Senate Intel Chair Highlights Risks Associated with Open-Source Security


Top Lawmaker Urges Review of Foreign Influence in Open-Source Software


The chairman of the Senate Intelligence Committee has called on the White House to address what he identifies as a significant national security risk arising from the open-source software ecosystem. This appeal comes in light of growing concerns that foreign adversaries, particularly from China and Russia, are exploiting the inherently trust-based nature of open-source development to introduce malicious code into critical software used across government networks.

In a recent letter to National Cyber Director Sean Cairncross, Senator Tom Cotton, R-Ark., expressed alarm at the potential vulnerabilities created by unregulated reliance on open-source software (OSS). “OSS serves as the backbone of U.S. military and government systems,” Cotton noted, emphasizing both its advantages and the risks that accompany its use without oversight.

Senator Cotton’s letter referenced the discovery of a backdoor within XZ Utils, a widely used compression library for Linux. The backdoor, reportedly inserted by a developer named Jia Tan, followed an elaborate two-year effort to win the trust of the utility’s maintainer. The incident illustrates how adversaries can cultivate trust before executing attacks capable of compromising an entire software supply chain.

Concerns extend to foreign operatives exploiting vulnerabilities in software used by the Department of Defense (DoD). Cotton singled out as particularly troubling a Russian developer who oversees the fast-glob component, which is integrated into various DoD applications. He further pointed out that major Chinese companies, such as Alibaba and Huawei, rank among the top contributors to open-source projects globally, raising concerns about potential influence over U.S. cybersecurity.

The senator urged a proactive stance from the Office of the National Cyber Director to centralize efforts in monitoring foreign influences within open-source projects. He advocated for enhanced federal capabilities to trace the origins of OSS contributions, arguing that better oversight is essential to mitigate risks posed by developers located in adversarial nations. This strategy aims to secure not just civilian agencies but also vital defense systems and infrastructure.

The federal government’s ongoing struggles to balance the rapid deployment and cost benefits of open-source technology with associated security risks reflect a need for realignment. Recent Pentagon guidance illustrates a shift in approach, directing officials to minimize reliance on potentially compromised software susceptible to foreign influence.

John Scott, a senior vice president with Rivada Select Services, highlighted the existing gaps in government understanding of OSS utilized within their operations. He noted that the continuous influx of software updates, often lacking rigorous vetting, exacerbates the risks linked to unknown sources and vulnerabilities. Such vulnerabilities create fertile ground for potential adversary tactics outlined in the MITRE ATT&CK framework, including initial access and persistence, thereby posing a significant threat to national security.
