Senate Intel chair urges national cyber director to safeguard against open-source software threats

Senate Intelligence Committee Chairman Tom Cotton is raising the spectre of foreign adversaries playing too heavy a role in open-source software, and asking the national cyber director to counter the risks.

The Oklahoma Republican wrote to National Cyber Director Sean Cairncross Thursday, saying he was concerned about reports that “state-sponsored software developers and cyber espionage groups have started to exploit this communal environment, which assumes that contributors are benevolent, to insert malicious code into widely used open source codebases.”

Cotton cited last year’s alarms about a shadowy suspected nation-state hacker, Jia Tan, inserting a backdoor into a beta version of the compression utility XZ Utils. He also noted that a Russia-based developer is the sole maintainer of a piece of open-source software (OSS) used in Defense Department software packages, and pointed to reports that Chinese tech companies Alibaba and Huawei are among the top OSS contributors.

“As the Office of the National Cyber Director holds responsibility for coordinating implementation of national cyber policy and government-wide cybersecurity, you are well-positioned to lead the U.S. government in addressing this cross-cutting vulnerability,” Cotton wrote. “I respectfully request that you take steps to build up the federal government’s capability to maintain awareness of provenance and foreign influence on OSS and track contributions from developers in adversary nations.”

Cotton’s letter adds to warnings from the Hill this year about the risks that Chinese involvement in open-source tech poses, following a letter from the House select committee on China on the subject to Biden-era Commerce Secretary Gina Raimondo. Legislation designed to improve open-source cybersecurity didn’t advance in the Senate after leading lawmakers introduced it in 2023.

The senator noted that open-source software is part of critical government and defense systems. Defense Secretary Pete Hegseth in July ordered the Pentagon’s chief information officer to take steps to guard against foreign influence in department technology.

“The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department,” he wrote.

At the same time, a Trump administration executive order this year puzzled experts by deleting language from a previous Biden administration executive order emphasizing the importance of open-source software.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003.