The White House Is Worried About Open Source Software Security
Chianese had built the code while working for a startup called LunchBadger Inc., where maintaining Express Gateway was part of his job. The company shut down in 2019, and he was faced with the prospect of keeping up the project by himself. Overwhelmed, Chianese sought help from well-known organizations that were using Express Gateway, including Dell Technologies Inc. and FIFA, the global soccer organization. “I said, ‘Hey, this is a situation,’” he says. “Their response was essentially zero.” Dell and FIFA didn’t respond to emails seeking comment.
Facing a new full-time job with its own responsibilities, Chianese abandoned the project. His decision to step back from the painstaking task of addressing each user’s complaints probably left flaws unresolved.
Open source software projects make up a key part of the code powering the desktop computers, mobile phones, and computer servers of the modern internet. This model of development has flourished for decades as an alternative to software sold by major tech companies, which can be expensive, regularly comes with onerous copyright restrictions, and is often tightly controlled by small enclaves of programmers.
Many developers take it as a point of faith that open source development results in software that’s more stable and secure. But a potential vulnerability is the reliance on volunteer coders, whose technical skills, personal whims, and changing schedules can determine whether a program is properly maintained.
Public officials have expressed new security concerns around open source software after a critical security flaw in Log4j, a widely used Java logging library, was revealed in November. The library, which records activity in untold millions of pieces of software globally, is maintained by a group of unpaid programmers as part of the nonprofit Apache Software Foundation. Left unfixed, the flaw lets attackers run code of their choosing on affected systems remotely, which can lead to a wide range of other consequences.
Anne Neuberger, the U.S. deputy national security adviser for cyber, told Bloomberg TV in December that open source was a “witch’s brew” that’s “built by volunteers, broadly used, and not managed.” On Jan. 13, senior Biden administration officials met with Apple, Alphabet, IBM, Meta, Microsoft, Oracle, and other companies to discuss improving security of open source projects. The White House said the summit focused on how to better prevent security defects, improve the process for finding them, and shorten the time it takes to get faulty code fixed.
U.S. cyber officials say the Log4j flaw remains a pressing concern, even if they can’t point to widespread hacks resulting from the vulnerability. “The scale and potential impact of this makes it incredibly serious,” says Jen Easterly, who heads the federal Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.
Boaz Gelbord, the chief security officer of Akamai Technologies Inc., says the tech industry should offer more financial assistance to open source projects, and perform security reviews to search for vulnerabilities, because the incredible complexity and automation of modern software can make it difficult for people to understand fully how any system works. “I think in some way there’s almost less visibility today than there was in the past,” he says.
This would be a welcome change from the perspective of open source developers like Chianese, who complain that commercial companies are happy to use free software but have shown little interest in investing resources to shore it up.
Not all software built on open source code is a labor of love. Some of the world’s largest tech firms have contributed money and resources to the software, and have themselves built on open source code for their own uses. Google’s Android operating system, used in more than 3 billion devices, is built on the open source Linux kernel. But volunteer-written code is dispersed widely enough to make the competence and continued commitment of volunteer developers critical to the health of many software products. GitHub Inc., the popular code-repository platform, reported in 2019 that millions of projects rely on open source components that have 40 or fewer direct contributors.
The whole idea of open source is that people who use the software will identify needed improvements and either suggest them or make them on their own. An employee at Alibaba Group Holding Ltd.’s cloud security team was the one who found the Log4j flaw and alerted the Apache team. But there’s no guarantee that the person to discover the next vulnerability would make the same move. Chinese regulators have targeted Alibaba for allegedly violating a law requiring that security issues in software be reported first to the government. Security experts outside the country took that as an ominous sign.
©2022 Bloomberg L.P.