Senators introduce a bill to protect open-source software

When researchers discovered a vulnerability in the ubiquitous open-source log4j system last year that could’ve affected hundreds of millions of devices, the executive branch snapped into action and major tech companies huddled with the White House.

Now, leaders of the Senate Homeland Security and Governmental Affairs Committee are introducing legislation to help secure open-source software, first reported by The Cybersecurity 202. Chairman Gary Peters (D-Mich.) and top ranking Republican Rob Portman (Ohio) plan to hold a vote next week on the bill they’re co-sponsoring.

Open-source software — which volunteers can see, modify, build and maintain — is nearly everywhere, from the “Minecraft” video game to Apple iCloud to devices used in sectors ranging from health care to energy. 

The Peters/Portman legislation would direct the Cybersecurity and Infrastructure Security Agency to develop a way to evaluate and reduce risk in systems that rely on open-source software. Later, CISA would study how that framework could apply to critical infrastructure.

• The log4j “incident presented a serious threat to federal systems and critical infrastructure companies — including banks, hospitals, and utilities — that Americans rely on each and every day for essential services,” Peters said in a written statement. “This common-sense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.” 

An engineer working for Chinese tech firm Alibaba in November discovered the log4j bug, known as Log4Shell, and reported it to the Apache Software Foundation, which runs the project. In December, staff for the “Minecraft” video game reported the flaw in a version of the game that hackers could use to take over players’ computers, causing the problem to spill out into the public.

There was a pretty big government response.

• CISA briefed industry leaders, issued an emergency order for federal agencies to patch the issue and jointly published an alert with the FBI, National Security Agency and governments around the world.
• By January, the White House had brought in leaders from Apple, Microsoft and other major tech companies.
• The Senate homeland security panel held a hearing on it in February.
• That same month, the Federal Trade Commission warned companies to remediate the flaw or face potential legal action.

And yet, Log4Shell has not caused any known widespread damage so far.

• The Cybersecurity 202 previously explored some of the reasons for that; for example, attacks may have happened but gone unreported.
• CISA officials have since said that proved the effectiveness of a program to share information between agency and industry leaders.
• Another potential factor is that some industry pros have curtailed their use of open-source software — even though many believe open-source software to be broadly as secure as, or more secure than, closed-source software because more people are vetting it publicly.

That doesn’t mean Log4Shell doesn’t still pose risks. In July, the federal Cyber Safety Review Board called the log4j bug “endemic” and said it would pose a danger for decades. And House Energy and Commerce Committee members sought an update in August from agencies on how they were addressing the vulnerability.

“Log4j is one of the most serious software vulnerabilities in history,” Department of Homeland Security Undersecretary of Policy Robert Silvers said this summer. 

Here’s how the Peters-Portman legislation works:

• It directs CISA to hire open-source experts “to the greatest extent practicable.”
• It gives the agency a year to publish a framework on open-source code risk. A year later and periodically thereafter, CISA would perform an assessment of open-source code components that federal agencies commonly use.
• Also, two years after publishing the initial framework, CISA would have to study whether it could be used in critical infrastructure outside the government and potentially work with one or more critical infrastructure sectors to voluntarily test the idea.
• Other agencies would have roles as well, such as the Office of Management and Budget publishing guidance to federal chief information officers on secure use of open-source software.

Portman said the bill “will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

At least one notable cyber expert supports the legislation.

“If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software,” Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, said in a written statement.

Whatever comes of the Peters-Portman legislation in a Congress where there is still plenty of work to be done before the year ends, some of the potential fixes for what ails open-source software security fall outside the realm of government responsibility. 

Five dozen civil rights organizations pleaded with Facebook parent Meta, Twitter, TikTok and YouTube to bolster the content moderation systems that the civil rights organizations believe allowed Trump’s baseless claims about election rigging to spread, but with less than two months until midterm elections, members of the Change the Terms coalition say they’ve seen little in the way of a response from the companies, Naomi Nix reports. 

In memos, the coalition said Facebook parent Meta still allows posts supporting the idea that the 2020 election was stolen, Twitter’s ban on 2020 disinformation isn’t being consistently enforced and YouTube isn’t investing enough resources to fight problematic content in languages other than English.

“The comments by civil rights activists shed light on the political pressures tech companies face behind the scenes as they make high-stakes decisions about which potentially rule-breaking posts to leave up or take down in a campaign season in which hundreds of congressional seats are up for grabs,” Naomi writes. “Civil rights groups and left-leaning political leaders accuse Silicon Valley platforms of not doing enough to remove content that misleads the public or incites violence during politically cautious times.”

The social media companies defended their practices. 

• YouTube enforces its “policies continuously and regardless of the language the content is in, and have removed a number of videos related to the midterms for violating our policies,” YouTube spokeswoman Ivy Choi said in a statement.
• TikTok has responded to questions from the coalition and values its “continued engagement with Change the Terms as we share goals of protecting election integrity and combating misinformation,” TikTok spokeswoman Jamie Favazza said.
• Twitter is focused on promoting “reliable election information” and “vigilantly enforcing” its policies, Twitter spokeswoman Elizabeth Busby said. “We’ll continue to engage stakeholders in our work to protect civic processes.”
• Facebook spokesman Andy Stone declined to comment on the claims by the coalition, but he pointed to an August press release on how the company said it planned to promote accurate midterm election information.

A group of senators from both parties asked Director of National Intelligence Avril Haines to review the security threat posed by Apple’s plan to use memory chips from Chinese chipmaker YMTC in its new iPhone 14, Ellen Nakashima reports. 

Apple previously said YTMC chips aren’t used in its products and that it was “evaluating” whether to use the chips for some iPhones sold in China. All user data stored on such chips is “fully encrypted,” the company said. The company reiterated to The Post that it wasn’t planning to use the chips in iPhones sold in China. It declined to comment on the letter.

But the senators fear that the phones could make their way into the global market, according to a Senate aide who spoke on the condition of anonymity because they were not authorized to comment on the record.

“The senators also want Haines to look at what they said was YMTC’s role in aiding other Chinese firms, including the telecom equipment manufacturer Huawei, which is under strict U.S. export controls,” Ellen writes. “And they want her to examine YMTC’s alleged links to the Chinese military.”

The hackers, who called themselves “Homeland Justice,” had access to the Albanian government’s networks during that time and stole some emails, the FBI and CISA said. They eventually put ransomware on the networks, and when Albanian authorities began to respond, the hackers deployed malware intended to delete data from the networks.

Albania cut ties over the hack, and that marked the first time a government had made such an aggressive response to a cyberattack.

“In September 2022, Iranian cyber actors launched another wave of cyberattacks against the Government of Albania, using similar [tactics, techniques and procedures] and malware as the cyberattacks in July,” the FBI and CISA said in their report. “These were likely done in retaliation for public attribution of the cyberattacks in July and severed diplomatic ties between Albania and Iran.”