Log4j: Senators introduce bill centered on CISA open source security efforts

A bipartisan group of senators introduced a new bill this week intended to address the security risks of open source software in government.

The Securing Open Source Software Act — sponsored by Senators Gary Peters (D-Mich.) and Rob Portman (R-Ohio) — would require the Cybersecurity and Infrastructure Security Agency (CISA) to create a “risk framework” around the use of open source code within the government and critical infrastructure agency.   

CISA would need to find ways to “mitigate risks in systems that use open source software” as well as hire experienced open source experts to address issues like Log4j. The bill also requires the Office of Management and Budget (OMB) to publish guidance for agencies about how to use open source software securely. 

A “software security subcommittee” would be created within the CISA Cybersecurity Advisory Committee as a byproduct of the bill. 

Both Peters and Portman cited the Log4j vulnerability as one of the main drivers of the bill’s creation. A top Department Of Homeland Security (DHS) official said last month that cybersecurity officials may spend “a decade or longer” dealing with continued Log4j exposure. 

Two weeks ago, researchers from Cisco said they discovered several energy companies across the U.S., Canada, Japan and more were hacked this summer through Log4j. In recent months, several cybersecurity firms have warned that the vulnerability Log4Shell is still an issue despite the global campaign to patch it.

“Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services,” Peters said. 

“This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”

DHS recently concluded a wide-ranging investigation into Log4j's origins led by the newly-formed Cyber Safety Review Board. The two senators lead the Committee on Homeland Security and Governmental Affairs.

Rob Silvers, the undersecretary for policy at DHS and review board co-chair, called the government's Log4j efforts “the largest mass scale cyber response in history” after the vulnerability was discovered in December 2021

“Log4j is not over,” Silvers said. “This was not a historic look back and now we’re in the clear.”

Peters and Portman convened a hearing earlier this year on Log4j and noted in statements this week that it is considered “one of the most severe and widespread cybersecurity vulnerabilities ever seen.”

The senators said the federal government is one of the world’s largest users of open source software and “must be able to manage its own risk” in addition to supporting private sector use. 

The Atlantic Council’s Trey Herr said the bill would “for the first time ever, codify open source software as public infrastructure.”

According to Portman, the bill is designed to ensure that the U.S. government “anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

“As we saw with the log4shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” Portman said. 

The two senators previously partnered on a successful effort to squeeze a critical infrastructure incident reporting provision into a larger bill and get cybersecurity funding for states through Congress. 

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

No previous article
No new articles