White House convenes open-source security summit amid Log4j risks

The virtual summit, led by deputy national security adviser Anne Neuberger, included executives from Apple Inc., Alphabet Inc., Meta Platforms Inc. and Microsoft Corp., among others. (Bloomberg)

Summary

  • Widespread use of open-source technologies and their maintenance by small groups creates national-security concerns, officials say

The Biden administration hosted a meeting of major technology companies, federal agencies and nonprofits Thursday to discuss cybersecurity problems with open-source technology, amid concerns that free, but flawed, software could leave critical infrastructure open to attack.

The issue is regarded as being so serious that a senior administration official described the widespread use of open-source software, which is often maintained by small groups of volunteers, as a key national security concern.

Thursday’s meeting was prompted in part by the discovery of a flaw in Log4j, an open-source logging tool used in thousands of commercial products, which hackers can exploit with relative ease to gain wider systems access. The vulnerability, disclosed in early December, set off a global scramble among companies, government agencies and software developers to patch the weakness.

The virtual summit, led by deputy national security adviser Anne Neuberger, included executives from Apple Inc., Alphabet Inc., Meta Platforms Inc. and Microsoft Corp., among others, along with specialist open-source software organizations such as GitHub Inc., the Apache Software Foundation and the Linux Open Source Foundation.

The Cybersecurity and Infrastructure Security Agency, the Commerce Department, the Defense Department and the Energy Department were among the federal agencies present.

Attendees said they focused on practical ways in which the public and private sector can work together to enhance security standards in open source, in part by building on community efforts already under way such as frameworks developed by the Open Source Security Foundation. The OpenSSF includes major banks, technology companies and academic institutions in its membership, which works to improve security in the open-source supply chain.

Apache, which distributes Log4j, is pushing for more expert help from technology companies that use free software. “We believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software,” the foundation said in a statement after the meeting.

Alphabet’s Google suggested setting up a marketplace to match volunteers with open-source projects deemed critically important by a public-private sector partnership, based on where and how they are used.

“If we’re going to solve a lot of these grand challenges, it’s going to take all of us,” said Mike Hanley, GitHub’s chief security officer, who attended Thursday’s meeting. Following the meeting, a number of participants issued statements expressing support for the White House’s attention to the issue but warned that security in open-source software remains fragile.

“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that many eyes were watching to detect and resolve problems,” said Kent Walker, chief legal officer at Google, in a blog post published after the meeting. “But in fact, while some projects do have many eyes on them, others have few or none at all.”

Compounding the problem of vulnerabilities in open-source software is that these components are baked into other products. This means that technology providers often have to come up with individual patches to fix something like the Log4j vulnerability, which can lengthen the time companies are exposed to hackers.

In a call with reporters on Monday, CISA Director Jen Easterly, who described the Log4j vulnerability as the most severe she had seen in her career, warned that problems stemming from the flaw could linger for years.

Log4j cast the problems with open-source software security into sharp relief, but experts have long warned that underinvestment in open-source would create problems. In an executive order on cybersecurity in May, President Biden referred to open-source vulnerabilities and said the government will require technology providers to list such components used in their products in the future.

Smaller open-source projects are often maintained by small teams of part-time volunteers, which creates major supply-chain risks, said Casey Ellis, founder and chief technology officer at Bugcrowd Inc., which runs a platform for ethical hackers to find and report security holes in company systems.

“The internet isn’t just one of these supply-chain dependencies,” he said. “At this point, it is literally built on thousands of them.”

The White House and tech organizations are expected to meet again about the matter, GitHub’s Mr. Hanley said.
