I have always wanted to say that. I am here at the AusCERT 2010 conference in the beautiful Gold coast, Australia. I am here with my fellow ecostrat colleague Karl Hanmore presenting our talk on “Engagement between National/Government CERTs and the vendor community; benefits and challenges”. This talk is going to highlight some of our experiences engaging and collaborating on multiple levels with governments around the globe. We are also going to talk about some key ideas and frameworks that can make the collaboration process between government and vendors more effective. We are also announcing some pilot programs for governments that we hope will help push the collaboration efforts to the next level with regards to shared information levels.
In dealing with governments around the world, the same questions seem to come out in conversations:
- How can Microsoft help us defend our critical infrastructure?
- How can Microsoft aid us in understand the threat to our Microsoft technology environment?
- How can Microsoft help us with information so that we can make defensive risk assessments decision quicker?
We here at Microsoft understand that most governments are placed in unique positions when it comes to dealing with vulnerabilities within technologies. On one hand, governments have the responsibility to protect their critical infrastructure and government assets from vulnerability attacks. Some of these critical infrastructures are so important to people's lives that any disruption would cause a negative impact that would be felt widely. On the other hand, governments serve as the entity to coordinate defensive actions between both private and public sectors to ensure that their constituents are protected as much as possible from computer based attacks. In order to do both of these roles effectively, they need access to critical information as early as possible to assess, plan and execute actions to protect people.
Looking at past internet based attacks, the trends are pointing to an increase in complex multi-dimensional computer attacks. We believe that governments will see increased demands for swifter responses to vulnerabilities that threaten public assets. The need for information to aid in quicker and thorough risk assessments will be paramount. However, the need to provide this information in a structured, repeatable and secure manner will be the key for success. So we are looking to use some of our well established government focused programs such as the Security Cooperation Program (SCP) to aid in providing two new pilot programs aimed to help governments. Microsoft is moving ahead with the offering of 2 programs aimed at sharing key technical information on Microsoft vulnerabilities and strategies to aid in securing critical infrastructure:
- The Defensive Information Sharing Program (DISP) will offer governments entities at the national level who are part of both the Government Security Program (GSP) and Security Cooperation Program (SCP) with technical information on vulnerabilities that are being updated in our products. We will provide this information after our exhaustive investigative & remediation cycle is completed to ensure that DISP members are receiving the most accurate information as we know it. This process varies from issue to issue due to the complex nature of vulnerabilities. However, this process is always complete just prior to our security update release cycles. DISP members will receive this information in this window.
- The Critical Infrastructure Partner Program (CIPP) will provide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures.
In the long run, Microsoft hopes that through these pilot programs we can gain valuable insight on ways to improve our collaboration efforts to aid in protecting the greater ecosystem at large.
That’s all from “down under”
*Postings are provided "AS IS" with no warranties, and confers no rights.*