Following a summit on open-source security hosted at the White House Thursday, Google has called for increasing government involvement in identifying and securing critical open-source software projects.
In a blog post published shortly after the summit, Kent Walker, president for global affairs and chief legal officer at Google and Alphabet, said that collaboration between government and the private sector was needed for open-source funding and management.
“We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements,” Walker wrote.
The blog post also called for an increase in public and private investment to keep the open-source ecosystem secure, particularly when the software is used in infrastructure projects. For the most part, funding and review of such projects are conducted by the private sector.
The White House had not responded to a request for comment by time of publication.
“Open source software code is available to the public, free for anyone to use, modify, or inspect ... That’s why many aspects of critical infrastructure and national security systems incorporate it,” wrote Walker. “But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”
The shortage of funding and resources for open-source development has long been raised as a security concern and has re-emerged as a key issue after the discovery of a serious bug in the Log4j Java library, which quickly became the biggest cybersecurity vulnerability in recent years. The Log4j library was also developed and maintained largely by unpaid labor.
When open-source projects do receive funding, it generally comes from private sources like individual donations or sponsorship from tech companies. Google recently contributed $1 million to the Secure Open Source (SOS) rewards program, a pilot scheme being run by the Linux Foundation to financially compensate developers working to improve the security of open-source projects.
In a statement, Eric Brewer, VP of Infrastructure at Google, said:
“Though it was called a summit, today’s meeting was effectively a working session to develop concrete, pragmatic solutions to improve open source security. The participants broadly agreed on approaches to identify and secure critical projects, and in particular underwrite those efforts with real investment. It is especially crucial that those maintaining open-source projects are given the resources and support they need to ensure they are well maintained and are able to fix vulnerabilities quickly. We applaud the White House for their leadership on this important issue.”
Update Jan 14th, 8:50AM ET: This article has been updated to add a statement from Eric Brewer.