Microsoft to give governments heads up on security vulnerabilities

Software giant starts pilot program for critical infrastructure protection

Editor's note: This article was updated on May 20 to correct the name of the Carnegie Mellon Software Engineering Institute.

Microsoft will share technical information on security vulnerabilities with some government organizations before it publicly releases security patches to help governments protect critical infrastructure.

Government organizations that participate in both of two existing Microsoft programs designed to share security information with governments can get advance access to the vulnerability data through a new pilot program named the Defensive Information Sharing Program (DISP).

Microsoft will start the pilot program this summer and begin the full program later this year, said Jerry Bryant, group manager, response communications for Microsoft, in an e-mail statement. Bryant said early access to that information would let the government organizations get an early start on risk assessment and mitigation.

“This will allow members [of DISP] more time to prioritize creating and disseminating authoritative guidance for increasing network defensive posture actions,” Bryant said.

DISP is one of two pilot programs that Stephen Adegbite, senior security program manager lead in the Microsoft Security Response Center, detailed in a blog post on May 17. Adegbite also described another program, the Critical Infrastructure Partner Program, which shares insights on security policy with governments, such as approaches to help protect critical infrastructures.

“Looking at past Internet-based attacks, the trends are pointing to an increase in complex multi-dimensional computer attacks,” Adegbite wrote. “We believe that governments will see increased demands for swifter responses to vulnerabilities that threaten public assets. The need for information to aid in quicker and thorough risk assessments will be paramount.”

Jeffrey Carpenter, manager of the CERT Coordination Center at Carnegie Mellon Software Engineering Institute, said governments have been asking for more timely vulnerability information to better protect critical infrastructure. CERT works with about 40 countries’ computer security incident response teams.

Carpenter said governments want advance notice before security patches are released so they can understand what a problem is and how it affects economies and critical infrastructure.

“I think this has been an evolving process where Microsoft has listened to the governments of countries around the world and this is working to meet the unique needs” of national computer security incident response teams, Carpenter said.

Only national government organizations will be eligible to participate in DISP. However, participants will be allowed to confidentially share the information with their regional and local entities if they can ensure it won’t be leaked.

About the Author

Ben Bain is a reporter for Federal Computer Week.
