Lawmakers advance cyber bills aimed at open-source, satellite vulnerabilities
The House Homeland Security Committee on Wednesday easily advanced legislation to ensure the federal government and critical infrastructure can tap open-source software securely.
The panel approved by voice vote bipartisan legislation to require the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework laying out how the federal government relies on open-source code.
The measure — a companion to legislation the Senate Homeland Security Committee passed in March — is a response to the security vulnerability researchers uncovered in popular open-source code Log4j in late 2021, which CISA estimates affected millions of devices worldwide.
“We are still responding to that hack today,” committee chair Mark Green (R-TN), one of the bill’s co-sponsors, said at the beginning of the panel meeting.
Today, open-source developers rarely have the time or resources to continually update and patch their creations against new vulnerabilities, even though public and private entities utilize them when creating their own internal tools.
The bill directs CISA to develop a risk framework for federal government uses of open-source software and requires the agency to hire a new cadre of open-source security experts and developers to better defend the code against possible future digital threats.
The legislation, coupled with actions by the Biden administration to promote secure software development, “will dramatically reduce the number of vulnerabilities in the system we rely on and, as a result, reduce the number of successful cyber attacks,” according to Rep. Eric Swalwell (CA), the top Democrat on the committee’s cyber subpanel and another sponsor of the measure.
The committee also approved a bill that would direct CISA to establish a program for Homeland Security Department employees not currently working in cybersecurity roles and offer them training for such positions. It also directs the DHS undersecretary for management to help recruit and identify individuals for the effort.
Senate bills advance
Not to be outdone, the Senate Homeland Security Committee on Wednesday also advanced pieces of cybersecurity legislation.
The panel voted 10 to 1 in favor of a bipartisan bill requiring CISA to give commercial satellite owners and operators information and resources to help them better defend against cyberattacks.
U.S. officials have warned in recent years of the growing digital threat that hostile nation states pose to the operations of commercial and government satellites. Last year Russian hackers were blamed for a strike that crippled a satellite broadband service used by Ukraine’s military ahead of Moscow’s invasion.
Sen. Rand Paul (R-KY) voted against the bill, arguing policymakers should be “circumscribing CISA’s powers, not expanding them.”
The panel also okayed, again by a vote of 10 to 1, bipartisan legislation to establish a civilian cybersecurity reserve pilot program, authorizing cybersecurity reservists to be temporarily called up to provide surge capacity for the federal government in response to significant incidents.
The Senate approved the legislation by unanimous consent last year but it was not taken up by the House.
All of the bills advanced on Wednesday now head to their respective chamber floors for a full vote.