Bill Would Help Prevent Exploitation of Vulnerabilities Like One Found In Log4j That Could Compromise Critical Systems
WASHINGTON, DC – Bipartisan legislation authored by U.S. Senators Gary Peters (D-MI) and Josh Hawley (R-MO) to help protect federal and critical infrastructure systems by strengthening the security of open source software has advanced in the Senate. The legislation would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others. A software vulnerability first discovered in 2021 in Log4j – which is widely used open source code – affected millions of computers worldwide, including critical infrastructure and federal systems. This led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen. The bill was advanced by the Senate Homeland Security and Governmental Affairs Committee where Peters serves as Chair, and now moves to the full Senate for consideration.
“The Log4j incident showed how vulnerabilities in open source software can put our networks at risk of cyber-attacks from foreign adversaries and cyber criminals who seek to disrupt our national and economic security,” said Senator Peters. “This bipartisan bill will help bolster our cybersecurity defenses and secure open source software that is widely used across government and the private sector.”
“At a time when our adversaries, particularly the Chinese Communist Party, continue to attack and exploit our federal agencies’ software vulnerabilities, it is imperative that Congress work to bolster our national cybersecurity,” said Senator Hawley. “The Securing Open Source Software Act is a great step toward better understanding the risk associated with software deficiencies, and better defending the U.S. government and its critical infrastructure from cyberattacks by our enemies.”
“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, the Atlantic Council. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software. I am encouraged to see the partnership of Senators Peters and Hawley on this issue.”
The overwhelming majority of computers in the world rely on open source code – freely available code that anyone can contribute to, develop, and use to create websites, applications, and more. It is maintained by a community of individuals and organizations. The federal government, one of the largest users of open source software in the world, must be able to manage its own risks and also help support the security of open source software in the private sector and the rest of the public sector.
The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source softwareto ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.