The Billion Dollar Brick: AUKUS and the Illusion of Sovereign Capability
A few months ago, I wrote about the growing graveyard of “smart” home devices — expensive bits of plastic and silicon that turned into bricks the moment a corporate server in Virginia or San Francisco was switched off. It’s a personal annoyance when your $300 security hub stops talking to your lightbulbs. Scale that logic up to national defence and critical infrastructure, and the stakes shift from a darkened living room to a crippled nation.
We don’t need to speculate about how that failure mode plays out. We have a preview.
The AUKUS Subscription Model
Australia received its first F-35 Joint Strike Fighters in 2018, with full multi-squadron operations from 2021. They are, by any measure, extraordinary aircraft. They are also, in a very specific and underappreciated sense, not ours.
The software stack that runs them — first ALIS (Autonomic Logistics Information System), now rebranded as ODIN — is designed, maintained, and controlled by Lockheed Martin under a proprietary arrangement governed by US International Traffic in Arms Regulations (ITAR). When ALIS repeatedly failed to perform basic sustainment functions in the early years of operation, Australian engineers could not inspect or fix it. We waited for Lockheed Martin to issue a patch.
This is the preview. Multiply the price by a factor of ten and add nuclear propulsion, and you have AUKUS Pillar I. Australia is not buying submarines that we understand and can sustain independently. We are buying access to a platform whose core technology we cannot inspect, modify, or maintain — where the master keys are held in Washington.
AUKUS is sold to us using the language of “sovereign capability.” It sounds sturdy, like a well-built shed. It implies we own the tools, we know how they work, and we can fix them when they break. Look at the actual procurement structure and the “sovereign” part starts to feel as flimsy as a terms-of-service agreement you didn’t read.
AUKUS Pillar II — the “advanced capabilities” tranche covering AI, quantum computing, undersea surveillance, and electronic warfare — is the same logic, taken further. The specific systems being developed, the vendors engaged, the data handling terms, and the algorithmic dependencies are shielded from any public scrutiny by commercial-in-confidence clauses and national security classifications. The public is paying for systems it is not permitted to understand.
Project REDSPICE — a parallel and related initiative run through the Australian Signals Directorate, distinct from AUKUS Pillar II but cut from the same cloth — committed $9.9 billion over ten years to domestic cyber and intelligence capabilities. The opaque procurement structure makes independent accountability effectively impossible in both cases.
If the vendor changes its mind, or Washington’s strategic priorities shift again — as they have done, visibly, over the past two years — we will discover exactly what “sovereign” meant in the contract.

Opaque Procurement: The Epistemic Gap
A recent study in the Journal of Responsible Technology — Opaque Procurement: How Transparency Deficits Compromise Democratic Digital Sovereignty by Kamphorst et al. (2026) — examines this structural rot in the Dutch public sector. Their argument extends far beyond the Netherlands.
The researchers identify what they call an “epistemic access” problem. Public institutions that don’t know what they’ve bought, on what terms, and with what dependencies cannot exercise effective control. They cannot plan alternatives. They cannot assess whether a vendor’s sovereignty claims are real. They are, in the researchers’ words, “restricted in exercising effective control” — and without meaningful transparency about those procurement decisions, researchers, journalists, and citizens have no basis for democratic contestation.
The Dutch case study is instructive precisely because the Netherlands has a reasonable reputation for open data and government transparency. Even there, Susha et al. found that systematically tracing public procurement of data and AI products through the available platforms is “deeply challenging due to poor quality tender descriptions, ambiguous tender titles, and poor or missing documentation about the exact nature of a data product or service.” The tenders exist. The intelligence they should carry doesn’t.
AusTender — Australia’s equivalent of the Dutch TenderNed — publishes contract notices. In practice, the descriptions frequently read as “ICT Services” or “Technology Consulting.” The terms, the data dependencies, the lock-in clauses: commercial-in-confidence. You paid for it. You don’t get to know what you bought. For defence procurement, the classification layer removes even the contract notices from view entirely.
The researchers’ conclusion is worth sitting with: “Without knowing what is bought, from whom, and under what terms, public institutions are restricted in exercising effective control and cannot adequately plan for and use suitable alternatives.”
We are running that experiment right now, at national scale.
Nobody Ever Got Fired for Buying Microsoft
The AUKUS conversation dominates the headlines. The quieter procurement failure is happening in every agency, every hospital, every school.
