The White House on Thursday is hosting leading tech companies, along with a number of relevant government agencies, to discuss ways to improve security for open-source software libraries, with senior administration officials calling it a “key national security concern.”
Meeting with Biden administration officials will be representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, Red Hat and VMware.
They’ll discuss how new private-public collaboration could “rapidly drive improvements” to security.
Joining the business leaders at the White House will be senior leaders and senior open-source software experts from leading agencies, including the Departments of Commerce and Homeland Security, the Pentagon, the Cybersecurity and Infrastructure Security Agency, the Department of Energy and more.
Anne Neuberger, deputy national security adviser for cyber and emerging technologies, is expected to host the meeting.
The meeting is intended to center on President Biden’s executive order on cybersecurity, a senior administration official told Fox Business. That order put a focus on software security and drove a range of efforts across the U.S. government and within the private sector.
The official said that the administration anticipates “additional discussions” with the companies and other organizations not represented. The White House invited major software companies and developers to discuss initiatives to improve open-source security last month.
“Open-source software has accelerated the pace of innovation and has driven tremendous societal and economic benefits, but the fact that it is broadly used and maintained by volunteers is a combination that is a key national security concern, as we are experiencing with the log4j vulnerability,” a senior administration official said.
“Software security is essential to our national and economic security,” the official continued, noting that recent incidents, including the SolarWinds hack, serve as “recent reminders that strategic adversaries actively exploit vulnerabilities for malicious purposes.”
Last month, officials discovered a vulnerability within software known as “Log4j,” which they said presents “an urgent challenge to network defenders given its broad use.”
The Log4j flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a challenge in itself; it is often hidden under layers of other software.
The affected software, written in the Java programming language, logs user activity. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is highly popular with commercial software developers. It runs across many platforms — Windows, Linux, Apple’s macOS — powering everything from webcams to car navigation systems and medical devices, according to the security firm Bitdefender.
Officials within CISA said that the vulnerability poses “a severe risk” and urged private sector organizations to work with the federal government to take action.
The Associated Press contributed to this report.