More Light Shines On Open Source Software’s Security Problems

A committee examined the problems posed by the fact that much of the digital world is built on open source software. In the wake of the SolarWinds and Log4j hacks, which succeeded in large part because of weaknesses in open source software, the United States (U.S.) government has been grappling with how to drive better security in software development. Open source software developed by many experts has many advantages, not least that developers can use it as building blocks for new software and applications. However, that same widespread availability makes it vulnerable to tampering and security problems. U.S. policymakers therefore face a tough problem, and they have multiple efforts underway to solve it.
The government responses that followed the SolarWinds and Log4j hacks are not the first to delve into open source software. Starting in 2018, the U.S. National Telecommunications and Information Administration (NTIA) convened “a multistakeholder process to develop greater transparency of software components for better security across the digital ecosystem” and explained in their first notice about the effort:
Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open source and commercial software world. Modern development practices such as code reuse, and a dynamic IT marketplace with acquisitions and mergers, make it challenging to track the use of software components. The Internet of Things compounds this phenomenon, as new organizations, enterprises and innovators take on the role of software developer to add “smart” features or connectivity to their products. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with vulnerable or out-of-date components. Many technical solutions to aid in this have already been developed by industry and the standards community.
The current administration has accelerated efforts to address software vulnerabilities. In May 2021, President Joe Biden signed Executive Order 14028 “Improving the Nation's Cybersecurity” and tasked the National Institute of Standards and Technology (NIST) with directives regarding software supply chains, software bill of materials, and open source software. Indeed, in Section 4, the President stated the reasons why these policy areas are crucial:
The security of software used by the Federal Government is vital to the Federal Government's ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software”—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
NIST detailed the tasks it has completed under EO 14028:
- NIST consulted with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then defined “critical software” by June 26, 2021.
- NIST published guidance outlining security measures for critical software by July 11, 2021, after consulting with CISA and OMB. By that same date, after consulting with the NSA, NIST published guidelines recommending minimum standards for vendors’ testing of their software source code.
- NIST issued preliminary guidelines by November 8, 2021, based on stakeholder input and existing documents, for enhancing software supply chain security.
- After consulting heads of various agencies by February 6, 2022, NIST issued additional guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria.
- Regarding cybersecurity labeling for consumers, by February 6, 2022, NIST identified:
  - IoT cybersecurity criteria for a consumer labeling program and
  - Secure software development criteria for a consumer software labeling program.
- NIST issued additional information about its software supply chain guidance plans, including review and update procedures, by May 8, 2022.