UPDATED 18:34 EST / JANUARY 13 2022

SECURITY

Google calls on U.S. government to do more to secure critical open-source software

After meeting with White House officials today, Google LLC called for the U.S. government to take on a more proactive role in identifying and securing the world’s most critical open-source software projects.

The call came from Kent Walker, Google’s president of global affairs and chief legal officer, who said in a blog post that tighter collaboration between the private sector and the government is needed to ensure more funding and leadership for open-source software security.

“We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements,” Walker wrote.

In the longer term, that partnership needs to come up with new ways of identifying open-source software that might pose a systemic risk, based on how it is integrated with critical projects, so it can anticipate the level of security required to ensure its safety, Walker added.

Google also wants the government and industries to come together to establish baseline standards for security, maintenance, provenance and testing of open-source software. That’s to ensure national infrastructure and other important systems can rely on such projects. Walker said the standards must be developed through a collaborative process that emphasizes frequent updates, continuous testing and verified integrity.

Last, Walker requested more funding from both the government and private sector. He pointed out that many leading companies and organizations aren’t even aware of how much of their critical infrastructure is based on open-source projects.

To remedy that, he called for greater awareness as well as the creation of a marketplace for open-source maintenance that would match volunteers from companies and organizations with critical projects that need supporting. Walker promised Google stands ready to support such an initiative.

The lack of resources for open-source software maintenance and security is an issue that has been raised in the past, but it re-emerged this month following the discovery of a serious flaw in the Log4j Java Library, one of the biggest cybersecurity vulnerabilities spotted in recent years. The Log4j Library is open source, mostly developed and maintained by unpaid labor.

“Open-source software code is available to the public, free for anyone to use, modify, or inspect,” Walker wrote. “That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”

The majority of funding for open-source software usually comes from individual donations by supporters or from sponsorship by tech firms that rely on it. For instance, Google recently committed $100 million to the Linux Foundation’s Secure Open Source rewards program, which aims to provide financial compensation to developers who improve the security of key projects.

For its part, IBM Corp.’s Red Hat unit, whose executives attended the White House National Security Council meeting today, said it supports government efforts to improve security for all kinds of software. “A key theme of the meeting was the recognition that open source software has accelerated the pace of technological innovation, provides tremendous societal and economic benefits, and can contribute greatly to enhancing trust and cybersecurity,” Red Hat said in a statement. “We look forward to working with the Administration and a broad set of stakeholders on any next steps and will continue our focus on supporting our customers and strengthening the open source ecosystem.”

Image: Google

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU