The White House, along with several governmental entities, issued a call for experts to collaborate in formulating cybersecurity policies for open-source software. Their objective is to enhance software security through the promotion of more secure programming languages. The imperative for improved security in open-source software has intensified over the past two years, notably following the widespread Log4j vulnerability, which became a favoured target for both criminal actors and nation-states.
Since the release of the National Cybersecurity Strategy earlier this year, government officials have embarked on a comprehensive endeavour to move beyond superficial cybersecurity measures and tools. Instead, they are targeting the underlying causes of cyber instability. In a joint effort, the White House's Office of the National Cyber Director (ONCD) collaborated with CISA, the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) to publish a Request for Information (RFI) that addresses open-source software security and the adoption of memory-safe programming languages.
The White House established an interagency working group named the Open-Source Software Security Initiative (OS3I), which recognizes the unique security risks posed by the widespread usage of open-source software across commercial, governmental, and military domains. This collaborative effort aims to identify and implement strategies for enhancing protections. Both the public and private sectors are invited to contribute to the development of initiatives and action plans to bolster the resilience of the open-source software ecosystem.
This initiative and the broader campaign to encourage the use of memory-safe languages took centre stage during discussions at the Black Hat security conference in Las Vegas. In a keynote address, Kemba Walden, acting director of ONCD, advocated for a paradigm shift in the US government's approach to cybersecurity. She underscored the need for policies that rebalance cybersecurity responsibilities and empower entities capable of mitigating risk.