The Department of Homeland Security (DHS) is whipping out its wallet to secure open-source software, according to National Cyber Director Harry Coker, Jr.
Speaking at the DEF CON 32 conference in Las Vegas this month, Coker announced the Open Source Software Prevalence Initiative, which will pull from $11 million in funding under the $1.2 trillion infrastructure act passed by Congress in 2021.
“We know that open source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts,” Coker told the audience.
As CIO Dive noted, Coker’s office recently released a report calling for the federal government to incentivize wider usage of and education in memory-safe programming languages, especially with respect to translating older code.
The report also called for funding and support into open-source security, including artificial intelligence tools that can automatically translate older languages into memory-safe ones. Priorities in the report included securing repositories, further supporting the use of software bills of materials (SBOMs), and more public-private collaboration on software vulnerability severity metrics.
“They may seem easy to some of you, but the president can’t simply issue an order and solve those problems,” Coker told the audience.
“We’ve known about vulnerabilities in the Border Gateway Protocol for decades. Still, much of the US internet traffic is subject to hijack,” he added. “Memory-safe programming languages have similarly been around for years. Still, critical software that underlies our society is written in C simply because that’s what’s convenient.”
Additionally, Coker hit on a point mentioned by Cybersecurity and Infrastructure Security Agency (CISA) chief Jen Easterly during her own DEF CON talk—that more liability should fall on the shoulders of software developers rather than customers.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Coker mentioned his office is working on a “software liability regime,” meaning legal reforms that would hold developers accountable for defects. Developers have historically been very successful at dodging liability for their products via contract language and user agreements.
“We are increasingly aiming to leverage this unique community as part of novel policy solutions,” Coker said. “Our reliance on all of you does, however, come with a commensurate increase in responsibility.”
“In the President’s National Cyber Security Strategy, we call for more of the responsibility for defending cyberspace to fall upon the more capable actors in the ecosystem,” Coker told the audience. “That means technology producers, yes, [and] certainly the federal government, but it also means all of you.”
Coker also discussed the White House’s strategy for filling what it says are 500,000 open cybersecurity jobs across the country. He characterized the problem as a recruitment issue rather than a talent gap.
“I’d imagine that just about everybody in here knows folks that don’t have four-year degrees that are making substantial contributions to cybersecurity,” Coker said, adding degree requirements for new hires are a “legacy bad practice.”
“We’re getting that word out on the federal employee, government, civil servant side,” Coker added. “We’re working with our partners at the Office of Personnel Management to do the same thing, to go towards skills-based hiring.”