“Nobody ever got fired for buying IBM” — the phrase updated to Microsoft in the nineties — names something real: procurement officers in risk-averse institutions default to the established vendor because the failure mode is defensible. An experiment that fails is a career problem. A Microsoft outage is a supplier problem. The logic protects individuals at the cost of collective sovereignty.
The Australian Tax Office runs its enterprise systems on SAP. Services Australia administers welfare payments through IBM mainframe systems built over decades of integration — attempts to replace them, including a failed Infosys-built entitlements engine abandoned in 2023, have made transition expensive and politically fraught. More than 140 Commonwealth agencies now run on Amazon Web Services under the Digital Transformation Agency’s whole-of-government cloud agreement. Most state health systems are deep into Epic or Oracle Health lock-in, with multi-decade contracts that make transition financially and operationally prohibitive.
Most critically for everyday Australians: Microsoft 365 is now ubiquitous across the Australian Public Service, state governments, and most school systems. Every email, every document, every Teams call from a public servant or a schoolchild lives on Microsoft’s cloud. The APS agreements with Microsoft run to hundreds of millions of dollars annually.
This is not a Microsoft criticism specifically — it is a structural observation. Every one of those vendors is a US company operating under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which allows US authorities to compel American cloud providers to hand over data regardless of where the servers are physically located. Australia signed a bilateral executive agreement with the US formalising this framework in 2021 — normalising, rather than constraining, the access mechanism. As I wrote in the AI transparency post: when an Australian school, health service, or government agency routes data through a US-based platform, that data is subject to US law. Microsoft 365 across the APS is that problem at federal government scale, normalised by years of quiet lock-in.
The pattern is also generational. The technology in these contracts changes faster than the contracts do. Australia signed decade-long arrangements with vendors whose data practices and jurisdictional obligations were not well understood at signing. The sleepwalking series documented how Australia’s surveillance and data infrastructure was assembled incrementally, each decision defensible in isolation, the cumulative picture visible only in retrospect. Procurement works the same way. Each renewal is reasonable. The aggregate dependency is alarming.
The Master Key Problem
The pattern from the F-35 to Teams messages to Collins class sustainment to AUKUS Pillar II is the same one I watch play out in IoT devices: the vendor holds the keys, and you don’t discover until you need them that you never had your own copy.
The Collins class submarines — the predecessors to what AUKUS is meant to replace — spent years in maintenance difficulties that the Australian National Audit Office criticised repeatedly. The sustainment arrangements meant that for critical components, Australia had to go back to the original equipment manufacturers, waiting on their schedules, paying their prices, unable to develop independent capability. It was expensive. It was foreseeable. It was the predictable result of buying complex proprietary systems without insisting on the technical knowledge transfer that genuine sovereignty requires.
In my own work building open-source irrigation and environment controllers, the philosophy is straightforward: if you own the hardware, you should own the code. If a sensor fails, you should be able to inspect it, understand it, and replace it with an alternative. That is not idealism — it is sound engineering. Systems you cannot understand are systems you cannot maintain.
AUKUS Pillar II inverts this entirely. It promises “sovereign” AI systems while the models, training data, algorithmic decisions, and data servers are leased from foreign entities. If we cannot inspect the algorithms or host the data on Australian soil under Australian governance, we do not have strategic independence. We have a dependency. And as the Kamphorst researchers note — and as I’ve seen with IoT platforms, and as the Collins sustainment demonstrated — dependencies are fine right up until they aren’t.
What Sovereignty Actually Requires
The contrast with how other nations approach digital infrastructure is pointed.
Estonia built its entire e-government architecture around explicit interoperability and open standards. The X-Road data exchange layer that connects Estonian government databases is open-source. Multiple vendors implement it competitively. If one fails or behaves badly, there are alternatives, and public administration can act without asking permission. The architecture was designed so that no single vendor could hold the system hostage. That was a deliberate political choice, made early, when it still cost less than the alternative.
Germany’s approach to digital sovereignty — funding the Sovereign Tech Agency to maintain the open digital infrastructure that underpins much of the world’s shared software — treats digital commons as public infrastructure, not an afterthought. As I wrote in Unicorns Build Monocultures, the EU is funding the equivalent of roads and water pipes in digital infrastructure. Australia is still signing ten-year leases on someone else’s proprietary stack with a flag sticker over the login screen.
