Biden Administration Allocates $11 Million for Open Source Software Security


The White House and the Department of Homeland Security (DHS) are taking significant steps to improve national cybersecurity by launching an $11 million initiative focused on open-source software. This project, named the Open-Source Software Prevalence Initiative (OSSPI), aims to better understand how open-source software is used in critical sectors like healthcare, transportation, and energy production, and to develop strategies for securing these vital areas.

The White House formally announced the initiative on Friday, and further details were shared by National Cyber Director Harry Coker during the DEF CON cybersecurity conference over the weekend. Coker explained that the DHS would be funding this effort as part of the 2021 Bipartisan Infrastructure Law. The primary goal of OSSPI is to assess the prevalence of open-source software across key infrastructure and collaborate with government and private sector partners to enhance national cybersecurity.

Open-source software, which is freely available for anyone to use and modify, is a fundamental component of the digital infrastructure that supports critical industries. Its widespread reuse is also what makes it a security concern: a vulnerability in one widely used component is inherited by every product and system that depends on it, directly or through transitive dependencies, so a single flaw can have far-reaching consequences. Coker highlighted the importance of this initiative, stating that the government must contribute to the open-source community as part of broader efforts to protect the nation's infrastructure.

As part of the OSSPI, a working group comprising public and private sector members will be established later this year. This group will be tasked with developing recommendations on how to better secure open-source software. Although the White House has not released detailed information about the initiative, the announcement was accompanied by a summary report that included a dozen recommendations from the cybersecurity community. These recommendations outline key areas where the federal government should focus its efforts to improve the security of open-source software.

During his speech at DEF CON, Coker expressed his gratitude to the cybersecurity community for their contributions and encouraged researchers to continue sharing their ideas and findings. He emphasized that many of the recommendations extend beyond what the government can achieve alone and stressed the importance of collaboration with security researchers. Coker believes that the same commitment to responsible vulnerability disclosure that drives the cybersecurity community will motivate researchers to continue contributing to the protection of the internet.

In addition to the OSSPI, Coker revealed that his office is working on developing a software liability regime. This regime would shift the responsibility for defending cyberspace onto technology producers, particularly those who profit from the software. The concept of a software liability regime was introduced in last year’s National Cybersecurity Strategy and has been a subject of debate. The White House has made it clear that it does not intend to penalize underfunded open-source developers, but Coker has argued that software manufacturers must be held accountable when they rush insecure code to market.

The idea of a software liability regime has gained traction within the cybersecurity community. During the Black Hat cybersecurity conference last week, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly also discussed the importance of holding technology vendors accountable. She announced her plans to meet with Rep. Mark Amodei, chairman of the House Homeland Security Appropriations Subcommittee, to advocate for clear standards of care and safe harbor provisions for vendors who prioritize secure development processes.

Easterly believes that focusing on the vendors, rather than solely on threat actors or victims, is where the battle for cybersecurity will be won. By holding technology producers to higher standards, she argues, significant progress can be made in securing critical infrastructure and protecting the nation from cyber threats.

The OSSPI represents a crucial step in the ongoing efforts to improve the security of open-source software and, by extension, the cybersecurity of the nation’s critical infrastructure. Through collaboration between the government, private sector partners, and the cybersecurity community, the initiative aims to address the unique challenges posed by the widespread use of open-source software and ensure that the digital foundations of critical industries are secure.
