compulsion · transparency · regulator alignment · portability · resilience · sector targeting · supply-chain opacity · financial durability · incident behaviour · exit cost/time
2. Technology Estate Classification Matrix
Classify all systems by criticality × sensitivity to trigger differentiated vendor requirements.
3. Strategy Comparison: Cost–Resilience Trade-Offs
4. Scenario Planning
Stress-test vendor choices against plausible shocks:
CLOUD Act subpoena
PRC DSL/NIL enforcement abroad
CPS 230 interpretations
Taiwan/Philippines escalation
Supply-chain ransomware attack on a major cloud provider
Indicators to Watch (2026–27)
CLOUD Act case law on overseas data production
First PRC Data Security Law enforcement involving non-Chinese entities
APRA’s CPS 230 guidance on offshore dependency
Legal durability of the EU–US Data Privacy Framework
AUKUS implementation for data handling and tech-sharing
RCEP digital harmonisation trends across ASEAN
As these factors change, your vendor risk posture will change accordingly.
The CISO as Geopolitical Risk Manager
Technology bifurcation has quietly turned CISOs into interpreters of geopolitics. We still manage cyber resilience, but now we also arbitrate between legal systems, evaluate jurisdictional incentives, and design around geopolitical exposure.
It’s shared work:
Boards must understand why jurisdiction matters
Executives must accept cost–complexity trade-offs
Risk teams must integrate geopolitical exposure into frameworks
Different organisations, such as a bank in Melbourne, a fintech in Jakarta, or an insurer in Hong Kong, will establish different boundaries, but they all stand to gain from transforming rhetoric into measurable, defensible criteria.
My next piece in this series will transform this framework into a concrete scorecard and a board-ready appetite dashboard—practical tools designed to make sovereign technology decisions both repeatable and defensible.
Closing Thought
The vendor committee meets next Tuesday. The cloud business case goes to the board next month. Geopolitical risk isn’t a policy debate; it’s part of the operating environment.
Operational sovereignty isn’t declared; it’s engineered, and increasingly, that work starts with the CISO.
References
[1] Department of Homeland Security Cyber Safety Review Board, “Review of the Summer 2023 Microsoft Exchange Online Intrusion,” March 2024
[2] Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. § 2713, 2018
[3] People’s Republic of China, National Intelligence Law (2017) and Data Security Law (2021)
[4] European Union, General Data Protection Regulation (GDPR) 2016/679 and Network and Information Security Directive (NIS2) 2022/2555
[5] Monetary Authority of Singapore, “Technology Risk Management Guidelines,” January 2021 (updated June 2023)
[6] Australian Prudential Regulation Authority, “Prudential Standard CPS 230: Operational Risk Management,” effective July 2025
[7] Australia-United Kingdom-United States Security Partnership (AUKUS), technology-sharing provisions announced September 2021, implementation ongoing