Top lawmaker asks White House to address open-source software risks


A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.

“Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Ark., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.

Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils backdoor, in which a malicious maintainer inserted a backdoor into a widely used compression library; a Russian developer’s control of a package that the U.S. military uses for sensitive applications; and the prevalence of code contributions by employees of Chinese companies, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.

“State-sponsored software developers and cyber espionage groups have started to exploit this communal environment, which assumes that contributors are benevolent, to insert malicious code into widely used open source codebases,” Cotton wrote.

Cotton asked Cairncross to “take steps to build up the federal government’s capability to maintain awareness of provenance and foreign influence on OSS and track contributions from developers in adversary nations.”

The Office of the National Cyber Director (ONCD) did not immediately respond to a request for comment on Cotton’s letter. ONCD is helping the White House develop President Donald Trump’s new national cyber strategy, but it remains unclear if OSS will play a role in the strategy.

Longtime area of concern

U.S. policymakers have been worried for years about the nation’s dependence on open-source software, much of which is maintained by small numbers of overworked, often unpaid volunteers. The letter from Cotton, one of Congress’s senior-most national-security-focused lawmakers, reflects a fear in Congress that the government hasn’t done enough to shore up the open-source ecosystem.

The recent uproar around a critical vulnerability in the React open-source library could further heighten those concerns.

During the Biden administration, the Department of Homeland Security pledged to invest $11 million in open-source security. The national cyber director at the time said the government, which is a major user of open-source code, considered it “vital” to “contribute back to the community.”

It remains unclear whether ONCD will maintain its Biden-era commitment to open-source security as one of its top priorities. Private-sector pressure could be a determining factor — the tech industry has spent years encouraging the government to match the industry’s level of investment in open-source software.
