Sen. Cotton urges top White House cyber official to protect open-source software
"The chairman of the Senate Intelligence Committee asked National Cyber Director Sean Cairncross in a Wednesday letter to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies. Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia."
""[Open-source software] is the backbone of U.S. government systems, including mission-critical defense systems, where we reap the numerous benefits of OSS to innovate, develop, and deploy technology quickly," Cotton wrote. The letter cited previous Nextgov/FCW reporting that revealed a Russia-based Yandex employee as the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built Defense Department software packages."
"Open-source projects - free software builds available for download online - largely rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers. Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed "Jia Tan" tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies."
Senate leadership requested the National Cyber Director to address vulnerabilities in open-source software that supports U.S. military and civilian systems. Concerns center on contributions to widely used projects from foreign adversaries such as China and Russia. Open-source projects depend on volunteer contributors and community maintainers to provide patches and updates, often assuming benevolent intent. That assumption was undermined when a user attempted to insert a backdoor into XZ Utils. Reporting also identified a Russia-based Yandex employee as sole maintainer of a tool embedded in numerous Defense Department packages. The Defense Department directed avoidance of hardware and software susceptible to adversarial influence.
Read at Nextgov.com