Major Tech, Financial Companies Pony Up $10M to Help Drive U.S. Cybersecurity Efforts
Working together to bolster the security of open source software for enterprises in the U.S. and around the world, a group of technology and financial companies has amassed $10 million in new investments to raise their game, particularly in the battle against devastating supply chain cyberattacks.
The money, which will come from companies including Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware, will be aimed at making open source software – which plays critical roles in business, the internet and more – even more secure.
The $10 million in new funding is being organized as a recurring annual investment in support of the Open Source Security Foundation (OpenSSF), which is a cross-industry group that brings together important open source security initiatives with the companies and developers that support them, according to the group. The OpenSSF, which launched in August 2020, is one of the many open source groups and initiatives hosted by The Linux Foundation. One of the most important goals of the group is to work with upstream and existing communities to advance open source security for the world.
The new funding was announced Oct. 13 (Wednesday) at the annual KubeCon North America conference, which is being held in Los Angeles and virtually. Additional funding will come from additional OpenSSF members Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift and Wind River.
This initial funding is in response to several recent Biden administration initiatives which aim to dramatically bolster the nation’s cybersecurity, particularly in light of a rash of serious and crippling malicious attacks on a wide range of public and private companies. In May, President Biden issued an executive order to modernize federal government defenses and improve IT security, while in July he issued a National Security Memorandum establishing voluntary cybersecurity goals that are outlined for owners and operators of critical infrastructure.
“While we have been tracking these issues for a while … the White House Executive Order highlighted specifically the importance of securing the software supply chain in improving the state of the nation’s and the world’s cybersecurity posture,” Brian Behlendorf, the creator of the Apache web server and the general manager of the OpenSSF community, told EnterpriseAI. “The group has been hard at work, establishing important projects like the Security Scorecard and the Best Practices badge, among others. Until now, though, there was no formal funding to underwrite this work.”
The first $10 million investment from the group’s donor companies will allow the OpenSSF to accelerate this work and apply it to a wider range of open source projects, said Behlendorf.
“Individuals and corporate volunteers will continue to be the bedrock of the community, but the additional funding will help us direct and focus their efforts better, build operational services that the open source community can depend upon, and direct funding towards closing specific security deficiencies in the open source ecosystem,” he said. “We want to accelerate work on open source security to dramatically improve the global software supply chain. OpenSSF gives us the necessary forum to host cross-industry collaboration to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices and vulnerability disclosure practices.”
The work within the OpenSSF includes improving developer tooling to make it easier to support a secure software supply chain, identifying critical projects based on how widely they are used and ensuring they have the resources to anticipate and respond to security challenges, as well as developing educational resources and best practices guides to raise the bar for secure software development practices among the wider open source community, said Behlendorf.
“These all started before today,” he said. “There is much more to do, and it is great to have the resources to go deeper … and to consider new ways we can tackle our mission.”
An important part of the new efforts will be to stay ahead of these types of attacks and the cybercriminals who lead them, said Behlendorf.
“We are just getting started,” he said. “The bad guys are constantly getting better at what they do, at finding new ways to compromise the open-source-based digital infrastructures we have built society upon. We have got to fight that, but that is not just about better software. We have to fight the cynicism so often aimed at efforts like this and realize there are lots of very practical things we can do – lots of low-hanging fruit – to make attacks more and more difficult and costly.”
That will involve better education in secure coding practices, better tooling and more use of memory-safe languages, while also working with the global open source community to improve processes and knowledge-sharing,” he added.
Jim Zemlin, the executive director of The Linux Foundation, told EnterpriseAI that this effort will be substantial and has been needed for some time.
“I have been tilting at this windmill since we raised money in response to [the] Heartbleed [security flaw] more than five years ago,” said Zemlin. “I want people to help raise the baseline for security in the open source communities they depend on. This is a perfect way for companies to ‘pay forward’ support for open source communities they depend upon every day albeit in an indirect way.”
The funding announced today is the first payment toward the “tip of a $10 billion spear that the industry has collectively thrown in the direction of this problem, in their commitments to governments,” said Zemlin. “We have already identified initiatives we will be fundraising for on top of this funding.”
These efforts to fight such battles will take time, he said.
“This is a long game,” said Zemlin. “Even if every initiative we undertake exceeds its goals, there will always be new angles to consider. So long as our community is committed to addressing those new challenges, we are here to enable that.”
In addition to providing the funding, the companies involved in the new efforts will continue with their contributions to the OpenSSF’s working groups and projects, whether through technical contributions, content, planning or otherwise, according to Zemlin. “Some will have deep technical expertise to bring to the table; others will simply want to contribute financial resources to improve the projects they care about or improve the state of open source software in general.”
The companies that are providing this first phase of the funding are running their operations on digital infrastructure and an abundance of open source software, like nearly every major enterprise in the world, said Zemlin. “Seventy percent of that software is open source, so they are inherently invested in the security of open source software across the supply chain. And because they have deep experience collaborating on the development and sustainability of open source software projects, they know and value the power of a collective effort. This problem is bigger than any one company and they get that.”
Software supply chain attacks have increased by about 650 percent and are having severe impacts on a wide range of business operations, according to an industry study, the “2021 State of the Software Supply Chain” from supply chain software vendor Sonatype, according to the OpenSSF.
In the wake of increasing security breaches, ransomware attacks and other cybercrimes tied to open source software, government leaders worldwide have been calling for wider private and public collaboration, the OpenSSF reported. Open source software makes up at least 70 percent of all software used by enterprises, according to the “2021 Open Source Security and Risk Analysis Report, which was sponsored by chip design vendor, Synopsys.
OpenSSF combines the Linux Foundation’s Core Infrastructure Initiative (CII), which was founded in response to the 2014 Heartbleed bug, with the Open Source Security Coalition, which was founded by the GitHub Security Lab. The goal of the combined organizations is to build a community to support the open source security for decades to come.