White House Hosts Open-Source Security Summit With Big TechAgencies, Departments Attend Meeting Led by the National Security Council
Stay tuned for updates on this developing story.
In the wake of the explosive Apache Log4j vulnerabilities, the White House hosted tech leaders and federal agencies in a summit to discuss ways to improve open-source software security.
U.S. National Security Adviser Jake Sullivan in December invited major tech companies to attend the gathering, which was led by Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, a senior administration official told Information Security Media Group.
The official told ISMG in a statement prior to the event that "the objective of this meeting is to facilitate an important discussion" around open-source software, which is widely used and can be inspected, modified and enhanced by developers. They also said the meeting focused on "brainstorming how new collaboration could rapidly drive improvements."
Organizations in attendance included: Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, RedHat and VMWare.
U.S. agencies and departments in attendance included: the departments of Commerce, Homeland Security, Energy and Defense; the U.S. Cybersecurity and Infrastructure Security Agency; the Office of the National Cyber Director; the National Institute of Standards and Technology; the Office of Science and Technology Policy; and the National Science Foundation.
Firms Describe Meeting
In a statement shared with ISMG following the meeting, Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, said of the summit: "Open-source software is a connective tissue for much of the online world. It deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step toward addressing it."
Mike Hanley, CSO for GitHub and a summit attendee, told ISMG in a statement: "Just one or two lines of vulnerable [open-source] code can have a global ripple effect across the billions of developers and services that rely on it. As the world’s largest developer platform, GitHub takes those risks seriously and understands its responsibility to support the millions of developers on our platform in securing open source. ... Addressing software supply chain security is a team sport. ... And today’s discussion is an important step in securing the world’s code together."
In a statement provided to ISMG after the meeting, Akamai CSO Boaz Gelbord, who also attended, said, "Akamai was delighted to have contributed its perspective and recommendations on how to drive forward security in open-source software. We believe that greater collaboration between government and the private sector is critical to the security and future of the entire internet ecosystem.
"A key takeaway from today's meeting was the collective recognition that ... more needs to be done to support the open-source community to thrive within our ever-evolving threat landscape."
Building On the Cyber EO
The administration official said the meeting continues the work of President Joe Biden's executive order on cybersecurity, issued in May 2021, which placed a focus on software security and drove a range of efforts across the U.S. government and private sector. The mandate requires that only companies that use secure software development life cycle practices and meet specific federal security guidance can sell to the federal government.
The executive order also instituted the use of software bills of materials, or SBOMs, for federal vendors. SBOMs are comprehensive listings of specific software components, and they can reduce manual identification processes in the wake of damaging vulnerability disclosures.
Prior to the gathering, the administration official also outlined other open-source concerns.
"The fact that it is broadly used and maintained by volunteers is a ... key national security concern, as we are experiencing with the Log4j vulnerability," they said. "Software security is essential to our national and economic security. And the SolarWinds and Hafnium incidents serve as recent reminders that strategic adversaries actively exploit vulnerabilities for malicious purposes.
"This problem is not new. At this meeting, together, we will discuss existing efforts to address it, what has worked and what else can be done to secure the open-source software that we all fundamentally rely on."
Google's Walker said that during the meeting, the tech giant shared several proposals, on topics including identifying critical open-source projects; establishing security, maintenance and testing baselines; and increasing public and private support. The latter includes the formation of a new organization that would serve as a marketplace for open-source maintenance, matching volunteers with critical projects, he said.
National Security Risk
Commenting on the summit, Grant Geyer, CISO at industrial cybersecurity company Claroty, said severe open-source software vulnerabilities will not disappear, because administrators "aren't always aware of where these open-source components live inside either commercial or homegrown software applications."
Geyer also agreed that "many open-source projects are under-resourced and poorly funded; these challenges often don't come to light unless a critical vulnerability surfaces."
And while Log4j has brought continued attention to the adoption of SBOMs, the concept has been in the works for a time. Following Biden's May 2021 executive order, the National Telecommunications and Information Administration outlined minimum elements of an SBOM. And CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters this week that CISA is now in its "operational phase" for facilitating SBOM adoption across federal networks (see: CISA: Federal Response to Log4j Has Been 'Exceptional').
"Albeit reactionary to the Log4j vulnerability, [the] White House meeting should serve as more impetus to mandate visibility into software running on key critical infrastructure systems, and the adherence to minimum secure development standards," added Geyer.
To Ron Brash, vice president of technical research and integrations at aDolus Technology, which focuses on software intelligence for critical infrastructure and partners with CISA and the wider DHS, the biggest impact of Thursday's summit will be in public and private leaders recognizing a shift in focus toward the supply chain - since implications of today's software use now extend beyond asset owners and solution providers.
This week, it was reported that attackers are wielding Night Sky ransomware to exploit vulnerabilities in the widely used Apache software. This comes just weeks after Apache's first public alert, on Dec. 10, 2021, that a critical flaw in the Java Naming and Directory Interface API in versions of the Log4j logging utility prior to 2.15.0 could be exploited to take control of a vulnerable system (see: Night Sky Ransomware Distributed via Log4j Exploits).
CISA Director Jen Easterly this week said that federal activity to patch or mitigate Log4j has been "exceptional" and that "we're really tackling the challenge with an unprecedented level of operational collaboration."
Easterly also said that there has been widespread exploitation of Log4j by criminal actors, and that adversaries may have already compromised systems and could be waiting to leverage their access once network defenders are on "lower alert."
[Update: Jan. 13, 2:50 p.m.]: This story has been updated to include commentary from summit attendees, including Google and GitHub.
[Update: Jan. 13, 5 p.m.]: Additional commentary added from Akamai, a summit attendee.
[Update: Jan. 14, 9 a.m.]: The White House later confirmed in a statement: "Participants had a substantive and constructive discussion on how to make a difference in the security of open-source software, while effectively engaging with and supporting the open-source community." Officials said the discussion focused on three areas: preventing security defects and vulnerabilities in code and open-source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. The White House said participants will "continue discussions" in the coming weeks.