CSIRO and Google develop AI tools to secure Australia’s software supply chains
The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and Google have initiated a strategic partnership to bolster the security of Australia’s critical infrastructure (CI) against rising cyber threats. This collaboration is particularly focused on addressing vulnerabilities in software supply chains, a crucial element of the digital transformation sweeping across sectors like healthcare, utilities, and transportation.
Addressing Critical Gaps in Software Supply Chain Security
The partnership forms part of Google’s broader Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience program. Together, they aim to close significant gaps in how CI operators identify, understand, and mitigate vulnerabilities within their software supply chains. The amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy have intensified the need for robust security measures, making this collaboration timely and essential.
Development of AI-Driven Tools
CSIRO and Google are leveraging advanced technologies to develop AI-powered tools that can automatically detect and rectify vulnerabilities in open-source software components. These tools will be underpinned by Google’s Open Source Vulnerability (OSV) database, providing the most current information on potential risks. CSIRO’s applied research will ensure these tools are not only effective but also aligned with Australia’s unique regulatory and operational context.
Building a Secure Framework
In addition to tools, the partnership is focused on creating a secure framework that will guide CI operators in meeting both current and future security obligations. This framework will adapt Google’s Supply-chain Levels for Software Artifacts (SLSA) and incorporate insights from CSIRO’s extensive knowledge of Australian industry practices. The goal is to define multiple levels of software supply chain maturity, offering clear steps for operators to enhance their security posture.
Public Accessibility and Broader Impact
A key aspect of this collaboration is the commitment to making all findings, tools, and frameworks publicly available. This open-access approach is intended to foster widespread adoption of best practices across Australia’s critical infrastructure sectors, thereby enhancing the resilience of the nation’s essential services.
Google Cloud’s infrastructure will support this initiative by providing scalable solutions, including machine learning and Big Data capabilities. This will enable rapid development and deployment of the tools, potentially making them available as services that CI operators can easily integrate into their existing systems.
A Global Standard for Software Supply Chain Security
Australia has taken a leading role globally in implementing legislative measures to secure software supply chains, and this partnership reflects the country’s commitment to mitigating cybersecurity risks. Stefan Avgoustakis, Security Practice Lead at Google Cloud for Australia & New Zealand, emphasized that this collaboration will provide CI operators with a consistent roadmap to achieving software supply chain maturity, bolstered by CSIRO’s in-depth industry knowledge.
This partnership between CSIRO and Google marks a significant advancement in the protection of Australia’s critical infrastructure. By focusing on securing software supply chains, the collaboration not only strengthens national security but also sets a standard for global efforts to protect critical digital assets.