The Kamphorst et al. paper offers three concrete recommendations that translate cleanly to the Australian context:
Transparency directives for digital procurement. End the blanket commercial-in-confidence exemption for software and data systems. If public money is paying for a system, the public should know where the data goes, what the dependencies are, and who holds the kill switch. Defence has legitimate exemptions. A contract for welfare payment software does not. A school’s Microsoft agreement certainly does not.
Independent verification of vendor claims. We cannot take a multinational’s word that a system is “sovereign-ready.” Structured, independent impact assessments — published by default rather than locked in a drawer — would surface what is currently invisible: the accumulated risk across agencies, the shared dependencies, the vendor lock-in terms that make transition prohibitively expensive. The EU’s AI Act establishes mandatory technical documentation requirements for high-risk AI systems. Australia has nothing equivalent, and is actively procuring those systems anyway.
Mandatory open standards. Every dollar of public investment should require interoperability. Systems that cannot be substituted — that are architected for lock-in — should not receive public funding. Australia should be building public-interest alternatives to dominant commercial platforms, or contributing to international open-source infrastructure alongside Europe’s coordinated efforts, rather than perpetually re-signing leases on platforms whose terms we don’t control.
Sovereignty is a Verb
Real sovereign capability is not something you acquire in a procurement round. It is something you build, understand, and maintain — the demonstrated ability to exercise effective control over the systems your society depends on.
The EU’s “Apply AI Strategy,” the expected revisions to European Public Procurement Directives, Germany’s Sovereign Tech Agency, the NLnet Foundation’s sustained investment in open digital infrastructure: these are not idealistic gestures. They are strategic responses to the same question Australia is failing to ask. What happens when the vendor changes the terms? What happens when the geopolitical alliance shifts? What happens when the company gets acquired or the contract expires and the replacement is three times the price?
If we continue to funnel billions into opaque, proprietary systems — nuclear submarines with US-controlled software stacks, classified AI capabilities buried in REDSPICE, welfare systems on American cloud infrastructure subject to US law, children’s school data on servers governed by foreign courts — we are not building sovereign capability. We are assembling the world’s most expensive and strategically consequential collection of potential bricks.
The first step toward sovereignty is knowing what you’ve bought and on what terms. That should not require a Senate estimates hearing or an ANAO audit after the damage is done. It should be the starting point for every dollar of public money spent on digital infrastructure.
Demand the terms sheet. Demand the keys.
Sources
F-35 and ALIS/ODIN
- Royal Australian Air Force, F-35A Lightning II
- ANAO, Joint Strike Fighter Project Data Summary Sheet (2022–23)
- Air & Space Forces Magazine, F-35 Program Dumps ALIS for ODIN
- Defense News, Pentagon completes first phase in replacing troubled F-35 logistics system (January 2022)
AUKUS and REDSPICE
- Smart Company, Budget allots $9.9 billion towards REDSPICE program
- Australian Institute of International Affairs, Enhancing Australia’s National Security Through ASD’s REDSPICE
- Department of Defence, AUKUS partners launch Pillar II project (June 2026)
Procurement opacity
- Kamphorst, B.A., de Wilde de Ligny, S., Ferrari, F., & Schäfer, M.T. (2026). Opaque procurement: How transparency deficits compromise democratic digital sovereignty. Journal of Responsible Technology, 26, 100178.
- Susha, I., de Wilde de Ligny, S., Schotanus, F., & Schäfer, M.T. (2025). Data for sale: Uncovering public procurement of private sector data in the Netherlands. Information Polity, 30(3), 233–264.
Australian government technology
- iTnews, Services Australia to upgrade IBM mainframe for $28.5m
- CRN Australia, Infosys beats IBM, Accenture in Centrelink payments engine contract
- Computer Weekly, Australian government doubles down on AWS (January 2025)
CLOUD Act
- Wikipedia, CLOUD Act
- AWS, Clarifying Lawful Overseas Use of Data (CLOUD) Act
Collins class
- ANAO, Management of the Collins-class Operations Sustainment
- ANAO, Defence’s Collins Class Submarines Life of Type Extension — Planning and Implementation (May 2026)
Digital sovereignty comparisons
- e-Estonia, X-Road
- Sovereign Tech Agency, sovereign.tech
- NLnet Foundation, nlnet.nl
- EU AI Act, Article 11: Technical Documentation
- European Commission, Apply AI Strategy
Part of a series on digital sovereignty and the infrastructure Australia is actually building. See Sleepwalking Off a Digital Cliff for the surveillance layer, Open Weights, Closed Minds for AI transparency, and Unicorns Build Monocultures on what the venture-capital model produces at scale.