This week, the IST team submitted a response to a request for information (RFI) from the Office of the National Cyber Director (ONCD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Office of Management and Budget (OMB) on areas of long-term focus and prioritization in open-source software security. Requests for Information are the government’s way of eliciting feedback from stakeholders as they develop new rules and regulations; given IST’s mission to bridge the gap between technologists and policymakers, we see requests for information as one crucial way to achieve this aim.
This RFI requests input on the direction of future efforts by ONCD’s Open-Source Software Security Initiative (OS3I), which will heavily influence the future of the open-source software ecosystem. IST drew on our breadth of experience across our Future of Digital Security and Innovation and Catastrophic Risk pillars, as well as our knowledge of cybersecurity, the open-source software ecosystem, and artificial intelligence in responding to this RFI.
IST’s work on open-source software in particular has been ongoing since January 2022, when, in the aftermath of the Log4j vulnerability, we noted that many of the challenges present with its management and mitigation seemed to be structural rather than event-specific. In April 2023, IST released its seminal report Castles Built on Sand, putting forward a series of recommendations towards securing the open-source software ecosystem, relying on feedback from peer reviewers and drawing on insight gained from our initial research into the Log4j vulnerability.
Open-source software is a key enabler of software, products, and service development, and a driver of innovation in the industry. However, uncertainty around open-source software liability and responsibility, a lack of incentives for security by design, and inadequate support for open-source developers and consumers make open-source software especially vulnerable to attacks. For this reason, IST calls for prioritizing secure open-source software foundations, sustaining open-source software communities and governance, and developing behavioral and economic incentives to secure the open-source software ecosystem.
In our response, we recommend incorporating automated development to track security issues identified in open-source software libraries, designing tools to enable secure, privacy-preserving security attestations from software vendors, and creating a database of products known to contain vulnerable dependencies. Further, IST calls for shifting open-source software security to a shared responsibility model, and revisiting existing structures of liability around vulnerability management and mitigation. We suggest the U.S. government make shifting the economic incentive structure around open-source software development and proliferation a priority, as existing market incentives allow developers to treat security as an afterthought.
We look forward to supporting the initiation of OS3I and eagerly anticipate the ONCD’s next steps in progressing open-source software security. At IST, we will continue to engage in this field and socialize our recommendations with both industry and government stakeholders.
- Which of the potential areas and sub-areas of focus described below should be prioritized for any potential action? Please describe specific policy solutions and estimated budget and timeline required for implementation.
Of the potential areas of focus outlined below, we recommend prioritizing securing open-source software foundations, sustaining open-source software communities and governance, and developing behavioral and economic incentives to secure the open-source software ecosystem.
- To begin securing open-source software foundations, we encourage:
  - Strengthening the software supply chain, specifically by incorporating automated tracking and updates of complex code dependencies, and designing tools to enable secure, privacy-preserving security attestations from software vendors, including their suppliers and open-source software maintainers. It is important that developers build these tools with automated identification of upstream and downstream integrity risks in mind.
  - The U.S. government should also create a database of products known to contain vulnerable dependencies. A number of private sector companies are working on similar projects, such as Snyk’s vulnerability database, but a central repository is critical to the government’s ability to map the state of vulnerabilities in the open-source ecosystem and begin to identify technical and policy solutions to reduce or eliminate these vulnerabilities and prevent their recurrence.
  - Further, the U.S. government could use artificial intelligence (AI) to identify vulnerabilities and other issues at scale to further illuminate the ecosystem. AI could also be leveraged to aid in making software documentation more accessible, and empower developer and consumer education.
  - We also advocate for reducing entire classes of vulnerabilities at scale, specifically by identifying methods to incentivize scalable monitoring and verification efforts of open-source software by voluntary communities and/or public-private partnerships. We encourage support for research into promising new methodologies to identify and monitor vulnerabilities, and the creation of tools to make these efforts more accessible and scalable. In particular, we encourage the U.S. government to marry this effort with the aforementioned efforts to strengthen the software supply chain, including by developing parallel tools and approaches for finding vulnerabilities, and populating a database of known vulnerable software.
