Partnership to assist critical infrastructure operators in meeting growing legislative obligations to prove the integrity and security of their software supply chains
CSIRO, Australia's national science agency, and Google today announced a research partnership to close crucial gaps in how Australia's critical infrastructure (CI) operators find, understand, and fix vulnerabilities in their software supply chains.
A part of Google's Digital Future Initiative and CSIRO's Critical Infrastructure Protection and Resilience developing mission, the partnership will see Google and CSIRO work together to develop tools and frameworks that help Australian CI operators meet critical obligations around software supply chain security, including those in the amended Security of Critical Infrastructure (SOCI) Act and Australia's Cyber Security Strategy.
The tools and frameworks will focus on accurately identifying and fixing vulnerabilities in open source software components that have become an increasingly important part of digital transformation for Australia's critical infrastructure, which includes everything from public utilities and hospitals to freight networks and groceries. To maximise the impact of this partnership, all project findings will be publicly available, allowing critical infrastructure sectors free and easy access.
CSIRO's Project Lead, Dr Ejaz Ahmed, said the creation of new and homegrown technologies will enhance the security of software used in Australian critical infrastructure.
"Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness," Dr Ahmed said. "This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO's expertise."
A roadmap to more secure software
The partnership will see CSIRO work with the Google Open Source Security Team (GOSST) and Google Cloud to develop novel AI-powered tools for automated vulnerability scanners and data protocols that can quickly and precisely identify and assess the impact of open source vulnerabilities on Australian CI operators' software supply chains.
The tools will tap on existing resources including Google's OSV database for the most up-to-date intelligence on vulnerabilities. CSIRO's applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help to ensure reports and recommendations directly address the local regulatory and operating context of Australian operators.
Similarly, CSIRO and Google will collaborate on designing a secure framework that gives Australian CI operators clear guidance on how to meet current requirements and a baseline for future ones. The framework will adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO's Australian industry practices, to define multiple levels of software supply chain maturity as well as steps to achieve each one.
Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning and Big Data capabilities as well as domain specific large language models, to accelerate the partnership's research and translate it into tools or as-a-service offerings for CI operators.
"Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks," said Stefan Avgoustakis, Security Practice Lead, Google Cloud, Australia & New Zealand.
"The tools and frameworks we're developing will give Australia's CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research. Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security."