The U.K. government on Friday agreed to participate in Microsoft Corp.’s Government Security Program (GSP), which gives agencies access to Windows source code in an effort to help ensure their systems are safe, Microsoft said Friday.
The GSP will give the security community in the government controlled access to Windows source code and other technical information, Microsoft said in a statement.
Andrew Pinder, head of the government unit that looks after IT security, signed the agreement in his role as central sponsor for information assurance. In a Cabinet Office statement Friday, Pinder said the U.K. government would benefit from a clearer view of the security design of Microsoft products and the opportunity to influence future products.
Governments that join the GSP will be given smart cards that allow authorized staff to view the code over a secure channel. They will have access both to the source code and to Microsoft’s cryptographic code and a cryptographic development kit, Microsoft’s U.K. Chief Security Officer Stuart Okin said Monday.
Government departments will be allowed to alter the code, but only to evaluate any vulnerabilities, Okin said. They will not be allowed to package or distribute the altered code. Instead, they can take it to Microsoft and “we would take that under advisement,” he said.
Asked on Monday how the government can be sure it is seeing the true source code, Cabinet Office spokeswoman Kathryn Fisher said the U.K. government has “entered the agreement on a basis of trust.”
The agreement will allow the U.K. government to influence the design of future products, Fisher said, by going back to Microsoft with suggested modifications.
Two units will use the source code: the Central Sponsor for Information Assurance (CSIA), within the Cabinet Office, which is run by Pinder, and the Communications and Electronics Security Group (CESG), the IT security group within the Government Communications Headquarters (GCHQ), Fisher said.
Pinder will discuss similar agreements with other software vendors, Fisher said.
Russia and the North Atlantic Treaty Organization (NATO) have already signed up for the program, Microsoft said when it announced the GSP on Jan. 14.
Microsoft views any government that uses its software as a trusted partner, and the GSP allows governments to assess the security and integrity of its products, it said in a statement. However, Okin qualified that by saying only those governments with a minimum level of intellectual property laws would be accepted. “We think there are 60 or so governments that qualify,” he said.
The U.K. government agencies can simulate threats and assess vulnerabilities in addition to inspecting the code line by line, Microsoft said in its statement Friday. They also are invited to work with Microsoft security professionals in the U.K. as well as in the company’s hometown of Redmond, Washington. They will be able to review Windows source code development, testing and deployment processes and give feedback directly to Microsoft.