White House hosting tech giants on Open-source software security


The White House is hosting leading tech companies, along with a number of relevant government agencies, to discuss ways to improve security for open-source software libraries, with senior administration officials calling it a key national security concern. There are representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, Red Hat and VMware, among others.

They'll discuss how private-public collaboration could drive improvements to security.

Senior software experts from leading organizations, including the Departments of Commerce and Homeland Security, the Pentagon, the Cybersecurity and Infrastructure Security Agency, the Department of Energy, and more, will be among the business leaders at the White House.

Anne Neuberger, a deputy national security adviser for cyber and emerging technologies, is expected to host the meeting.

A senior administration official told Fox Business that the meeting was intended to focus on President Biden's executive order on cybersecurity. That order put a focus on software security and spurred a number of efforts across the U.S. government and the private sector.

The administration anticipates additional discussions with the companies and other organizations that are not represented, according to the official. The White House invited major software companies and developers to talk about initiatives to improve open-source security.

The fact that it is widely used and maintained by volunteers is a key national security concern, as we are experiencing with the Log4j vulnerability, a senior administration official said.

The official said that recent incidents, including the SolarWinds hack, were a reminder that strategic adversaries are actively exploiting vulnerabilities for malicious purposes, and that is essential to national and economic security. A vulnerability in software known as Log4j was discovered last month by officials, which they said presents an urgent challenge to network defenders, given its broad use. The Log4j flaw lets internet-based attackers take control of everything from industrial control systems to web servers and consumer electronics. It is a challenge to identify which systems use the utility, as it is often hidden under layers of other software.

The affected software, written in the Java programming language, logs user activity. It is highly popular with commercial software developers because it is managed by a handful of volunteers under the auspices of the open-source Apache Software Foundation. It runs across many platforms — Windows, Linux, Apple's macOS — powering everything from webcams to car navigation systems and medical devices, according to Bitdefender.

CISA officials said that the vulnerability poses a serious risk and that private sector organizations should work with the federal government to take action.