Mar 7, 2024 - Technology

Exclusive: Feds to offer new support to open-source developers

[Illustration: a US eagle seal clutching cursors in its talons. Credit: Shoshana Gordon/Axios]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency first told Axios.

Why it matters: Open-source projects are the foundation of most major software running today — but they're often riddled with easy-to-hack bugs because developers lack the resources to properly update and maintain their projects.

  • Cash-strapped nonprofits run several widely used open-source projects, including the Python and Ruby programming languages and the Linux operating system.

Driving the news: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials.

  • During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.

Zoom in: During the summit, CISA and a handful of package repositories — online services where developers publish and share the packages they've built using these open-source languages — unveiled new initiatives to help secure open-source projects.

  • CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident.
  • The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.
  • npm, the package manager for the JavaScript ecosystem, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project.
  • Additional repositories — including the Python Software Foundation, Packagist, Composer and Maven Central — are pursuing similar projects and are also rolling out tools to help detect and report malware and other security vulnerabilities.

What they're saying: "There's a lot of good work that's been done, but it's something that we think needs to have a synchronized approach across the board to help drive these security improvements," Jack Cable, a senior technical adviser at CISA, told Axios.

The big picture: A recent Harvard Business School and University of Toronto report found that the demand-side economic value generated from open-source software is about $8.8 trillion each year.

  • That's because these programming languages and the projects they inspire are found across most software and technology products, the study points out.

Catch up quick: The Biden administration has been prioritizing open-source software security ever since 2021 when hackers exploited a security flaw in open-source logging tool Log4j.

Between the lines: After years of learning more about the community and where government resources can fit in, CISA now sees its role as a facilitator, rather than a regulator.

  • "The [new] communication channel is really an opportunity for [open-source developers] to know that they can ask CISA to help in a crisis, which a lot of them didn't know they could do," Aeva Black, CISA's open source security lead, told Axios.
  • During the tabletop exercise, many participants also learned new approaches to cybersecurity from one another as they responded to a fake "doomsday" incident, Black said.

What's next: CISA plans to share details from the summit's tabletop exercise in the coming days — including materials that other organizations can use to run similar exercises.
