Security agency calls for responsible bug reports

The new director of the government's National Infrastructure Security Co-ordination Centre, which is responsible for co-ordinating protection for the UK's critical services, has called on IT suppliers and security professionals to take a more responsible approach to reporting security vulnerabilities.

Roger Cumming, in his first interview since taking up the post as head of the NISCC in February, said it was important that organisations should not be forced into a "mad scramble" to patch their systems every time a vulnerability is announced.

His comments follow last week's disclosures in Computer Weekly that hackers are using automated tools to develop virus and hacking code within days of software vulnerabilities being made public.

The NISCC acts as a broker between IT users and more than 100 IT suppliers to ensure that organisations that might be affected by new vulnerabilities receive patches as soon as a vulnerability is made public, or in some critical cases, before it is announced, Cumming said.

He encouraged security professionals to report vulnerabilities to the NISCC rather than publishing them, so that organisations, particularly those that support critical services such as gas, water or transport, are given advance warning to protect their systems.

"We fully recognise the difficulty involved in the process of patching and the amount of time it takes. The whole point is to negotiate with people who have become aware of the vulnerability, to give suppliers time to come up with the patches and, more importantly, to give time to conduct comprehensive testing on legacy systems," he said.

Confidentiality agreements allow the NISCC, which operates the Uniras early warning alert system for viruses and other threats, to co-ordinate alerts about new vulnerabilities with the release of patches by IT suppliers.

"We think a mad scramble where various suppliers are trying to gain competitive advantage over the others is not the way to do things," Cumming said.

"That involves having trusted relationships with organisations to make sure they sign up to publish the vulnerability on a particular date and work towards a technical solution."

The NISCC, which was created by the Home Office in 1999, works in partnership with private and public sector organisations to protect IT systems behind the UK's critical services. It provides advice and an emergency response service to organisations that come under attack.
