Senate panel approves open-source software bill, though future unclear
The Senate Homeland Security Committee on Wednesday easily approved legislation to better secure open-source software.
The panel okayed the legislation, dubbed the Securing Open Source Software Act, by voice vote as part of an en bloc package of bills during a business meeting. Approval came a week after committee leaders Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio) introduced the measure.
The bill was prompted by the widespread Log4j vulnerability. The flaw was discovered late last year and sent the private sector, as well as governments around the globe, scrambling to secure their networks before the ubiquitous code could be exploited by hackers.
The bipartisan legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework within the next year that details how the federal government relies on open-source code.
Meanwhile, the Office of Management and Budget would issue guidance for how federal entities secure open-source software.
CISA would also have to hire a cadre of open-source security experts to strengthen defenses against future hacks that use such code.
Prior to the vote, Portman called the bill “critical to public safety” but noted that one of his Senate colleagues “has some questions about it.”
“That’s one I think we should mark up today, but I think we should continue to look at before it goes to the floor,” he added. “The computers, phones and websites we use in our daily lives contain open source software that’s vulnerable to cyber attack.”
The bill now goes to the full Senate for consideration. However, with few legislative days left before the midterm elections, the measure will likely be attached to another piece of legislation, such as the annual defense policy bill, which the Senate will take up next month.
The committee also approved the Industrial Control Systems Cybersecurity Training Act – which would require CISA to create a free training program for cybersecurity professionals working with critical infrastructure – and the President’s Cup Cybersecurity Competition Act, a bill that would ensure that the cyber event takes place annually.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.