After Log4j, open source software is now a national security issue


Photo: Dünzl ullstein picture (Getty Images)

For years, developers of free, open source software have told anyone who will listen that their projects need better financial support and more oversight. Now, after a series of catastrophic incidents involving open source code, the federal government and Silicon Valley may finally be listening.

A meeting at the White House on Thursday brought executives from some of the technology sector’s largest companies together with administration officials to discuss the need for better security in the open source community. The list of participants included big names such as Google, Facebook, Microsoft, Amazon, Oracle and Apple.

Open source software differs from proprietary software in that it is free, publicly inspectable and can be used or modified by anyone. Because open source tools are so useful, large companies routinely build them into their own products. But open source projects need maintenance and funding to stay secure, and they do not always get it. For years, open source developers have complained that their software needs better support from Big Tech and other institutional actors, a problem that is finally getting some attention.

It’s not hard to see why the White House convened its meeting right now. Just a month ago, a critical vulnerability was found in the popular open source Apache logging library Log4j. The vulnerable library is used almost everywhere, and the disclosure led to widespread panic throughout the tech industry as companies scrambled to patch the systems and products that depended on it. (Apache Software Foundation officials were also present at Thursday’s meeting.)

Log4j is not the only open source debacle to take place lately. Just last week, the creator of two widely used software tools deliberately sabotaged them via a series of bizarre software updates. Marak Squires, the developer behind the popular JavaScript libraries Faker and Colors, pushed corrupted versions of the packages and broke thousands of other software projects that automatically pulled in the new releases.

In short: there is clear room for improvement, and fortunately participants in the recent White House meeting seem receptive to it. At the meeting, White House National Security Adviser Jake Sullivan reportedly called open source software a “key national security concern.” Similarly, Google’s President of Global Affairs and Chief Legal Officer Kent Walker published a statement on the company’s blog on Thursday, arguing for better support of the open source community.

“For far too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and solve problems,” Walker said. “But in fact, while some projects have many eyes on them, others have few or none at all.”

In his post, Walker proposes increased public and private support for open source projects, the establishment of security and testing baselines, and a framework for identifying “critical” projects, meaning the kind that are used everywhere (i.e. something like Log4j).

What the government and other members of Big Tech have in mind for better open source security is not entirely clear at this point, but the fact that they are talking about it at all seems like a good sign.
