Biden administration officials will meet with key software developers and major tech firms like Apple and Google on Thursday to discuss ways of making open-source computer code more secure after a critical vulnerability emerged last month that US officials said could have affected hundreds of millions of devices worldwide.
The virtual meeting, which will be attended by officials from the White House, the Defense Department, the Department of Homeland Security and other departments and agencies, will focus on “what has worked and what else can be done to secure the open-source software that we all fundamentally rely on,” a senior administration official told reporters.
The guest list includes executives from Amazon, Facebook parent company Meta, IBM and Microsoft, among other businesses, along with the Linux and Apache open-source software organizations, according to the White House. Open-source software is publicly accessible code that users across the internet can inspect and modify in the name of collaboration.
Analysts say those two non-profits, the Linux and Apache organizations, are crucial to tackling the problem because countless software products sold by the world’s biggest tech firms rely on the open-source code they steward.
The Apache Software Foundation, which is run by volunteers, manages Log4j, hugely popular software that organizations use to log data in their applications. The public disclosure of an easy-to-exploit bug in Log4j in December set off a race between hackers trying to break into vulnerable systems and corporations and government agencies trying to plug the hole.
To date, the impact of the vulnerability has not been as severe as some feared. US officials say there is no evidence that federal agencies have been breached using the Log4j flaw. But officials also warn that it could be months before they know the full scope of the impact of the bug, given how widely used the software is.
In a briefing with reporters Monday, Jen Easterly, head of DHS’ Cybersecurity and Infrastructure Security Agency, pointed to the 2017 hack of credit reporting agency Equifax as a cautionary tale.
The breach, which compromised the data of about 145 million US consumers, did not become public until September 2017 but was carried out using a flaw in open-source software that was discovered in March of that year. The Justice Department in 2020 accused four Chinese military officials of carrying out the hack to steal trade secrets and for espionage purposes.
The Federal Trade Commission warned US companies in a news release this month to address the Log4j vulnerability in order to “reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The agency cited the 2017 Equifax breach, after which the credit reporting agency had to pay about $700 million to settle legal actions brought by the FTC and US states.
“As a society, we need to fund critical open-source projects [that] technology providers rely on and make us all vulnerable when vulnerabilities are found,” said Chris Wysopal, a former member of an influential hacking collective that warned Congress about the inherent vulnerabilities of the internet in 1998.
“I hope that the White House invited members of the Apache Group or other prominent open-source maintainers so they could hear about the struggles these volunteer teams have and resources they could use the most,” Wysopal, who is now chief technology officer at the cybersecurity firm Veracode, told CNN.