Microsoft creates plan for sharing security info with governments
- By William Jackson
- Feb 02, 2005
Microsoft Corp. chairman Bill Gates today announced a program to improve how the software giant and state, local and national governments exchange information about security vulnerabilities and incidents.
The Security Cooperation Program, announced at Microsoft's Government Leaders Forum in the Czech Republic capital of Prague, provides a framework for cooperation on national security threats. Much of the information covered in the SCP agreements, such as reported vulnerabilities, already is publicly available but not widely disseminated, said Stuart McKee, Microsoft's national technology officer.
'We may have a bulletin out on a vulnerability, but getting on a briefing call with Microsoft engineers and other security folks is something that would be new,' McKee said.
SCP is a follow-on to such Microsoft partnership programs as the Government Security Program, launched two years ago to provide national governments with controlled access to elements of Microsoft source code.
McKee said a goal of the arrangement is that governments will share what they see happening in their own environments, coordinate incident response through the SCP and participate in after-action evaluations of incidents. This could involve sensitive or proprietary data that many entities often are reluctant to release.
'As a former CIO [of Washington state], I can tell you that you are not inclined to share information about your environment outside of your environment,' McKee said. 'That's a risky situation.'
Founding participants in the program are Canada, Chile, Norway and the state of Delaware.
The U.S. government has not signed on, although, 'I do anticipate that we will have agencies in the federal government in the program,' McKee said.
Among types of data expected to be exchanged are:
- Information on publicly known vulnerabilities that Microsoft is investigating
- Information on MS software updates to facilitate resource planning and deployment
- Security incident metrics
- Information on critical IT incidents and emergencies
- Information on MS product security and incident response process
Information shared through the program will remain confidential, although McKee said that mechanisms for ensuring confidentiality 'will evolve' as relationships develop. Information released by Microsoft will be anonymized and aggregated, and no identifiable data will be released.
No provisions have been made to shield data provided to governments from Freedom of Information Act requests, McKee said.
'Nothing we are doing is intended to circumvent FOIA,' he said.
William Jackson is a Maryland-based freelance writer.