Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, have proposed a bill with the intent to strengthen the U.S. government’s security defenses against open source software vulnerabilities.
The introduction of the Securing Open Source Software Act was prompted by the discovery of a vulnerability in the Log4j logging platform, which exposed federal systems and critical infrastructure to remotely executable malicious attacks, the Senate Homeland Security and Governmental Affairs Committee said Thursday.
The legislation would direct the Cybersecurity and Infrastructure Security Agency to establish a risk framework that could be voluntarily utilized by government entities and critical infrastructure owners and operators that use open source systems.
Under the bill, CISA would commission a team of IT experts to facilitate a collaborative response between the government and the open source community in cases such as the Log4j vulnerability.
It will be the first legislation to codify open source software as public infrastructure, said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Laboratory. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software,” he added.
Peters is chairman and Portman the ranking member of the committee, which convened a hearing in February on the Log4j incident. It was deemed one of the most severe and widespread cybersecurity risks to date.