Homeland Security Legislators Introduce an Open Source Security Law


Two members of the United States legislature, Senators Rob Portman (R-OH) and Gary Peters (D-MI), the Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee respectively, introduced legislation designed to help protect federal and private critical infrastructure information systems by strengthening the security of the open-source software those systems may use. The senators drafted the act after a hearing they convened on the Log4j security vulnerability disclosed at the end of 2021. Its purpose is to direct the Cybersecurity and Infrastructure Security Agency (CISA) to ensure open source software is used safely by the federal government, critical infrastructure providers, and other critical service providers. The Log4j vulnerability’s impact was so far-reaching that top cybersecurity experts have named it one of the most severe and widespread cybersecurity vulnerabilities ever experienced.


Said Senator Peters, “Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services. This commonsense, bipartisan legislation will help secure open-source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”


"The computers, phones, and websites we all use every day contain open-source software."

Senator Portman added, “As we saw with the Log4shell [sic] vulnerability, the computers, phones, and websites we all use every day contain open-source software that is vulnerable to cyberattack. The bipartisan Securing Open Source Software Act will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”


This critical legislation will, for the first time ever, codify open-source software as public infrastructure. If it is eventually signed into law it would be a historic step in the right direction, facilitating wider federal investment in measures to ensure the health and security of open source software.


As most—and some would say all—modern computers rely on open source code that is maintained by communities of individuals, it is obvious that the federal government must be able to manage its own risk and assist in supporting the security of the private sector.


The proposed law, titled the Securing Open Source Software Act, would instruct CISA to create a risk framework to guide the use of open source code by the federal government. In the law’s current form, critical infrastructure owners and operators could then adopt the same framework voluntarily. This legislation would also require CISA to find and hire professionals who are experienced in developing open source software, charging them with ensuring that the government and the open source community work collaboratively. Additionally, those professionals would be tasked with developing action plans so that the government and private stakeholders are better prepared to address broad-impact vulnerabilities like Log4j in the future.


Private organizations can and should be proactive in their open source software management—including maintaining awareness of where open source may be bundled in products provided by third parties. The best way to accomplish this is through the development and maintenance of a security program based on a well-recognized standard. Webcheck Security’s expert security leadership consultants—also known as Fractional Information Security Officers (FISOs)—can lead security program creation and management for your organization regardless of size or industry. Contact Webcheck today to discuss your options!

