White House announces plan to strengthen open-source software security

The White House and DHS have launched an $11 million initiative to enhance the security of open-source software in critical infrastructure, emphasizing collaboration between the government, private sector, and cybersecurity community.


The White House and the Department of Homeland Security (DHS) have announced an $11 million initiative to explore and enhance the security of open-source software (OSS) used in critical infrastructure sectors such as healthcare, transportation, and energy production. This effort, known as the Open-Source Software Prevalence Initiative (OSSPI), aims to map out the use of open-source software across these vital areas, enabling the federal government and private sector to bolster national cybersecurity.

The initiative was officially announced by the White House, and further details were shared over the weekend at the DEF CON cybersecurity conference by National Cyber Director Harry Coker. A key component of this initiative is the formation of a public-private working group, set to be established later this year, to develop strategies for enhancing the security of OSS. Although specific details about the initiative are not known yet, the White House released a summary report last year containing a dozen recommendations from the cybersecurity community on areas for federal focus in open source security.

The report outlines several ongoing and planned activities, including:

  • Securing software package repositories
  • Strengthening collaboration between the federal government and open-source communities
  • Expanding the use of Software Bill of Materials (SBOMs)
  • Enhancing the security of the software supply chain
  • Establishing an ‘Open-Source Program Office’
  • Implementing vulnerability severity metrics
  • Boosting educational initiatives
  • Phasing out legacy software

While the White House has clarified that it does not intend to penalise underfunded open-source developers, Coker has repeatedly stressed that software manufacturers must be held accountable when they prioritise speed over security. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly echoed these sentiments at the Black Hat cybersecurity conference, advocating for a software liability regime with clear standards of care and safe-harbour provisions for vendors who prioritise secure development practices.