White House and DHS Launch $11 Million Initiative to Secure Open Source Software in Critical Infrastructure

The White House and the Department of Homeland Security (DHS) have teamed up to launch an $11 million initiative aimed at enhancing the security of open-source software across critical infrastructure sectors. Announced on Friday and detailed further at the DEF CON cybersecurity conference over the weekend, the Open-Source Software Prevalence Initiative (OSSPI) will be funded under the 2021 Bipartisan Infrastructure Law.


The OSSPI is designed to build a clearer picture of where and how open-source software is used in essential sectors such as healthcare, transportation, and energy production. By mapping which components are deployed, and where, the federal government and its private sector partners aim to focus security effort on the open-source dependencies that matter most to national cybersecurity.

“We know that open source underlies our digital infrastructure, and it's vital that as a government, we contribute back to the community as part of broader infrastructure efforts,” said National Cyber Director Harry Coker at DEF CON. He also mentioned that a public and private sector working group would be established later this year to develop recommendations for improving open-source software security.


Although the Office of the National Cyber Director has kept the specifics of the initiative under wraps, the announcement was accompanied by a summary report. This report outlines a dozen recommendations gathered from the cybersecurity community, highlighting the areas where the federal government should focus its efforts. Among the planned or ongoing activities are securing package repositories, strengthening the software supply chain, and creating an "Open-Source program office."


Coker acknowledged the essential role of the cybersecurity community in shaping these policies and urged researchers to continue contributing their expertise. “Many more of the recommendations go beyond what the government can do alone, and that's where you all come in. These policy proposals rely on the dedication of security researchers and their willingness to freely share their findings in order to work in our conversations,” he stated.

The push for a more secure open-source ecosystem also comes amid discussion of a software liability regime, a concept that has stirred debate since it was introduced in last year's National Cybersecurity Strategy. Such a regime would shift more responsibility for product security onto technology producers, particularly those who profit from the software they ship, rather than leaving it with end users and open-source maintainers.


Coker emphasized that the responsibility for defending cyberspace falls on the "more capable actors in the ecosystem," including software manufacturers. He has previously argued that these entities must be held accountable when they "rush code to market."

At the Black Hat cybersecurity conference last week, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly echoed these sentiments. She highlighted the importance of software liability, including the need for “articulable standards of care” and safe harbor provisions for vendors that innovate securely.


Katie Teitler-Santullo, Cybersecurity Strategist at OX Security, weighed in on the OSSPI, noting the challenges and potential impacts of the initiative. "The efficacy of the Open-Source Software Prevalence Initiative is a big question mark. On the one hand, initiatives like this coming down from the White House and DHS signal to private industry that increased scrutiny is coming," Teitler-Santullo said. She emphasized the growing reliance on open-source software and the need for businesses to understand and manage software throughout its lifecycle.


However, she also cautioned that the success of such government-led initiatives is not guaranteed, citing the difficulties many organizations face in monitoring and managing software vulnerabilities. "What's not in question is the importance of organizations, public and private, to understand and act on open-source vulnerabilities... One small vulnerability could cause widespread damage, so full visibility, along with the ability to effectively and accurately prioritize based on exploitability, reachability, and business impact are what's needed. Now."


As the federal government and private sector continue to collaborate on securing the open-source software that underpins critical infrastructure, the OSSPI represents a significant step toward addressing the vulnerabilities that could threaten national security. Whether it will achieve its ambitious goals remains to be seen, but the initiative has certainly placed the spotlight on the crucial role of open-source software in today's digital landscape.
