Senate Group Wants CISA to Protect Open-Source Software

Senate Homeland Security Committee leaders Gary Peters (D-Michigan) and Rob Portman (R-Ohio) have introduced a bill requiring a risk framework for open-source code. The proposed legislation would require the Cybersecurity and Infrastructure Security Agency to develop a risk evaluation process for open-source software used by federal agencies and critical infrastructure. The move follows the public disclosure in December of a vulnerability in the Apache Software Foundation’s widely used Log4j Java logging library. Peters said the Log4j incident presented a serious threat to banks, hospitals, and utility companies, among other national security operations.

“Open-source software — which volunteers can see, modify, build and maintain — is nearly everywhere, from the ‘Minecraft’ video game to Apple iCloud to devices used in sectors ranging from health care to energy,” explains The Washington Post.

In November, an Alibaba engineer discovered the Log4j vulnerability, later dubbed Log4Shell, and reported it to the Apache Software Foundation. In December, security staff working on the Java edition of Microsoft’s “Minecraft” reported that attackers were exploiting the flaw through the game, allowing them to take control of players’ computers.

A subsequent CISA assessment estimated that the vulnerability affected millions of Internet-connected devices that use the open-source Apache library, prompting what WaPo calls “a pretty big government response.”

CISA briefed industry leaders and issued an emergency directive ordering federal agencies to patch the vulnerability immediately. The agency then published a joint alert with the National Security Agency, the Federal Bureau of Investigation, and partner governments around the world. By January, Biden administration officials had met with industry leaders from companies including Microsoft and Apple.

WaPo writes that Log4Shell is not yet known to have caused any “serious damage,” citing the government’s swift response and “the effectiveness of a program to share information between agency and industry leaders.”

In February, the Senate Homeland Security panel held a hearing on the Log4Shell problem. “This common-sense, bipartisan legislation will help secure open-source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation,” Peters said in a statement.

Axios notes that “open-source developers often don’t have the time to constantly update and patch their creations against new vulnerabilities,” even though public and private companies as well as federal agencies “rely heavily on these free resources when building out their own tools since they cover basics like logging tasks.”

WaPo says that “some industry pros have curtailed their use of open-source software — even though many believe open-source software to be broadly as secure as, or more secure than, closed-source software because more people are vetting it publicly.” So far this year the Open Source Security Foundation has held two summits, announcing $150 million over two years for work on the 10 most pressing open-source security problems.

Cybersecurity Help offers a regularly updated list of vendors and software affected by Log4Shell and patch availability.
