The White House Office of the National Cyber Director released a request for information Thursday to get input from public and private sector stakeholders on key issues surrounding open source security, a critical piece of the Biden administration’s national cybersecurity strategy.
The security of open source became a global industry priority during the Apache Log4j crisis, when researchers discovered a critical vulnerability in late 2021 that could allow an unauthenticated hacker to take control of remote systems using a simple line of code.
The crisis revealed that 96% of applications depend on open source; however, the people who maintain open source are mostly community-based, unpaid volunteers who lack the resources to properly manage the security of these applications.
“We can only fully realize the benefits of open source software when everyone – including the federal government – plays their part in supporting the ecosystem,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, and Camille Stewart Gloster, deputy national cyber director for technology and ecosystem security at ONCD, wrote in a blog post Thursday.
“The federal government is one of the largest users of open source software in the world and we must do our part to help secure it,” they said.
ONCD, in partnership with other federal agencies, is also asking for information on the development of memory-safe languages and more secure techniques of developing software.
CISA, the National Science Foundation, the Defense Advanced Research Projects Agency and the Office of Management and Budget are working in tandem with ONCD on the request for information.
Earlier during the Log4j crisis, ONCD, along with OMB’s Office of the Federal Chief Information Officer, established an interagency working group called the Open Source Software Security Initiative to better coordinate government resources and develop policy solutions on the issue.
The group has identified three areas of focus:
- Adoption of memory safe programming languages
- Designing implementation requirements for secure, privacy-preserving security attestations
- Identifying and promoting focused areas for prioritization
The emphasis on memory-safe languages stems from their outsized role in software vulnerabilities.
The National Security Agency, in guidance released in November, cited Microsoft data showing that 70% of its vulnerabilities from 2016 through 2018 were tied to memory-safety issues. Google identified a similar percentage among Chrome vulnerabilities.
CISA Director Jen Easterly echoed the call for transitioning to memory-safe languages, like Rust or Go, during a speech advocating for secure-by-design principles at Carnegie Mellon University in February. Easterly later urged universities to incorporate memory safety into engineering and computer science course work.
Industry officials welcomed the RFI, as the White House has worked with the open source community and other stakeholders for several years to address key issues related to open source security.
The White House hosted a summit on open source security early on in the Log4j crisis, identifying key concerns about how the government and software industry benefit from the open source community but do relatively little to properly compensate it for that work.
Officials at Tidelift say the RFI presents a good opportunity to address issues around economic incentives.
“We do not expect suppliers in any other industry to provide products that are robust and secure for free – yet this is the expectation we have with open source,” said Luis Villa, co-founder and general counsel at Tidelift. “And it represents an existential risk to our shared technology infrastructure.”