Against the backdrop of continuing issues with Log4J, the White House recently met with tech stakeholders to discuss how to make open-source safer
Stakeholders in the tech industry ranging from hyperscalers to open-source developers attended a White House cybersecurity meeting last week. There they met officials from different federal agencies including Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security and the Department of Defense to discuss how to improve open-source software security.
“The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes,” said a statement from the White House.
The White House said the first focus of the discussion was to strengthen development tool security features. Prioritizing open source projects with sustainable maintenance can address the administration’s second major concern, it said.
Finally, the administration referenced a cybersecurity executive order it issued last May. The order defines establishes a baseline security standard for software sold to the government.
“All participants — private sector and government — will continue discussions to support these initiatives in the coming weeks, which are open to all interested public and private stakeholders,” said the administration.
Log4Shell remains a top cybersecurity problem
While the comments from the administration did not single out any specific open source software, this event comes barely more than a month after the Log4Shell exploit was first spotted in the wild.
The exploit is specific to certain versions of Log4J, an Apache Java-based logging software tool. It’s used very broadly on all sorts of devices capable of running Java, as part of basic diagnostic services. The exploit enables a bad actor to assume control of the device. The U.S. CISA rated Log4Shell as a critical vulnerability.
Pressuring businesses into prioritizing Log4J updates also prompted the U.S. Federal Trade Commission (FTC) to take the rare step of rattling legal sabers to encourage compliance, by reminding businesses of the 2019 settlement reached with credit reporting bureau Equifax.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” said the agency.
The exploit remains — and will remain — a continuing problem, according to Microsoft.
“This open-source component is widely used across many suppliers’ software and services,” said Microsoft. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
Private sector organizations participating in last week’s meeting included Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, the Linux Foundation, the Open Source Security Foundation, Microsoft, Oracle, RedHat, VMWare.
Following the meeting, Kent Walker, Google president Global Affairs & chief legal officer Google & Alphabet, offered his perspective.
Walker said security through transparency falls flat these days. Especially if there aren’t resources in place to detect issues, resolve issues and maintain code. Walker explained that the use of open source software is foundational to digital infrastructure. He said it’s parallel to the real world infrastructure investments so central to this administration’s domestic policy.
“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” he wrote.