Sep 12, 2023 - Technology

Biden administration, tech industry draft a long-term plan to secure open source software

Illustration of a quill resting in a computer as if it were an ink well.

Illustration: Aïda Amer/Axios

Roughly 90 government officials and private sector executives are convening in Washington this week to draft a new, long-term plan for securing open-source software, the publicly available code that most commercial and government systems are built on.

Why it matters: Most software contains at least some open-source code, but the developers maintaining open-source projects are typically volunteers who lack the time and funding to keep up with security fixes, code review and other maintenance.

Driving the news: The Open Source Security Foundation (OpenSSF) is hosting a two-day summit in Washington, D.C., starting Tuesday to discuss some of the security issues that still plague the open-source community.

  • Government officials from the White House, the Defense Department, the Cybersecurity and Infrastructure Security Agency, the National Science Foundation and other offices will participate in the summit — alongside a range of companies, including Amazon, Apple, JPMorgan Chase & Co. and GitHub, a senior administration official told Axios.

Catch up quick: This week's summit builds on a set of White House meetings and tech sector initiatives last year in the wake of the Log4j vulnerability (Log4Shell, disclosed in December 2021), a critical flaw in a widely used Java logging library that showed how a single open-source component could expose a large share of the software ecosystem.

  • The White House hosted the first summit in January 2022 and had a follow-up meeting last May to discuss policy and private sector solutions.
  • Tech companies pledged $30 million to fund a 10-point plan to better secure open-source software, such as establishing new OpenSSF courses to educate the open-source community and providing third-party code reviews for some of the most critical projects.
  • Since May 2022, more than 20,000 developers have participated in OpenSSF's security education courses, the senior administration official told Axios.

What they're saying: "We set very aggressive goals last year, because the Log4j incident highlighted how much open source matters and how there were systemic issues with open source that needed to be addressed to improve security," Anne Neuberger, deputy national security adviser for cyber and emerging technologies, told Axios.

  • "The administration knows that you can't just kick off an effort and expect everything to get done — you need to check in and continue to spark momentum and progress."

Details: Participants will start the summit Tuesday discussing the current state of open-source security and providing updates on the projects they launched last year, Omkhar Arasaratnam, general manager at OpenSSF, told Axios.

  • On Wednesday, the summit will establish charters for a set of new task forces focused on various open-source security topics based on what's discussed Tuesday, he added.
  • These task forces will operate inside OpenSSF throughout the year and will provide periodic updates to the White House. OpenSSF hopes to hold another summit next fall.
  • By the end of Wednesday, summit participants are expected to walk away with a new call to action and plans for future public-private initiatives.

The intrigue: The last set of open-source security initiatives predates the current AI boom, and participants are likely to discuss ways that AI could help identify the open-source components inside companies' products, the senior administration official said.

What's next: Arasaratnam and the Biden administration are hoping to hear from anyone who works with open-source technologies — even if they weren't at the summit — about the best ways to protect these projects.

  • "This is open source; you don't have to be a big bank or large government entity," Arasaratnam said. "There is an equal opportunity for members of the general public all the way up to large international corporations to get behind this."