- Next, we encourage the U.S. government to focus on sustaining open-source software communities and governance.
  - In particular, we advocate for shifting open-source software security to a shared responsibility model, and revisiting existing structures of liability around vulnerability management and mitigation.
  - Further, we commend the U.S. government for its stated goal to sustain the open-source software ecosystem (including developer communities, non-profit investors, and academia) to ensure that critical open-source software components have robust maintenance plans and governance structures. This maintenance and governance can draw from not only domestic expertise, but also the international cybersecurity community.
- Finally, we suggest that the U.S. government focus on developing behavioral and economic incentives to secure the open-source software ecosystem.
  - In particular, we encourage a focus on developing frameworks and models for software developer compensation that incentivize secure software development practices, and further incentivize and support secure operational practices within open-source projects. Achieving security by design and managing incidents requires operational skill sets in combination with software development talent.
  - We also encourage the U.S. government to assess applications of cybersecurity insurance and appropriately-tailored software liability as mechanisms to incentivize secure software development and operational environment practices.
  - Finally, we encourage the U.S. government to leverage federal procurement to incentivize secure software development, and encourage SBOM adoption at scale.
- What areas of focus are the most time-sensitive or should be developed first?
We encourage the U.S. government to focus first on developing a centralized database of known vulnerabilities, along with tools and approaches to identify vulnerabilities at scale. It is critical to first understand the scale and scope of the open-source ecosystem and its associated security issues before identifying opportunities to increase its security.
We also encourage the U.S. government to reassess the incentive structure for those incorporating open-source code at scale in order to begin shifting the ecosystem toward a sustainable, shared, secure by design model.
At the same time, the U.S. government should continue to advance CISA’s Principles and Approaches for Security-by-Design and -Default so that products coming to market do not compound the vulnerabilities identified through the first priority identified above.
- What technical, policy or economic challenges must the Government consider when implementing these solutions?
The open-source community is composed largely of volunteer developers and corporate actors with overlapping and differing agendas. A key challenge in implementing solutions to secure the open-source software ecosystem will be ensuring solution design and implementation includes all stakeholders in the ecosystem. Identifying champions in the open-source community that can represent its views and empower them in identifying and implementing solutions is of critical importance to ensure solutions are both effective and feasible.
Further, different open-source stakeholders have differing agendas, which may complicate efforts to implement solutions. For example, our recommendation that the U.S. government create a centralized database of known vulnerabilities may be complicated by the fact that companies are able to freely consume and adapt open-source code, making it difficult to track even known vulnerable code. For this reason, it is critical that the U.S. government reassess the economic incentive structure around leveraging open-source code such that corporate actors recognize that it is in their organization’s best interest to ensure the security of open-source components in their products and services.
Actions to support or provide security to the ecosystem should be neutral in the agendas they work to uphold, and should center around the open-source community in order to ensure solutions are both effective and feasible.
- Which of the potential areas and sub-areas of focus described below should be applied to other domains? How might your policy solutions differ?
Of the potential areas and sub-areas of focus described in this RFI, several are applicable to efforts to secure artificial intelligence at scale. First, strengthening the AI supply chain to ensure secure by design practices will be critical to maintaining the security of products and services as AI is integrated at scale. Designing tools to enable secure, privacy-preserving security attestations from AI vendors including their suppliers and maintainers will be an important step in the right direction. Further, identifying methods to incentivize scalable monitoring and verification efforts in the AI space by voluntary communities and/or public-private partnerships will become increasingly necessary to ensure the security of artificial intelligence.
Finally, a focus on shifting the economic incentive structure around AI development and proliferation should be a U.S. government priority. Existing market incentives allow developers to treat security as an afterthought, and encourage widespread proliferation of cutting edge technologies before a clear understanding of the associated risks can be developed and understood. Without re-assessing these incentive structures, it will be extremely difficult to ensure the security of products and services that integrate AI tools at scale.