Google has announced a research partnership with Australia’s national science agency, the Commonwealth Scientific and Industrial Research Organisation (CSIRO), to secure the country’s critical infrastructure (CI) from risky software components.
As part of Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience programme, the collaboration will address the critical gaps in how Australia’s CI operators identify, understand, and resolve vulnerabilities in their software supply chains.
It will also focus on developing tools and frameworks to help Australian CI operators comply with software supply chain security requirements outlined in the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy.
The tools will be designed to identify and address vulnerabilities in open-source software components, which are increasingly integral to the digital infrastructure of Australia’s critical sectors, including public utilities, hospitals, freight networks, and groceries. All findings from the project will be made publicly available, ensuring free and easy access for critical infrastructure sectors, said Google.
CSIRO-Google alliance
CSIRO will collaborate with Google’s Open Source Security Team (GOSST) and Google Cloud to create innovative artificial intelligence (AI)-driven tools, including automated vulnerability scanners and data protocols.
These tools will leverage Google’s OSV database to provide up-to-date intelligence on vulnerabilities, while CSIRO will contribute applied research to ensure that the tools and recommendations align with local regulatory and operational contexts.
“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” said the CSIRO project lead, Ejaz Ahmed. “This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO’s expertise.”
Guarding against software supply chain vulnerabilities
Additionally, CSIRO and Google will develop a secure framework to guide Australian CI operators in meeting current and future security requirements. This framework will build upon Google’s Supply-chain Levels for Software Artifacts (SLSA) framework, incorporating insights from CSIRO’s knowledge of Australian industry practices. It will define various levels of software supply chain maturity and outline steps to achieve each level.
“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks,” said Google Cloud Australia and New Zealand security practice lead Stefan Avgoustakis. “The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research.
“Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”
Google Cloud will support the partnership by providing secure and scalable infrastructure, including machine learning, big data capabilities, and domain-specific large language models, to expedite research and translate it into practical tools or services for CI operators.