Australia's national science agency is teaming up with Google to protect critical national infrastructure including public utilities, hospitals and more by automating the hunt for flaws in software throughout their supply chain.
The Commonwealth Scientific and Industrial Research Organisation (CSIRO), which is Australia's national science agency, will work with Google on a research partnership to help critical infrastructure operators spot and fix potential security vulnerabilities in third-party software and products in their supply chain.
Amid rising attacks against its critical national infrastructure, such as the recent Optus and Medibank cyber attacks, Australia last year set a goal to become the most cyber-secure country by 2030.
That's laid out via the country's Cyber Security Strategy, which includes setting up a 100-person team to hunt down hackers, efforts to strengthen critical infrastructure networks, and building up local security abilities.
"Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks," said Stefan Avgoustakis, Security Practice Lead for Google Cloud in Australia and New Zealand.
Automated flaw hunting
Set up to support that wider security work, the Google-CSIRO partnership will see the two organizations work together to create tools and frameworks to improve software security across the supply chain for critical infrastructure (CI) operators, which includes utilities, hospitals, freight networks and even grocery stores.
CSIRO will work with Google's Open Source Security Team to develop AI tools for automated vulnerability scanners to more quickly spot and assess flaws in software used by CI operators.
Those systems will make use of Google's own vulnerability database and make use of Google Cloud for infrastructure, machine learning, and to eventually offer any tools developed to CI operators. CSIRO will bring to the table its work on techniques to test for responsible AI, and ensure the systems meet legal requirements for reporting flaws.
Beyond developing flaw-spotting tools, the research will also design a framework to help Australian CI operators meet existing and future security rules.
"The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research," said Stefan Avgoustakis, Security Practice Lead, Google Cloud, Australia & New Zealand.
Locally sourced solutions
The CSIRO hopes the project will spark locally developed technologies, believing that will be safer for the country — that comes at a time when security and networking products from Russia and China have been banned in the US.
"Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness," said CSIRO’s Project Lead, Dr Ejaz Ahmed.
All of the project research will be published and freely available to ensure all critical infrastructure operators have ready access.
"Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security," said Avgoustakis.
