AusCert 2010: Microsoft to link critical infrastructure security agencies
- 19 May, 2010 12:08
Microsoft has launched a world-first global government security network to share information on vulnerabilities and exploits that affect critical infrastructure.
The Defensive Information Sharing Program, launched at AusCERT 2010, builds on the preceding Government Security Program (GSP) and the Microsoft Security Program (MSP).
Microsoft Security Response Centre security program lead, Steve Adegbite, said the program will include all national government infrastructure owners.
"We just didn't react fast enough to the Google [China] attacks. We had this information that is volatile, and not putting it in the hands of defenders just doesn't make sense," Adegbite said.
"We will provide this information after our investigative and remediation cycle is completed to ensure that members are receiving the most current information. While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles.
"The program shares updates, the reasons behind them, stack traces, source code, and technical details ahead of the [patches] so entities can take remedial action."
It includes a Critical Infrastructure Protection Program under which non-disclosure agreements will be abolished to allow disparate government agencies to share information on solving security infrastructure risks. The program will also partner infrastructure agencies across the world to help them resolve similar problems.
Participants can access the network via a Microsoft web portal. It has been in development for 18 months and will be run as a year-long trial.
The program could inflame rivalry in the ranks of national security agencies, according to AusCERT representatives.
Membership of the program will only be extended to one national CERT, which participates in the GSP and MSP, in a move seen to inflame what a former AusCERT official identifies as a hatred between Australia's Critical Emergency Response Teams (CERTs).
The former official said the Australian agencies AusCERT and GovCert "hate each other", and compete for resources and responsibilities. It is understood that GovCert and AusCERT each have membership of the MSP and GSP.
Scott McIntyre, security officer for the Netherlands CERT, said the program should include industry groups such as telecommunications providers, and noted that country does not have, "nor wants", a national CERT agency.
Adegbite said problems will be addressed during the program pilot.