Advanced Computing in the Age of AI | Wednesday, June 19, 2024

U.S. Cyber Effort Targets Open Source Software 

A growing list of cyber attacks targeting U.S. government employees has prompted the Obama administration to launch a high-profile cyber security effort that among others things will target Internet "utilities" such as open source software.

The Cybersecurity National Action Plan announced by the White House on Tuesday (Feb. 9) as part of its annual budget submission to Congress gives the Internet and its components equal status with other critical infrastructure. The initiative responds to massive data breaches such as last year's hack of the Office of Personnel Management. The personal data of 21.5 million federal employers may have been stolen in the breach.

President Obama's budget request includes $3.1 billion Information Technology Modernization Fund to overhaul government agency's often-outdated IT infrastructure. For example, the U.S. Internal Revenue Service (IRS) was forced to suspend electronic filing of federal tax returns last week after a hardware failure.

(The website Ars Technica reported this week that the IRS was hit by a malware attack that garnered more than 100,000 Social Security numbers.)

According to a White House fact sheet on the new cyber effort, "The Administration is requiring agencies to identify and prioritize their highest value and most at-risk IT assets and then take additional concrete steps to improve their security."

The initiative also would expand the Department of Homeland Security's intrusion detection system dubbed EINSTEIN for use across all civilian government agencies. The system monitors network gateways for unauthorized traffic.

The fiscal 2017 budget request also includes $62 million for training "cyber security personnel." Overall, the budget request includes $19 billion to boost government cyber security efforts.

The initiative also acknowledges expanding use of open source software in critical infrastructure. The White House said this week its cyber initiative would include collaboration with the Linux Foundation's Core Infrastructure Initiative, which includes a certification program and development tools designed to promote secure coding practices.

The effort also includes a "badge program" organizers said would provide guidelines for securing open source software while "ensuring that new projects depend only upon the healthiest open source projects, thus improving our global Internet infrastructure."

The administration will "work with organizations such as the Linux Foundation’s Core Infrastructure Initiative to fund and secure commonly used internet 'utilities' such as open-source software, protocols, and standards."

As banks, retailers and social media giants embrace open source software, groups like the Linux Foundation acknowledge that little has been done to support development efforts for software used for critical network infrastructure.

The Linux Foundation initiative was launched 18 months ago in response to the Heartbleed bug, the vulnerability in the OpenSSL cryptographic library. It also responds to the "chronic underinvestment that has endangered core Internet technologies," Jim Zemlin, executive director of the Linux Foundation, noted in a blog post.

"Many of those technologies are open source software projects developed by one or a handful of developers that have over time become the essential infrastructure of the Internet and modern commerce," Zemlin added.

Meanwhile, the founder of the Linux kernel that underpins the growing open-source movement stressed last year that cyber security remains an uphill battle. "Security is [about software] bugs," Linus Torvalds told an industry forum last summer. "Most of the security issues related to open source development have been "completely stupid bugs that no one really would have thought of as having security issues."

Added Torvalds: "You're never going to get rid of bugs [and] security is never going to be perfect." The alternative is trying to "mitigate them by having multiple layers of security so that if you have only one component [with a bug] the next component will catch it."

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).