Bipartisan legislation aims to make open source public infrastructure
WASHINGTON, D.C. – New bipartisan legislation introduced on Sept. 22, 2022, seeks to protect critical infrastructure through strengthening the security of open source software (OSS).

The Securing Open Source Software Act (SOSSA) was introduced by Senators Rob Portman (R-OH) and Gary Peters (D-MI), alongside members of the Homeland Security and Governmental Affairs Committee, as a means of strengthening the security of open source software in light of serious security incidents. In particular, they cite the Log4j incident last December that sent security experts scrambling to secure millions of vulnerable systems.

“Open source software is the bedrock of the digital world and the Log4j vulnerability demonstrated just how much we rely on it. This incident presented a serious threat to federal systems and critical infrastructure companies – including banks, hospitals, and utilities – that Americans rely on each and every day for essential services,” said Senator Peters. “This commonsense, bipartisan legislation will help secure open source software and further fortify our cybersecurity defenses against cybercriminals and foreign adversaries who launch incessant attacks on networks across the nation.”

Open source software is a critical element of our connected, modern technological world. Browsers like Firefox and operating systems like Linux are open source, and many platforms and programs, such as Zoom and Microsoft products, incorporate open source components. The sponsors hope SOSSA will keep the government ahead of the curve in recognizing and removing risks and exploitable flaws in critical open source code.

“As we saw with the Log4Shell vulnerability, the computers, phones, and websites we all use every day contain open source software that is vulnerable to cyberattack,” said Senator Portman. “The bipartisan Securing Open Source Software Act will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”

SOSSA would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk framework and evaluate the government's use of open source code, and in doing so identify ways to mitigate risk in critical systems. In addition, it would require the Office of Management and Budget (OMB) to issue guidance on the secure use of OSS and would establish a subcommittee on the CISA Cybersecurity Advisory Committee.

“This important legislation will, for the first time ever, codify open source software as public infrastructure,” said Trey Herr, Director of the Cyber Statecraft Initiative at the Atlantic Council's Scowcroft Center for Strategy and Security. “If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software. I am encouraged by the leadership of Senators Peters and Portman on this issue.”

The full text of the introduced bill can be read at