After Log4j, Open-Source Software Is Now a National Security Issue

Photo: Dünzl/ullstein bild (Getty Images)

For years, developers of free, open-source software have been telling anyone who will listen that their projects need better financial assistance and more oversight. Now, after a number of disastrous incidents involving open-source code, the federal government and Silicon Valley may finally be listening.

A meeting at the White House on Thursday saw executives from some of the tech sector’s biggest companies meet with administration officials to discuss the need for better security in the open-source community. The list of attendees included big names like Google, Facebook, Microsoft, Amazon, Oracle, and Apple, among others.

Unlike proprietary software, open-source software is free, publicly inspectable, and can be used or modified by anybody. Because of how useful open-source tools can be, big corporations will often utilize them for development purposes. But, unfortunately, open-source projects need oversight and funding to remain secure—and they don’t always get it. For years, open-source developers have complained that their software needs better support from Big Tech and other institutional actors—an issue that is finally gaining some mainstream attention.

It’s not hard to see why the White House has convened its meeting right now. Just a month or so ago, a pernicious vulnerability was found in log4j, the popular open-source Apache logging library. Because the library is embedded in software used by just about everybody, the flaw set off widespread panic throughout the tech industry, as companies scrambled to patch the systems and products that depended on it. (Officials from the Apache Software Foundation were also present at Thursday’s meeting.)

Log4j isn’t the only open-source debacle to occur lately. Just last week, the creator of two widely used software tools inexplicably disabled them through a series of bizarre updates. Marak Squires, the developer behind the popular JavaScript libraries Faker and Colors, sabotaged the packages and in doing so broke thousands of other software projects that depended on them.

In short: There’s clearly room for improvement and, thankfully, attendees of the recent White House meeting seem fairly amenable to it. At the meeting, White House national security advisor Jake Sullivan apparently called open-source software a “key national security issue.” Similarly, Google’s President of Global Affairs and Chief Legal Officer Kent Walker published a statement to the company blog on Thursday arguing that he wanted to see better support for the open-source community.

“For too long, the software community has taken comfort in the assumption that open-source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems,” said Walker. “But in fact, while some projects do have many eyes on them, others have few or none at all.”

In his statement, Walker further suggests increased public and private support for open-source projects, the establishment of security and testing baselines, and the development of a rubric for identifying “critical” projects—the kind that get a lot of use (i.e., probably something like log4j).

What exactly the government and other members of Big Tech have in mind for better open-source security isn’t entirely clear at this point, but the fact that they’re talking about it seems like a good sign.