Hardening the security around open source software has been a key part of the White House’s larger cybersecurity efforts since President Biden released his executive order for improving the United States’ security posture in May 2021, only months after taking office.
Now the Biden Administration and the Department of Homeland Security (DHS) are putting $11 million to launch a program aimed at assessing the use of open source software in critical infrastructure environments and how to better protect it.
Speaking at the DEF CON conference late last week in Las Vegas, National Cyber Director Harry Coker Jr. announced the plan to launch the government’s Open Source Software Prevalence Initiative, which includes participation by the country’s National Laboratories.
“We know that open-source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts,” Coker said at the conference.
He added that while the government is creating the initiative and putting money behind it, it will need the participation of cybersecurity professionals.
“These policy proposals rely on the dedication of researchers and their willingness to freely share their findings in order to work,” Coker said. “In our conversations on developing a software liability regime, too, we are increasingly aiming to leverage this unique community as part of novel policy solutions.”
A key part of the Biden Administration’s push to improve the country’s cybersecurity is to shift responsibility away from technology’s users and toward its producers, through efforts such as its Secure by Design initiative. Coker reiterated that during his talk, telling the audience of cybersecurity experts of the need for “more of the responsibility for cybersecurity to fall upon the more capable actors in the ecosystem. That means technology producers, yes, and certainly the Federal Government. But it also means all of you.… I know that the same value set that drives responsible vulnerability disclosure will lead you to continue to step up for the protection of the internet.”
Collaboration is Key
The government’s reach is only so long, he said; the president cannot solve these problems simply by issuing an order. Coker noted that the government and the tech industry have known for decades about security flaws in the Border Gateway Protocol (BGP), yet much of the U.S. internet traffic remains vulnerable to route hijacking. The same goes for memory-safe programming languages like Rust and Go, which would eliminate the memory-safety bugs that account for a large share of the vulnerabilities found in today’s software.
“Still, critical software that underlies our society is written in C, simply because that’s what’s convenient,” he said. “The ‘tragedy of the commons’ around open-source software development is a well-understood phenomenon; still, vital packages are maintained by tiny bands of volunteers operating on a less-than-shoestring budget.”
Wait and See
Katie Teitler-Santullo, cybersecurity strategist with OX Security, said it is uncertain how effective a program like the Open Source Software Prevalence Initiative will be.
“On the one hand, initiatives like this coming down from the White House and DHS signal to private industry that increased scrutiny is coming,” said Teitler-Santullo, whose company offers an application security posture management platform. “Given the growing reliance on open-source software – and the open-source components in most software – businesses must have a better understanding of the software, at all stages of its lifecycle.”
Still, government programs like this come with no guarantee of feasibility or impact. Many organizations struggle to monitor and triage what she called the “long tail of software,” and application security and development teams struggle to keep pace with the rapidly evolving open source ecosystem.
“What’s not in question is the importance of organizations, public and private, to understand and act on open source vulnerabilities as well as custom software built on top of open-source components,” Teitler-Santullo said. “Understanding your code at multiple levels and all throughout the software development lifecycle … is not a nice-to-have anymore. One small vulnerability could cause widespread damage.”
Marching Orders
Coker’s remarks at DEF CON came a day after the White House released a summary of responses to its request for information on what the government’s long-term priorities for open source software security should be.
The creation of the Open-Source Software Prevalence Initiative is one of the government’s responses to the feedback it received through that request for information.
The summary called for the administration to use federal agencies to accelerate open source security, for example by establishing a U.S. Government Open Source Program Office. According to the summary, the responses focused on a number of steps, including promoting the expanded use of software bills of materials (SBOMs), strengthening the software supply chain, and securing package repositories, which attackers have targeted to spread malicious code to organizations that unknowingly install and execute what appears to be legitimate software.
Memory-Safe Languages a Priority
Respondents also recommended that the government offer more incentives for using memory-safe languages.
“There was also consensus that implementing memory-safe programming would be significantly easier for new projects than for legacy projects,” according to the summary’s authors. “For the latter, many respondents supported using a tiered and prioritized approach as a way to optimize resources while focusing on the most critically important projects.”
The recent launch by DARPA (the Defense Advanced Research Projects Agency) of its TRACTOR (Translating All C to Rust) program, which aims to automate much of the work of rewriting legacy C code in Rust, is one example of such an effort.
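As an added illustration of the bug class that the memory-safety recommendations above, and Coker’s point about critical software still being written in C, are aimed at: the following is example code written for this page, not code from the article, from ONCD, or from DARPA’s TRACTOR program. It parses a length-prefixed record format that is invented for the example (1-byte tag, 2-byte big-endian length, payload), the shape behind many C heap overreads, where trusting the length field and calling memcpy reads past the buffer without any error. In Rust the same logic error is either caught up front with a checked slice, or, if written in the unchecked C style, halts with a bounds-check panic instead of silently corrupting or leaking memory. The sample bytes are constructed.

```rust
// Added example (not from the article, ONCD or DARPA). The record format
// below is invented for illustration: [tag:1][len:2 big-endian][payload:len].

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The length field claims more payload than the buffer holds.
    Truncated { needed: usize, available: usize },
    /// Fewer than three bytes: no complete header.
    BadHeader,
}

#[derive(Debug, PartialEq)]
pub struct Record {
    pub tag: u8,
    pub payload: Vec<u8>,
}

/// Checked parse of one record. Returns the record and bytes consumed.
/// `get(..)` returns None instead of reading out of bounds, so an
/// attacker-controlled length field becomes a recoverable error.
pub fn parse_record(buf: &[u8]) -> Result<(Record, usize), ParseError> {
    if buf.len() < 3 {
        return Err(ParseError::BadHeader);
    }
    let tag = buf[0];
    let len = u16::from_be_bytes([buf[1], buf[2]]) as usize;
    let body = buf.get(3..3 + len).ok_or(ParseError::Truncated {
        needed: len,
        available: buf.len() - 3,
    })?;
    Ok((Record { tag, payload: body.to_vec() }, 3 + len))
}

/// Parse every record in a buffer, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (rec, used) = parse_record(buf)?;
        out.push(rec);
        buf = &buf[used..];
    }
    Ok(out)
}

/// Mirror of the unchecked C pattern `memcpy(dst, src + 3, len)`: trusts
/// the length field and indexes directly. In C this reads past the buffer
/// with no diagnostic; Rust's bounds check turns it into a panic, which we
/// catch here so the function reports whether the copy was stopped.
pub fn unchecked_copy_panics(buf: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        let len = u16::from_be_bytes([buf[1], buf[2]]) as usize;
        let _copy: Vec<u8> = buf[3..3 + len].to_vec();
    })
    .is_err()
}

fn main() {
    // Constructed sample input: one well-formed record, then one whose
    // length field (0xFFFF) claims far more payload than is present.
    let good: Vec<u8> = vec![0x01, 0x00, 0x03, b'a', b'b', b'c'];
    let evil: Vec<u8> = vec![0x02, 0xFF, 0xFF, b'x'];

    println!("checked parse of good record: {:?}", parse_record(&good));
    println!("checked parse of evil record: {:?}", parse_record(&evil));
    println!(
        "unchecked C-style copy of evil record stopped by bounds check: {}",
        unchecked_copy_panics(&evil)
    );
}
```

Running the unchecked path prints Rust’s panic message to stderr before `catch_unwind` returns; that noise is the point, since the equivalent C program would print nothing and keep going with out-of-bounds data.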
Other recommendations included funding the development of tools and libraries for securing the open source software ecosystem, creating public-private partnerships within the community, helping expand the developer talent pool, expanding international cooperation, and researching the use of AI, large language models, and machine learning techniques.