Almost every serious conversation I have about Echidna Cams starts the same way. Not with our technology. Not with our customers. Not with what we’re building. But with an assumption.
“So… where are you manufacturing offshore?”
It’s usually asked casually. Sometimes with curiosity. Sometimes as advice. And for a long time, I didn’t think much of it. Because in modern technology businesses, offshoring production is treated as obvious, commercially sensible, and strategically unremarkable.
It’s almost what you’re expected to do.
But the more time I spent working with regulators, compliance teams and government operators, and in building our platform, the more that question began to trouble me. Not because offshore manufacturing is inherently wrong. And not because of any parochial instinct. But because of the kinds of systems government relies on, that assumption quietly ignores something fundamental.
These are not consumer devices. They are not gadgets. They are not disposable electronics. They are systems that:
- collect evidence
- inform enforcement
- influence regulatory decisions
- are essential to public and asset safety
- and sit inside critical public operations.
And in that world, where and how something is built is no longer just a cost decision.
It becomes a governance decision. A legal decision. And, increasingly, a sovereign capability decision.
When Surveillance Becomes Infrastructure
Across government operations (law enforcement, environmental compliance, transport, utilities, border protection, emergency management and local government), surveillance systems are no longer passive recording devices.
They are:
- instruments of regulatory power
- sources of evidence
- components of critical infrastructure
- and, increasingly, elements of national resilience.
In that context, supply chains are no longer a procurement issue. They are a governance issue. A legal compliance issue. A public trust issue. And, increasingly, a sovereign capability issue.
The Hidden Risk: Control, Not Malice
Much of the public conversation focuses on espionage. For government operators, the more serious and systemic risk is something different: Loss of control.
Control over:
- firmware updates
- communications pathways
- encryption and key management
- data routing and storage
- component availability and lifecycle support.
If any part of that chain sits outside your legal and sovereign control, then your compliance posture becomes fragile, your evidentiary integrity becomes contestable, and your operational continuity becomes dependent on external actors.
Not because anyone intends harm. But because jurisdiction, access rights and contractual power now matter more than intent.
When Control Pathways Become a Strategic Risk
This risk is no longer theoretical. In the past year alone, multiple public investigations and regulatory actions have revealed uncomfortable truths about modern infrastructure systems.
In one recent case, transport authorities identified that electric buses operating in a major public fleet contained remote shutdown functionality, a so-called “kill switch” capability, embedded within onboard control systems. The concern was not that the function existed. It was that:
- the capability had not been clearly disclosed
- the control pathway was external to the operator
- and the legal authority over its activation was ambiguous.
In response, the fleet has been temporarily removed from service. Not because the vehicles were unsafe. But because the system architecture created an unacceptable governance and continuity risk.
At the same time, regulators across Europe are now moving to systematically phase high-risk technology components out of public infrastructure, including transport, energy and communications systems. Again, not because of proven malicious use. But because:
- firmware provenance could not be fully verified
- update pipelines were not sovereign-controlled
- and long-term operational autonomy could not be assured.
These are not cybersecurity stories. They are governance stories. They are about a simple but confronting question:
"Should any external party retain the technical ability to disable, degrade or observe critical public systems?"
When Device Capability Becomes a Legal Risk
This becomes very tangible when viewed through the lens of surveillance law. In New South Wales, the Surveillance Devices Act 2007 defines a “listening device” as:
“any device capable of being used to overhear, record, monitor or listen to a conversation or words spoken to or by any person in conversation.”
That definition is deliberately broad. It is not limited to purpose-built audio bugs or microphones. It applies to any device capable of capturing or transmitting audio.
At the same time, there is now a widespread proliferation of surveillance and monitoring platforms that include:
- two-way audio
- full-duplex communications
- remote listening capability
- integrated microphones enabled by default
This typically occurs without any explicit governance controls, lawful-use enforcement or auditable activation logs. This creates a profound compliance tension.
To be honest, every time I see surveillance footage played on the news with audio recorded as clearly as day, I cringe.
Because under the Surveillance Devices Act 2007, it is an offence to manufacture, supply, possess, install, use or maintain a listening device to record a private conversation unless strict consent or statutory exceptions apply. Which means, a system may be perfectly functional… perfectly secure from a cybersecurity perspective… and yet unlawful by design in a regulated deployment.
For government operators, this matters deeply. It affects:
- whether material can be admitted as lawful evidence
- whether privacy obligations have been breached
- whether enforcement actions are vulnerable to challenge
- and whether the agency itself becomes exposed to liability.
This is the uncomfortable reality of modern systems: Capability itself can become the compliance risk.
Privacy, Surveillance Law and Evidentiary Integrity
For government agencies, surveillance operates at the intersection of:
- surveillance devices legislation
- privacy law
- administrative law
- criminal procedure
- freedom of information
- and judicial scrutiny.
That creates obligations far beyond basic cybersecurity. Because it is not enough for a system to “work”. It must also operate lawfully, preserve chain of custody, protect third-party privacy, withstand courtroom challenge, and remain auditable years after deployment.
If firmware provenance is unclear, update mechanisms are opaque, communications pathways are undisclosed, or device capabilities cannot be governed, then the system itself becomes a regulatory liability, not just a technical one.
Operational Continuity Is Now a Strategic Requirement
For government, resilience is not theoretical. It is measured in:
- continuity of service
- enforceability of law
- protection of communities
- and maintenance of public confidence.
In that environment, dependency creates strategic exposure. When critical components become unavailable, platforms lose vendor support, updates are withdrawn or restricted, systems are remotely disabled or degraded, or supply chains fracture under geopolitical stress, the consequences are not commercial. They are operational, legal and societal.
The real question for government operators is no longer: “Is this the best system on the market?” It is:
“Can this system still be trusted, governed and lawfully operated ten years from now?”
What Sovereign Capability Means for Government Operations
In public-sector terms, sovereign capability is not ideology. It is risk management. It means:
- transparent and auditable supply chains
- control over firmware and update pipelines
- visibility of communications pathways
- data residency aligned to domestic law
- architectures that can be inspected, tested and governed
- lifecycle certainty for long-term operations.
In practice, it ensures that agencies retain authority over their own systems, evidence remains defensible, privacy obligations remain enforceable, and operational control cannot be externally withdrawn.
This is not about isolation. It is about assured operational autonomy in systems that exercise public power.
Why This Matters Now
As governments expand the use of automation, AI-assisted monitoring, remote sensing and intelligent enforcement, the technology stack becomes inseparable from public authority itself. Which means, technology decisions are now institutional decisions.
They shape the enforceability of law, the protection of rights, the resilience of infrastructure, and the integrity of government operations. Sovereign capability is no longer a policy aspiration. It is becoming a core operational requirement. And for government operators, it will increasingly define what systems can be lawfully deployed, what evidence can be relied upon, and what organisations can be trusted with public responsibility.
This is no longer about cameras. It is about governance, trust, and the future resilience of public operations.