Fortifying Critical Infrastructure: The Open-Source Software Security Imperative
In our digital age, securing critical infrastructure must be THE key focus, given its foundational role in national security, economic stability, and public safety. For the past several months my team and I have been involved with the Open-Source Software Security Initiative (OS3I). The OS3I convenes Federal agencies and considers input from the open-source software community, civil society, and private sector stakeholders across the open-source software landscape to deliver policy solutions to secure and defend the open-source software ecosystem. This initiative underscores a collaborative effort to fortify the backbone of our society against escalating cyber threats, leveraging the collective expertise and innovation inherent in the open-source community to ensure a resilient and secure infrastructure for the future.
Critical Infrastructure and OSS
Critical infrastructure often uses open-source software (OSS) due to its flexibility, cost-effectiveness, and robust community support. OSS can allow for rapid innovation, customization to meet specific operational needs, and the ability to scrutinize and enhance security through community contributions. However, the risks include vulnerabilities introduced by less stringent security practices in some OSS projects and the challenge of managing updates and patches across the open-source ecosystem. Balancing these factors is crucial for maintaining the security and efficiency of critical infrastructure systems.
OS3I
In 2023, under the guidance of the Biden-Harris Administration's National Cybersecurity Strategy, significant strides were made in securing the OSS ecosystem through the OS3I. Everyone involved with OS3I worked together to achieve significant milestones in enhancing the security of the OSS ecosystem.
As detailed in the recently released Securing the Open-Source Software Ecosystem end of year report by OS3I, the key efforts started by working to unify Federal departments and agencies by articulating a cohesive stance on OSS security and facilitating coordinated efforts across government sectors. OS3I then developed a strategic approach for the Federal Government to secure its own use of OSS, alongside identifying measures to fortify the broader ecosystem's security.
This included releasing the Open-Source Software Security Roadmap by the Cybersecurity & Infrastructure Security Agency (CISA) to guide departments and agencies in managing OSS risks effectively. OS3I continued to work on OSS security by underscoring the importance of long-term, sustained security investment in the OSS ecosystem, highlighted by the National Science Foundation’s (NSF) call for proposals on securing OSS. Finally, OS3I deepened engagements with the OSS community, seeking to build trust and collaboration through various initiatives, including a Request for Information that gathered valuable insights from over a hundred responses.
In 2024, OS3I and its participants plan to leverage the insights and feedback received through the NSF call for proposals to address systemic risks and enhance the sustainability of OSS communities. OS3I plans to publish a summary of the RFI submissions to share key findings and guide future actions. The OS3I will continue to foster collaboration across the Federal Government, OSS community, civil society, and private sector stakeholders, aiming to improve the security of the OSS ecosystem and support its long-term resilience and innovation.
Public-Private Partnerships
The integration of OSS in critical infrastructure demands a concerted effort between public and private sectors to enhance cybersecurity. Collaborative security strategies are crucial for safeguarding national security and protecting the U.S. economy. By pooling resources and sharing intelligence, we can address vulnerabilities within OSS more effectively, ensuring the resilience of systems vital to our societal and economic well-being. This partnership is essential for developing robust defenses against cyber threats, highlighting the interconnected nature of modern infrastructure and the collective responsibility for its protection.
Why OSS Security Matters
The evolving cybersecurity landscape underscores a significant shift in adversaries targeting U.S. critical infrastructure, as highlighted in this week’s hearing of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, where NSA, CISA, ONCD, and the FBI discussed China-linked cyber operations targeting U.S. critical infrastructure. This trend, exemplified by the activities of the Volt Typhoon group, highlights a strategic pivot towards disruption-readiness, indicating Beijing's intention to bolster its capabilities for a potential broader conflict.
The concerns raised by U.S. officials underscore the complex threat posed to national security and economic stability. The sophisticated tactics employed, such as exploiting small-office routers, blending malicious activities with legitimate operations, and manipulating the OSS ecosystem, necessitate a robust and informed cybersecurity response across both public and private sectors to safeguard critical infrastructure effectively.