CSIRO and Google partner to close gaps in Aussie infrastructure software supply chains (ARN)


National science agency CSIRO and Google have entered into a research partnership to close gaps in how Australia's critical infrastructure (CI) operators find, understand and fix vulnerabilities in their software supply chains.

Both organisations will develop tools and frameworks that help local CI operators meet their software supply chain security obligations, including those under the amended Security of Critical Infrastructure Act and Australia's Cyber Security Strategy.

The tools and frameworks will focus on identifying and fixing vulnerabilities in open-source software components that have become an increasingly important part of digital transformation for Australia’s critical infrastructure.

Under the partnership, CSIRO will also work with Google's open source security team and Google Cloud to develop AI-powered tooling, including automated vulnerability scanners and data protocols.

The tools will tap into existing resources, including Google’s OSV database for intelligence on vulnerabilities.
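To make concrete what an OSV-backed scanner does at its core, the following is an added example (not code from CSIRO, Google or the partnership): it takes a package inventory and tests each version against the affected ranges of records in the OSV schema. The record, its identifier EXAMPLE-2024-0001, the package name example-lib and the inventory are all constructed for this example and do not describe a real advisory; a production tool would fetch records from the OSV API rather than embedding them.

```python
"""Match a package inventory against OSV-format vulnerability records (offline)."""
import json

# Constructed sample record in the OSV schema shape. The ID, package name,
# summary and version numbers are made up for this example; they do not
# refer to any real advisory or project.
SAMPLE_OSV_RECORDS = json.loads("""
[
  {
    "id": "EXAMPLE-2024-0001",
    "summary": "Constructed example entry for example-lib (not a real advisory)",
    "affected": [
      {
        "package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [
          {"type": "ECOSYSTEM",
           "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                      {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
        ]
      }
    ]
  }
]
""")


def parse_version(text):
    """Turn a dotted version string into a comparable tuple, padded to three
    components so "1.4" and "1.4.0" compare equal. The OSV sentinel "0"
    (meaning 'affected from the first release') becomes (0, 0, 0)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, events):
    """Walk an ascending OSV event list and report whether the version falls
    inside an [introduced, fixed) window. Each event carries one key."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if v >= parse_version(event["introduced"]):
                affected = True
        elif "fixed" in event:
            if v >= parse_version(event["fixed"]):
                affected = False
        elif "last_affected" in event:
            if v > parse_version(event["last_affected"]):
                affected = False
    return affected


def affects_package(record, ecosystem, name, version):
    """True if the record lists (ecosystem, name) and the version is affected,
    either by an explicit version list or by a version range."""
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in affected.get("versions", []):
            return True
        for rng in affected.get("ranges", []):
            if rng.get("type") == "GIT":
                continue  # commit ranges need repository history, not version comparison
            if version_in_range(version, rng.get("events", [])):
                return True
    return False


def scan_inventory(records, inventory):
    """inventory: iterable of (ecosystem, name, version). Returns a dict of
    'ecosystem/name@version' -> sorted list of matching OSV record IDs."""
    findings = {}
    for ecosystem, name, version in inventory:
        ids = sorted(r["id"] for r in records
                     if affects_package(r, ecosystem, name, version))
        if ids:
            findings[f"{ecosystem}/{name}@{version}"] = ids
    return findings


# Constructed inventory, of the kind an SBOM export from a CI operator's
# software stack might yield (hypothetical packages and versions).
SAMPLE_INVENTORY = [
    ("PyPI", "example-lib", "1.3.0"),  # inside [0, 1.4.2): affected
    ("PyPI", "example-lib", "1.4.2"),  # the fixed version: not affected
    ("PyPI", "example-lib", "2.0.5"),  # inside [2.0.0, 2.1.0): affected again
    ("npm", "example-lib", "1.3.0"),   # same name, different ecosystem: no match
]

if __name__ == "__main__":
    for pkg, ids in scan_inventory(SAMPLE_OSV_RECORDS, SAMPLE_INVENTORY).items():
        print(pkg, "->", ", ".join(ids))
```

The range walk is the part worth getting right: OSV records can list a package as fixed and then re-introduced in a later line, so a scanner that only compares against the first "fixed" event misses the second window. The live service answers the same question for real packages through a POST to https://api.osv.dev/v1/query with a JSON body naming the package, ecosystem and version.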

CSIRO and Google will also collaborate on designing a security framework that gives Australian CI operators clear guidance on how to meet current requirements and provides a baseline for future ones.

The framework will adapt and extend the Supply Chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO’s industry practices, to define levels of software supply chain maturity and steps to achieve them. 

Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning and big data capabilities and domain-specific large language models, to accelerate the partnership's research and translate it into tools or as-a-service offerings for CI operators.

Google Cloud Australia and New Zealand (A/NZ) security practice lead Stefan Avgoustakis said software supply chain vulnerabilities are a global issue and Australia has taken legislative measures to control and combat them.

“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research,” he said.

All project findings will be publicly available, allowing critical infrastructure sectors free and easy access. 

CSIRO project lead Ejaz Ahmed said software developed, procured, commissioned and maintained within Australia will also better align with local regulations, promoting greater compliance and trustworthiness.

"This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO's expertise," he added.

The partnership is part of Google's Digital Future Initiative and CSIRO's Critical Infrastructure Protection and Resilience mission, which is currently in development.