In response to the potential exploitation of vulnerabilities in open source software, U.S. Sens. Gary Peters (D-MI) and Rob Portman (R-OH) last week introduced the Securing Open Source Software Act to evaluate and direct how open source code could be used by the federal government.
“Open source software is the bedrock of the digital world, and the Log4j vulnerability demonstrated just how much we rely on it,” Peters said, referring to a vulnerability found in the widely used open source code last year. “This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services. This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”
The Log4j issue, after it was discovered and assessed, was determined to be one of the most severe cybersecurity vulnerabilities to date, spanning millions of systems, private and governmental alike. Open source cannot simply be avoided, either – many systems and networks worldwide rely on such freely available code, some of which stretches back to the internet’s roots. The U.S. government is no exception, being one of the largest users of open source software – but the senators maintained that it must manage its risk and has a duty to support the security of the open source software in the private and public sectors.
The legislation would direct CISA to develop a risk framework for evaluating the federal government’s use of such code and to determine how that framework could be voluntarily adopted by critical infrastructure owners and operators. Overall, this would work to identify ways to counter risks posed to systems using open source software. However, it is also likely to raise some concerns among the tech community as to how this might impact the freewheeling nature of such code in general.
Additionally, the legislation, as proposed, would require CISA to begin hiring people with experience in developing open source software, to ensure that the government and the open source community are jointly prepared to address vulnerabilities. Complementing this effort, the Office of Management and Budget would have to issue guidance for federal agencies covering the secure usage of open source software. As part of this, a software security subcommittee would be created within the CISA Cybersecurity Advisory Committee to address secure usage.
“As we saw with the log4shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” Portman said. “The bipartisan Securing Open Source Software Act will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”