The White House on Thursday is hosting leading technology companies, along with a number of relevant government agencies, to discuss ways to improve the security of open source software libraries, with senior administration officials calling it a “key national security concern.”
Meeting with officials in the Biden administration will be representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook / Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, Red Hat and VMware.
They will discuss how new private-public cooperation can “quickly promote improvements” in security.
Joining them will be White House and business leaders, senior executives and senior open source software experts, along with leading agencies, including the Department of Commerce and Homeland Security, the Pentagon, the Cybersecurity and Infrastructure Security Agency, the Department of Energy and more.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, is expected to host the meeting.
The meeting is intended to focus on President Biden’s executive order on cyber security, a senior administration official told Fox Business. This order focused on software security and drove a range of efforts across the US government and in the private sector.
The official said the administration expects “further discussions” with the companies and other organizations not represented. The White House invited major software companies and developers to discuss initiatives to improve open source security last month.
“Open source software has accelerated the pace of innovation and has led to enormous societal and economic benefits, but the fact that it is widely used and maintained by volunteers is a combination that is a key national security issue that we are experiencing with the log4j vulnerability,” said a senior administration official.
“Software security is critical to our national and economic security,” the official continued, noting that recent incidents, including the SolarWinds hack, serve as “recent reminders that strategic opponents are actively exploiting vulnerabilities for malicious purposes.”
Last month, officials discovered a vulnerability in software known as “Log4j,” which they said posed “an urgent challenge for network defenders given its widespread use.”
The Log4j bug lets Internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. It is a challenge simply to identify which systems are using the utility; it is often hidden under layers of other software.
The affected software, written in the Java programming language, logs user activity. Developed and maintained by a handful of volunteers under the auspices of the open source Apache Software Foundation, it is very popular with commercial software developers. It runs across many platforms – Windows, Linux, Apple’s macOS – and powers everything from webcams to car navigation systems and medical devices, according to security firm Bitdefender.
CISA officials said the vulnerability posed a “serious risk” and urged private sector organizations to work with the federal government to intervene.
The Associated Press contributed to this report.