The new director of the government's National Infrastructure Security Co-ordination Centre, which is responsible for co-ordinating protection for the UK's critical services, has called on IT suppliers and security professionals to take a more responsible approach to reporting security vulnerabilities.

Roger Cumming, in his first interview since taking up the post as head of the NISCC in February, said it was important that organisations should not be forced into a "mad scramble" to patch their systems every time a vulnerability is announced.

His comments follow last week's disclosures in Computer Weekly that hackers are using automated tools to develop virus and hacking code within days of software vulnerabilities being made public.

The NISCC acts as a broker between IT users and more than 100 IT suppliers to ensure that organisations that might be affected by new vulnerabilities receive patches as soon as a vulnerability is made public, or in some critical cases, before it is announced, Cumming said.

He encouraged security professionals to report vulnerabilities to the NISCC rather than publishing them, so that organisations, particularly those that support critical services such as gas, water or transport, are given advance warning to protect their systems.

"We fully recognise the difficulty involved in the process of patching and the amount of time it takes. The whole point is to negotiate with people who have become aware of the vulnerability, to give suppliers time to come up with the patches and, more importantly, to give time to conduct comprehensive testing on legacy systems," he said.

Confidentiality agreements allow the NISCC, which operates the Uniras early warning alert system for viruses and other threats, to co-ordinate alerts about new vulnerabilities with the release of patches by IT suppliers.

"We think a mad scramble where various suppliers are trying to gain competitive advantage over the others is not the way to do things," Cumming said.

"That involves having trusted relationships with organisations to make sure they sign up to publish the vulnerability on a particular date and work towards a technical solution."

The NISCC, which was created by the Home Office in 1999, works in partnership with private and public sector organisations to protect IT systems behind the UK's critical services. It provides advice and an emergency response service to organisations that come under attack.