Exclusive: Feds to offer new support to open-source developers

Illustration: Shoshana Gordon/Axios
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency first told Axios.
Why it matters: Open-source projects are the foundation of most major software running today — but they're often riddled with easy-to-hack bugs because developers lack the resources to properly update and maintain their projects.
- Cash-strapped nonprofits run several widely used open-source projects, including the Python and Ruby programming languages and the Linux operating system.
Driving the news: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials.
- During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.
Zoom in: During the summit, CISA and a handful of package repositories — online forums where developers upload and share the applications they've built using these open-source languages — unveiled new initiatives to help secure open-source projects.
- CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident.
- The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.
- npm, which manages the JavaScript programming language, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project.
- Additional repositories — including the Python Software Foundation, Packagist, Composer and Maven Central — are pursuing similar projects and also rolling out tools to help detect and report malware and other security vulnerabilities.
What they're saying: "There's a lot of good work that's been done, but it's something that we think needs to have a synchronized approach across the board to help drive these security improvements," Jack Cable, a senior technical adviser at CISA, told Axios.
The big picture: A recent Harvard Business School and University of Toronto report found that the demand-side economic value generated from open-source software is about $8.8 trillion each year.
- That's because these programming languages and the projects they inspire are found across most software and technology products, the study points out.
Catch up quick: The Biden administration has been prioritizing open-source software security ever since 2021 when hackers exploited a security flaw in open-source logging tool Log4j.
- The flaw left hundreds of millions of systems vulnerable to an attack and both cybercriminals and nation-state hacking groups used the flaw in attacks.
Between the lines: After years of learning more about the community and where government resources can fit in, CISA now sees its role as a facilitator, rather than a regulator.
- "The [new] communication channel is really an opportunity for [open-source developers] to know that they can ask CISA to help in a crisis, which a lot of them didn't know they could do," Aeva Black, CISA's open source security lead, told Axios.
- During the tabletop exercise, many participants also learned new approaches to cybersecurity from one another as they responded to a fake "doomsday" incident, Black said.
What's next: CISA plans to share details from the summit's tabletop exercise in the coming days — including materials that other organizations can use to run similar exercises.
