CISA director details plan to address security risks in open source software

The Cybersecurity and Infrastructure Security Agency is ramping up federal efforts to address security challenges associated with open source software, the director of the agency said on Thursday, with a focus on collaboration between government and industry. 

CISA Director Jen Easterly said the nation’s cyber defense agency was hiring an open source security lead and establishing new public-private sector initiatives through the Joint Cyber Defense Collaborative as part of an effort to “advance security for arguably one of the most important ecosystems that we have to power the federal government and critical infrastructure.

“We have a requisite investment in ensuring the security and the resilience and the sustainability of the open source ecosystem,” said Easterly at an Atlantic Council cybersecurity event.

The new JCDC project is focused on identifying and mitigating risks from open source software to industrial control systems, the CISA director added. Addressing open source software security risks was featured as a key priority in the JCDC’s planning agenda for 2023, which aims to develop “shoulder-to-shoulder approaches to confront malicious actors and significant cyber risks” for the federal government and its private sector partners. 

In addition to running the government's coordinated vulnerability disclosure program —

 which aims to offer simultaneous reporting and remediation of newly-identified vulnerabilities in software and technology products and services — Easterly said that CISA was also working with the Office of the National Cyber Director, the Office of Management and Budget and the Open Software Security Foundation to make progress on building software repositories and package managers. 

Those tools can be used hand-in-hand to provide secure and accessible software packages, while automating processes to ensure products and services have been regularly updated or, if necessary, removed from public libraries. 

“There is still an ability to download vulnerable – even malicious – code from” open source software libraries, she said, “so that’s incredibly important and something we’re trying to move the ball on this year.” 

CISA requested nearly $425 million in its fiscal 2024 budget to build a Cyber Analytics and Data System to serve as a single internal repository for its analysts and to help prevent breaches before they occur. The agency has also been working with OMB to develop a standardized self-attestation form for software providers to confirm their technology complies with supply chain security standards.