
Biden administration allocates $11 million to open source security initiative

The White House and the Department of Homeland Security (DHS) are collaborating on an $11 million initiative to learn more about the use of open source software in critical infrastructure and better secure it.

The White House announced the measure on Friday, and at the DEF CON cybersecurity conference over the weekend, National Cyber Director Harry Coker said DHS would fund it as part of the bipartisan 2021 infrastructure bill.

The project, called the Open-Source Software Prevalence Initiative (OSSPI), aims to address the proliferation of open-source software components in areas such as healthcare, transportation and energy generation, and ultimately enable the federal government and private sector partners to strengthen national cybersecurity.

“We know that open source is the foundation of our digital infrastructure, and it is critical that we as a government give back to the community as part of broader infrastructure efforts,” Coker told the DEF CON audience.

“In addition, there will be a working group from the public and private sectors later this year to develop recommendations on how to better protect open source software.”

The Office of the National Cyber Director remained tight-lipped about the details of the initiative, but the announcement coincided with the release of a summary report outlining a dozen recommendations from the cybersecurity community on areas the federal government should prioritize and focus on with regard to open source security.

The report lists activities that are either planned for the future or already underway, including:

  • Securing package repositories.
  • Deepening relations between the federal government and open source communities.
  • Expanding the use of software bills of materials (SBOMs).
  • Strengthening the software supply chain.
  • Creating an “Open Source Program Office”.
  • Developing metrics for vulnerability severity.
  • Increasing educational initiatives.
  • Replacing legacy software.

At DEF CON, Coker thanked the community for submitting their recommendations and encouraged researchers to continue to come forward with ideas for further securing open source software.

“Many of the recommendations go beyond what the government can do alone, and that’s where all of you come in. These policy proposals are based on the commitment of security researchers and their willingness to freely share their findings to inform our conversations,” he said.

“I know you all have the ability to do this, and I know that the same values that underpin responsible vulnerability disclosure will motivate you to continue working to protect the Internet.”

Coker also noted that his office is working to develop a software liability regime, arguing that the responsibility for protecting cyberspace lies with “the more capable actors in the ecosystem,” including technology producers.

A software liability regime that would shift responsibility to the end producers who profit from the software was one of the most controversial measures mentioned in last year’s National Cybersecurity Strategy.

While the White House has repeatedly stated that it does not want to punish underfunded open source developers, Coker has said in previous speeches this year that software makers must be held accountable if they “rush code to market.”

At the Black Hat cybersecurity conference last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, also mentioned a software liability regime. She told reporters that she plans to meet with Rep. Mark Amodei (R-NV), chairman of the House Appropriations Subcommittee on Homeland Security, to emphasize the importance of software liability that includes “articulable standards of care” as well as safe harbor provisions for technology vendors that “responsibly innovate using secure development processes.”

“I think we can do more, but that’s where the war is won,” she said. “When we put aside the threat actors and the victims and talk about the providers.”
