White House to study open source software in critical infrastructure
LAS VEGAS — A year after asking the hacker community how they can better help protect the open source software that is the foundation of the digital economy, the White House is looking to better secure the ecosystem through a new office dedicated to studying such components in critical infrastructure.
The Office of the National Cyber Director released new details Friday on several projects aimed at securing open source software. The report comes a year after the office asked attendees at DEF CON in 2023 to respond to a request for information on how to better focus efforts on securing open source software.
The new office runs out of the Department of Homeland Security and will examine how prevalent open source software is in critical infrastructure and how to secure it, said Nasreen Djouini, senior policy advisor at the Office of the National Cyber Director. The program will have the support of the Department of Energy’s national labs, including Los Alamos and Lawrence Livermore.
Cyberattacks on open source software by both criminal hackers and nation-backed threats are an increasing concern, as the transparent development process has become a target for malicious activity. What’s more, open source development is largely voluntary, so resources for digital security can be minimal and depend on the individual contributor or project.
Friday’s report also included a summation of comments submitted to ONCD about how to best secure open source software.
The comments included requests for better resource assistance to developers and maintainers of the software supply chain. Other comments advocated switching to memory-safe languages like Rust, a transition the Defense Advanced Research Projects Agency is working to automate.
The Biden administration has made securing open source software a priority after the Log4J vulnerability exposed the security risks of the open source ecosystem in 2021.
Experts note that, years later, vulnerable versions of Log4J are still commonly found in the wild.