Sep 23, 2022 - Technology

Lawmakers introduce bill to tackle open-source software

Sens. Gary Peters and Rob Portman at a hearing

Sens. Rob Portman and Gary Peters at a congressional hearing in September 2021. Photo: Greg Nash/Getty Images

A pair of influential senators have devised a plan to beef up the federal government’s approach to securing open-source software, or tools that developers create for free public consumption.

Driving the news: Senate Homeland Security Committee leaders Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill Thursday requiring CISA to develop a risk framework laying out how the federal government relies on open-source code.

Between the lines: Since last year’s Log4j vulnerability, both the federal government and industry have been scrambling to figure out how to toughen open-source software.

  • Open-source developers often don’t have the time to constantly update and patch their creations against new vulnerabilities.
  • But companies rely heavily on these free resources when building out their own tools since they cover basics like logging tasks.
  • The Open Source Security Foundation rolled out a project to better secure at least 10,000 open-source projects, and the White House hosted a meeting in January with private- and public-sector partners to discuss the issue further.

Details: Peters and Portman’s Securing Open Source Software Act would require CISA and other federal offices to tackle the issue in a few ways:

  • CISA would need to develop a risk framework within a year for federal government uses of open-source software.
  • CISA would also have to hire a set of open-source security developers to better defend against future cyber threats targeting this code.
  • The Office of Management and Budget would issue guidance for how federal agencies secure open-source software.

The intrigue: Peters and Portman have been behind some of the most influential pieces of cybersecurity legislation in the last few years, so this bill could stand a good chance of making it through Congress.

  • Earlier this year, President Biden signed into law a bill from the duo requiring all critical infrastructure operators to report cyber incidents to the federal government within 72 hours.
  • The lawmakers plan to hold a committee vote on the bill next week, according to the Post.

Yes, but: Congress faces a truncated legislative schedule as the midterm elections approach, leaving little time for the lawmakers to get their bill passed before a new session begins.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper