Log4j: Senators introduce bill centered on CISA open source security efforts

A bipartisan group of senators introduced a new bill this week intended to address the security risks of open source software in government.

The Securing Open Source Software Act — sponsored by Senators Gary Peters (D-Mich.) and Rob Portman (R-Ohio) — would require the Cybersecurity and Infrastructure Security Agency (CISA) to create a “risk framework” governing the use of open source code within the federal government and in critical infrastructure.

CISA would need to find ways to “mitigate risks in systems that use open source software” and to hire staff with open source expertise to address issues like Log4j. The bill would also require the Office of Management and Budget (OMB) to publish guidance for agencies on how to use open source software securely.

The bill would also create a “software security subcommittee” within the CISA Cybersecurity Advisory Committee.

Both Peters and Portman cited the Log4j vulnerability as a main driver of the bill’s creation. A top Department of Homeland Security (DHS) official said last month that cybersecurity officials may spend “a decade or longer” dealing with continued Log4j exposure.

Two weeks ago, researchers from Cisco said they discovered that several energy companies across the U.S., Canada, Japan and elsewhere were breached this summer through Log4j. In recent months, several cybersecurity firms have warned that Log4Shell (CVE-2021-44228), the remote code execution vulnerability in the Log4j logging library, remains a live issue despite the global campaign to patch it.

“Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services,” Peters said. 

“This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”

The two senators lead the Senate Committee on Homeland Security and Governmental Affairs. DHS recently concluded a wide-ranging investigation into the Log4j vulnerability, led by the newly formed Cyber Safety Review Board.

Rob Silvers, the under secretary for policy at DHS and co-chair of the review board, called the government’s Log4j efforts “the largest mass scale cyber response in history” after the vulnerability was disclosed in December 2021.

“Log4j is not over,” Silvers said. “This was not a historic look back and now we’re in the clear.”

Peters and Portman convened a hearing earlier this year on Log4j and noted in statements this week that it is considered “one of the most severe and widespread cybersecurity vulnerabilities ever seen.”

The senators said the federal government is one of the world’s largest users of open source software and “must be able to manage its own risk” in addition to supporting private sector use. 

The Atlantic Council’s Trey Herr said the bill would “for the first time ever, codify open source software as public infrastructure.”

According to Portman, the bill is designed to ensure that the U.S. government “anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

“As we saw with the Log4Shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” Portman said.

The two senators previously partnered on a successful effort to attach a critical infrastructure cyber incident reporting provision to a larger spending bill and to get cybersecurity grant funding for state and local governments through Congress.

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
