The top Democrat and Republican on the Senate Homeland Security Committee have introduced new legislation aiming to protect open-source software from cyberattacks while evaluating how federal agencies throughout the government are using open source code.
The Securing Open Source Software Act would provide a series of new directives for the Cybersecurity and Infrastructure Security Agency to hire open-source experts and develop a framework to assess open-source code risks within one year.
The nation's cyber defense agency would also be tasked with conducting annual government-wide monitoring of open-source code components, and studying whether its new open-source risk framework could be applicable to the private sector and critical infrastructure industries within two years of the framework's publication.
The legislation is a response to the havoc wreaked by the Log4Shell security flaw – a vulnerability discovered last year in the popular Log4j open source logging service. The flaw affected millions of computers and still poses serious risks to unpatched networks.
In statements announcing the newly introduced legislation, Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (R-Ohio) said the software flaw exposed serious vulnerabilities within many of the networks and critical infrastructure systems Americans rely on for essential services.
"Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it," Peters said. "This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation."
Peters also said the new bill will help ensure the government "anticipates and mitigates security vulnerabilities in open source software to protect Americans' most sensitive data."
Under the legislation, the Office of Management and Budget would be responsible for issuing guidance on the secure usage of open source software, and the CISA Cybersecurity Advisory Committee would gain a new subcommittee dedicated to software security.