Microsoft has set up a Security Cooperation Programme (SCP) along with New Zealand’s Centre for Critical Infrastructure Protection (CCIP).
The SCP, a recently established Microsoft programme, formalises the business of reporting to government partners “information on threats and vulnerabilities,” said Microsoft’s chief privacy strategist, Peter Cullen, while on a visit to New Zealand earlier this month.
The programme aims to mitigate threats to national security. It also incorporates an element of “citizen outreach” — communicating with the public about the benefits of the programme.
The security of computers today is a significant challenge and Microsoft has been rightly criticised for falling short of expectations in terms of exploitable vulnerabilities in its software, Cullen says.
Despite a continuing run of such bugs, and a controversy earlier this month about delays in issuing a patch for a zero-day exploit, Cullen contends that Microsoft is making significant investments, and advances, in making its applications more secure.
As evidence of this, he says exploits are “moving up the stack”, with an increasing number of them using vulnerabilities in applications that run on Microsoft platforms but are produced by other companies.
As Microsoft learns its security and privacy lessons, it will be sharing them, Cullen says.
The company has published a book on the “security development lifecycle” it has developed, and has followed this up with a set of privacy guidelines. These advise developers on appropriate ways of seeking consent when asking a customer to supply personal information in connection with their application.
Microsoft’s guidelines also include briefs on what information is retained by products, such as its Internet Security and Acceleration (ISA) server, and how to configure servers to provide appropriate protection to users.
The SCP idea represents another phase in the company’s plan for paying closer attention to security matters, says Cullen.
“Prevention of cyber disruptions and improving our capacity to respond to incidents in a timely manner are essential to the security of the nation, the economy and public health and safety,” says CCIP manager Richard Byfield.
“Partnerships between the public and private sector, or initiatives like the Security Cooperation Programme, are fundamental to ensuring better preparedness, and for developing innovative solutions for securing New Zealand’s cyber-based systems and assets.”
The types of data to be exchanged include: information about publicly known and reported vulnerabilities that Microsoft is investigating; information about forthcoming and already released software updates; security incident metrics and information on Microsoft product security.