Biden administration pledges $11 million to open source security initiative

The White House and Department of Homeland Security (DHS) are partnering on an $11 million initiative to gain an understanding of how open source software is used across critical infrastructure and to better secure it. 

The White House announced the measure on Friday, and at the DEF CON cybersecurity conference over the weekend, National Cyber Director Harry Coker said DHS will fund it under the 2021 Bipartisan Infrastructure Law. 

The effort — named the Open-Source Software Prevalence Initiative (OSSPI) — is designed to get a handle on the distribution of open-source software components in areas like healthcare, transportation and energy production, eventually allowing the federal government and private sector partners to strengthen national cybersecurity. 

“We know that open source underlies our digital infrastructure, and it's vital that as a government, we contribute back to the community as part of broader infrastructure efforts,” Coker told the DEF CON audience.

“There will also be a public and private sector working group that stands up later this year to take on recommendations on how to better protect open source software.”

The Office of the National Cyber Director was tightlipped about the specifics of the initiative but the announcement was made alongside the release of a summary report featuring a dozen recommendations submitted by the cybersecurity community about areas the federal government should prioritize and focus on when it comes to open source security. 

The report lists activities that are either planned for the future or in progress, including:

  • Securing package repositories.
  • Deepening ties between the federal government and open-source communities.
  • Further developing the use of Software Bill of Materials.
  • Strengthening the software supply chain.
  • Creating an “Open-Source program office.”
  • Assigning vulnerability severity metrics.
  • Increasing education initiatives.
  • Replacing legacy software.

At DEF CON, Coker thanked the cybersecurity community for submitting its recommendations and urged researchers to continue reaching out with ideas on further securing open source software. 

“Many more of the recommendations go beyond what the government can do alone, and that's where you all come in. These policy proposals rely on the dedication of security researchers and their willingness to freely share their findings in order to work in our conversations,” he said. 

“I know that you all are up to it, and I know that the same value set that drives responsible vulnerability disclosure will lead you to continue to step up for the protection of the internet.” 

Coker also noted that his office is working on developing a software liability regime, arguing that the responsibility for defending cyberspace “falls upon the more capable actors in the ecosystem” including technology producers. 

A software liability regime — which would shift the onus onto final-goods assemblers who profit from the software — was one of the most controversial measures mentioned in the National Cybersecurity Strategy last year. 

While the White House has repeatedly said it does not want to punish underfunded open source developers, Coker has previously said in speeches this year that software manufacturers need to be held accountable when they “rush code to market.”

At the Black Hat cybersecurity conference last week, Cybersecurity and Infrastructure Security Agency Director Jen Easterly also mentioned a software liability regime, telling reporters that she plans to meet with Rep. Mark Amodei (R-NV), the chairman of the House Homeland Security Appropriations Subcommittee, to press the importance of software liability that includes “articulable standards of care” as well as safe harbor provisions for technology vendors that “responsibly innovate using secure development processes.”

“I think there is more we can do but that is where the war will be won,” she said. “If we put aside the threat actors and we put aside the victims and we talk about the vendors.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.