
Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, have proposed a bill to help protect federal and critical infrastructure systems by strengthening the security of open source software.

The legislation comes after a hearing convened by Peters and Portman on the Log4j incident earlier this year, and would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others.

The vulnerability, known as Log4Shell, was discovered in Log4j, a widely used open source Java logging library, and affected millions of systems worldwide, including critical infrastructure and federal systems.

“Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services,” said Peters.

“This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation,” he added.

“As we saw with the Log4Shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” said Portman. “The bipartisan Securing Open Source Software Act will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, the Atlantic Council. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software.”