In the United States they presented legislation to strengthen the security of free software

The United States is betting on improving the quality and security of open source

US Senators Gary Peters and Rob Portman, Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, have introduced bipartisan legislation to protect federal systems and critical infrastructure by strengthening the security of free software.

Under the Securing Open Source Software Act, CISA would be directed to develop a risk framework for assessing how the federal government uses open source software, and to assess how that same framework could be used voluntarily by critical infrastructure owners and operators.

The goal is to identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience in developing open source software, so that the government and the community work hand in hand and are prepared to address incidents such as the Log4j vulnerability. In addition, the legislation requires the Office of Management and Budget (OMB) to provide guidance to federal agencies on the safe use of open source software, and establishes a software security subcommittee within CISA's Cybersecurity Advisory Committee.

The legislation follows a hearing held by Peters and Portman on the Log4j incident earlier this year, and would require the Cybersecurity and Infrastructure Security Agency (CISA) to ensure that the federal government, critical infrastructure and others use free software safely.

The Log4j vulnerability has affected millions of computers around the world, including critical infrastructure and federal systems, which has led leading cybersecurity experts to describe it as one of the most serious and widespread vulnerabilities ever seen.

Google's open source team said it analyzed Maven Central, the largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. This includes Java packages that use versions of Log4j vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). The vulnerability has been characterized by Tenable as "the biggest and most critical vulnerability of the last decade."

“Free software is the foundation of the digital world and the Log4j vulnerability has shown how much we depend on it. This incident posed a serious threat to federal systems and critical infrastructure businesses, including banks, hospitals and utilities, that Americans depend on every day for essential services,” said Senator Peters. “This bipartisan, common-sense legislation will help protect free software and further strengthen our cybersecurity defenses against cybercriminals and foreign adversaries launching relentless attacks on networks across the country.”

“As we saw with the Log4Shell vulnerability, the computers, phones and websites that we all use every day contain open source software that is vulnerable to cyber attacks,” said Senator Portman. “The bipartisan Open Source Software Security Act will ensure that the US government anticipates and mitigates security vulnerabilities in open source software to protect Americans' most sensitive data.”

The senators stress that the vast majority of computers in the world run open source software in one way or another, and that the federal government, as one of the world's largest users of free software, must be able to manage its own risks and contribute to the security of free software in the private sector and the rest of the public sector.

Additionally, the legislation requires the Office of Management and Budget to issue guidelines to federal agencies on the safe use of free software and create a Software Security Subcommittee within CISA's Cybersecurity Advisory Committee.

Peters and Portman have led several efforts to strengthen the nation's cybersecurity. Their landmark bipartisan provision requiring owners and operators of critical infrastructure to report to CISA when they experience a significant cyberattack or make a ransomware payment has been signed into law.

Legislation by the senators to strengthen cybersecurity for state and local governments was also signed into law. The Peters and Portman bills to protect federal networks and to ensure that the government can safely adopt cloud technology also passed the Senate unanimously.

Finally, if you are interested in learning more, you can consult the details at the following link.
