Homeland Security Committee advances bipartisan legislation that works on bolstering security of open source software

The U.S. Senate Homeland Security and Governmental Affairs Committee advanced on Wednesday bipartisan legislation that works to protect federal and critical infrastructure systems by strengthening the security of open source software. The bill would help prevent the exploitation of vulnerabilities similar to the Log4j cybersecurity incident, which had the potential to compromise critical systems, including critical infrastructure and federal systems. The legislation now moves to the full Senate for consideration.

The bill, titled ‘Securing Open Source Software Act of 2022’, was introduced by U.S. Senators Rob Portman, a Republican from Ohio, and Gary Peters, a Democrat from Michigan, respectively the Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee.

The legislation directs the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework to evaluate how the federal government uses open source code. CISA would also evaluate how critical infrastructure owners and operators could voluntarily use the same framework to identify ways to mitigate risks in open source systems.

The bill also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to provide guidance to federal agencies on the secure use of open source software. It also establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.

The legislation calls upon the CISA director to perform outreach and engagement to bolster the security of open source software, support federal efforts to strengthen the security of open source software, and coordinate, as appropriate, with non-federal entities on efforts to ensure the long-term security of open source software.

Additionally, the director shall serve as a public point of contact regarding the security of open source software for non-federal entities, including state, local, tribal, and territorial (SLTT) partners, private sector, international partners, open source software organizations, and open source software developers, while providing support to federal and non-federal supply chain security efforts.

The Senate advancement of the bill follows a February hearing convened by Portman and Peters on the Log4j incident. The bill would direct CISA to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others. The senators said the Log4j breach led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever.

“As we saw with the Log4Shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” Senator Portman said in a media statement. “I’m pleased the bipartisan Securing Open Source Software Act has been passed by the Senate Homeland Security and Governmental Affairs Committee because it will ensure the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

“Open source software is critical to our country’s national and economic security, and we must ensure it is secure against cybercriminals seeking to exploit vulnerabilities like the one found in Log4j,” according to Senator Peters. “Now that this bipartisan bill has advanced in the Senate, I urge my colleagues to pass it as soon as possible so we can help secure open source software and continue strengthening our defenses against persistent and evolving cybersecurity threats.”

“This important legislation will, for the first time ever, codify open source software as public infrastructure,” Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab), said. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software. I am encouraged by the leadership of Senators Peters and Portman on this issue.”

Earlier this year, the Senate unanimously passed a ‘landmark legislative package’ introduced by Portman and Peters that would require critical infrastructure owners, operators, and civilian federal agencies to report to CISA if they experience a substantial cyber-attack. The package also provides for combating ongoing cybersecurity threats against critical infrastructure and federal government networks. It comes ‘in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.’
