After the log4j security breach was exposed, the White House convened executives from several tech giants to discuss how to improve the security of open source software behind everything from consumer electronics to large industrial systems. The White House revealed that the participants included representatives of Apple, Google, Microsoft and other companies, and engaged in substantive and constructive discussions with them. Similar discussions will continue in the coming weeks.
Infographic (via White House)
The Log4j vulnerability that came to light last month uncovered a huge security risk in the popular open source Java logbook Apache Log4j. If not fixed in time, cyber attackers can use this to make waves on the Internet.
As for Thursday's White House discussions, they focused on how to prevent security vulnerabilities in open source software, how to improve the process of finding and fixing bugs, and how to speed up the patching process.
Business executives in attendance made valuable comments and pledged to work with the government to improve the security of open source software.
(Screenshot viaNIST)
Jamie Thomas, general manager of strategy and development at IBM Systems, said in a post-meeting statement:
All types of software face threats from cybercriminals and malicious actors. And in many ways, open source software is inherently transparent and more secure than proprietary software.
Kent Walker, president and chief legal officer of google's global affairs, emphasized:
As the main point of connection in the online world, it's time to start treating digital infrastructure as a road and a bridge that deserves just as much money and attention.
Red Hat, one of the largest open source software companies, sent three executives to the meeting and issued a statement calling on open source and proprietary software manufacturers to maintain greater "visibility" of their products, take responsibility for the entire life cycle, and publish relevant security data.
(Screenshot viaCISA)
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), added: "The scope of the Log4j problem has spread to tens of millions of connected devices, making it a serious problem he has never seen in his career.
As of Monday, no federal agency had reported breaches and no major cyberattacks in the United States. Most exploit attempts are said to revolve around lower-level cryptocurrency mining, or incorporating devices into the side of a botnet.
Finally, senior White House officials who attended Thursday's meeting included Chris Inglis, director of national networks, Anne Neuberger, deputy national security adviser on cyber and emerging technologies, and representatives of federal agencies such as the Department of Homeland Security, CISA and Department of Defense.
Other participating tech companies include Akamai, Apache Software Foundation, Cloudflare, Meta (formerly Facebook), GitHub, Linux Foundation, Open Source Security Foundation, Oracle, RedHat, and VMWare.