White House, CISA call for help with security of open source software
LAS VEGAS — The White House and a handful of government agencies on Thursday called for experts to help them create policies around the cybersecurity of open source software and promote the use of more secure programming languages.
Since the National Cybersecurity Strategy was published earlier this year, government officials have launched a multi-pronged effort to move beyond bolted-on cybersecurity services and tools while focusing on deeper root causes of cyber instability.
For months, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies have focused on practical solutions developers and manufacturers can use to make software and products secure by design, rather than forcing overworked individuals, small businesses and local governments to pore through cybersecurity manuals or spend thousands on cybersecurity products.
On Thursday, the White House’s Office of the National Cyber Director (ONCD) coordinated with CISA, the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) to publish a Request For Information (RFI) on open source software security and memory safe programming languages.
Calls for better open source software security have only grown over the last two years since the Log4j vulnerability caused international headlines and became one of the go-to vulnerabilities exploited by both criminals and nation-states.
There has also been movement – predominantly from CISA and ONCD – to shift the cybersecurity onus onto developers, with particular focus on products built in programming languages that are inherently memory unsafe.
“In addition to its many benefits, the ubiquity of open-source software in commercial products, government systems, and military platforms presents unique security risks,” according to the White House, which established the interagency working group Open-Source Software Security Initiative (OS3I) that found several areas where effort could be made to improve protections. The agencies are now calling for the public and private sector to contribute their opinions to the process as leaders on the federal level develop initiatives and action plans to “strengthen the open-source software ecosystem.”
Black Hat discusses the effort
The RFI and the larger initiative of promoting the use of memory safe languages was a major topic of discussion at the Black Hat security conference in Las Vegas on Thursday.
Kemba Walden, acting director of ONCD, gave a keynote speech where she discussed the need for a drastic shift in how the U.S. government approaches cybersecurity.
Kemba Walden speaking at the Black Hat conference on Thursday.
“We’ve been doing the same things over and over again. We have made some great progress, but what we’ve noticed is that we’ve allowed cybersecurity to resolve to those who are least capable,” she said, telling the crowd a story of her fears about her children using her devices to play Minecraft and causing a national security crisis.
“We need to figure out what our policy solutions are to rebalance things, to make sure that those who are more capable of bearing cybersecurity risk have the ability to bring down risk. I’m talking about producers, cloud service providers, large companies – even not large companies that really are key to technology – and the federal government. Those of us that are more capable to be able to buy down cybersecurity risk.”
She noted that some experts believe more than 90% of the technology used by the federal government relies on open source software in some way – making it a national security imperative for government leaders to find ways to promote better practices.
One effort, she explained, is the promotion of memory safe programming languages – which include languages like Rust, Go, and Python.
Memory safe languages prevent entire classes of vulnerabilities from existing – many of which allow hackers to access data or delete information.
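As an added illustration that is not part of the article, the Rust function below parses a length-prefixed record, the kind of input-handling code where a memory-unsafe language lets a lying length field read past the buffer and leak adjacent data. The wire format and the sample records are constructed for this example.

```rust
// Added example (not from the article): a length-prefixed record parser in Rust.
// Wire format (constructed for this example): [len: u16 big-endian][payload: len bytes].
// In a memory-unsafe language, trusting `len` and copying that many bytes out of the
// buffer is the classic over-read that leaks whatever sits next to it in memory.
// In Rust the same mistake cannot silently read out of bounds: checked slicing
// returns None, and plain indexing panics instead of handing back foreign memory.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,          // fewer than 2 bytes: there is no length field at all
    LengthExceedsData, // declared length runs past the end of the buffer
}

/// Returns the payload bytes, or an error if the declared length is not backed by data.
pub fn parse_record(buf: &[u8]) -> Result<&[u8], ParseError> {
    // Read the 2-byte length field with a checked slice rather than `buf[0..2]`.
    let len_bytes = buf.get(0..2).ok_or(ParseError::TooShort)?;
    let declared = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    // `get` performs the bounds check an unsafe language leaves to the programmer;
    // a record that claims more bytes than it carries is rejected, not over-read.
    buf.get(2..2 + declared).ok_or(ParseError::LengthExceedsData)
}

/// Counts how many records in a batch fail validation (handy for a quick check).
pub fn count_rejected(records: &[&[u8]]) -> usize {
    records.iter().filter(|r| parse_record(r).is_err()).count()
}

fn main() {
    // Constructed inputs: a well-formed record and one that lies about its length.
    let good: &[u8] = &[0x00, 0x05, b'h', b'e', b'l', b'l', b'o'];
    let lying: &[u8] = &[0xFF, 0xFF, b'h', b'i']; // claims 65535 bytes, carries 2
    println!("{:?}", parse_record(good));
    println!("{:?}", parse_record(lying));
}
```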
“Here's what we want to understand. 95% of our technology relies on open source. How do we make it more secure is the fundamental question. How do we influence, encourage, require memory safe languages. Help us make smart policy about how to make open source technology more secure,” she said before mentioning a report on the Log4j vulnerability.
“How do we make open source software secure by design? Why are we using languages that are not safe? I need to understand from this community how to do that, how do you make policy that is holistic, that is actionable in order to encourage that?”
The RFI was addressed in another session run by CISA officials Bob Lord and Jack Cable.
The two gave a lengthy presentation comparing cybersecurity to the automobile industry, noting that in the early days of vehicles, attempts were made to offer add-on products that could make already-dangerous vehicles safe.
The products rarely worked, and before long U.S. officials set up bureaus to regulate the industry and outright ban lines of vehicles that were inherently untrustworthy.
“Two thirds of vulnerabilities in memory unsafe languages today are caused by memory safety vulnerabilities. That can be eliminated essentially by shifting to memory safe languages. Now again, there's going to be trade offs here because it's not a cheap task to go and rewrite your code in memory safe languages,” Cable said.
“But once you do that, you're done and you can reap the security benefits. So for instance, if you're a company designing a new product today, it makes a lot of sense to build that product in a memory safe language because you eliminate so many vulnerabilities just off the bat.”
Lord added that the effort went hand-in-hand with the larger initiative of moving the culpability of cyberattacks and breaches away from victims and toward the software manufacturers that develop inherently dangerous tools.
The government is trying to make sure that the “tech giants are doing their part to eliminate entire classes of vulnerability,” he explained.
“We want to make sure that we have vigorous conversations about how we can democratize [risk]. We want to make sure that it's not the literal top 1% of software development houses that can make sure that they eliminate memory safety vulnerabilities that can eliminate input sanitization problems,” Lord said. Cable went on to explain that open source is a public good, and as a public good, the government can play a role in making sure the ecosystem is as secure as possible so that everyone can depend on it.
CISA, he added, is promoting the RFI because they want the cybersecurity community to tell them where to focus their efforts. Cable questioned whether the federal government should be looking to help rewrite popular open source components in memory safe programming languages or beef up developer education.
“The federal government is one of the largest if not the largest user of open source software in the world. We have a responsibility to make sure that the code that we get so much benefit from is something we're also contributing to as well.”
Veracode co-founder Chris Wysopal, a longtime cybersecurity expert who contributed to the National Cybersecurity Strategy, told Recorded Future News that the emergence of artificial intelligence has made it imperative that the federal government act quickly, as the time to fix security issues will need to fall precipitously to keep up with the increase in automated attacks.
“When it comes to encouraging the adoption of memory-safe programming languages, incentivizing it is difficult, especially for mature OSS projects. Getting new projects on board with this is a good start. It should be an exception to start a project in a non-memory-safe language, but I don't think that is the biggest problem,” he said.
“The problem is getting critical attack surface components rewritten in memory-safe languages. Microsoft rewrote their Simple Mail Transfer Protocol gateway for exchange in C#. There are IoT toolkits that have libraries for auto-update and remote management written in Rust. Incentivize finding the critical areas of code and replacing them with memory-safe languages. Software labeling could be used to disclose if a product uses memory-safe languages or what portion of the product does.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.