Senators Introduce a Bill To Protect Open-Source Software

An anonymous reader quotes a report from the Washington Post: When researchers discovered a vulnerability in the ubiquitous open-source log4j system last year that could've affected hundreds of millions of devices, the executive branch snapped into action and major tech companies huddled with the White House. Now, leaders of the Senate Homeland Security and Governmental Affairs Committee are introducing legislation to help secure open-source software, first reported by The Cybersecurity 202. Chairman Gary Peters (D-Mich.) and top ranking Republican Rob Portman (Ohio) plan to hold a vote next week on the bill they're co-sponsoring.

The Peters/Portman legislation would direct the Cybersecurity and Infrastructure Security Agency to develop a way to evaluate and reduce risk in systems that rely on open-source software. Later, CISA would study how that framework could apply to critical infrastructure. The log4j 'incident presented a serious threat to federal systems and critical infrastructure companies -- including banks, hospitals, and utilities -- that Americans rely on each and every day for essential services,' Peters said in a written statement. 'This common-sense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.' Here's how the Peters-Portman legislation works, as outlined in the report:
- It directs CISA to hire open-source experts 'to the greatest extent practicable.'
- It gives the agency a year to publish a framework on open-source code risk. A year later and periodically thereafter, CISA would perform an assessment of open-source code components that federal agencies commonly use.
- Also, two years after publishing the initial framework, CISA would have to study whether it could be used in critical infrastructure outside the government and potentially work with one or more critical infrastructure sectors to voluntarily test the idea.
- Other agencies would have roles as well, such as the Office of Management and Budget publishing guidance to federal chief information officers on secure use of open-source software.

Read more of this story at Slashdot.