The Department of Homeland Security plans to invest $11 million toward improving security in open source software, a key area of focus under the Biden administration’s national cybersecurity strategy, National Cyber Director Harry Coker Jr. said.
Coker, speaking Saturday at the Def Con conference in Las Vegas, said the investment will back a program called the Open Source Software Prevalence Initiative, which will assess the prevalence of open source software used in operational technology settings by critical infrastructure providers.
“We know that open source underlies our digital infrastructure, and it's vital that as a government we contribute back to the community as part of our broader infrastructure efforts,” Coker said, according to a readout of his presentation.
The funding will come from DHS as part of the Bipartisan Infrastructure Law.
Coker detailed the investment plans just one day after a report from the Office of the National Cyber Director outlined new recommended steps following a 2023 request for information on open source software security.
The report called for the administration to leverage key federal agencies in order to accelerate open source security. These steps include expanded development of software bills of materials (SBOMs) as well as establishing a U.S. Government Open Source Program Office.
The report offered additional steps the federal government should take to improve open source security and proposed the government:
- Offer new incentives to boost the adoption of memory-safe programming languages.
- Fund the development of open source tools and libraries to secure the open source software ecosystem.
- Research the use of artificial intelligence, including large language models and machine learning.
- Pursue public-private partnerships within open source.
- Make investments to develop new and existing talent in the developer community to help secure open source.
Coker, during his remarks at Def Con, stressed the government can only provide so much help. The broader community also needs to make an effort to change how it approaches coding practices and addresses larger security concerns.
He noted that vulnerabilities in the Border Gateway Protocol (BGP) have been known for years, yet much of U.S. internet traffic is still subject to being hijacked.
“Memory-safe programming languages have similarly been around for years, still, critical software that underlies our society is written in C simply because that’s what’s convenient,” Coker said.
The “tragedy of the commons” around open source development is that the problems are well understood, yet vitally important packages are maintained by volunteers who operate on “less than shoestring” budgets, Coker said.
Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, said Coker’s presentation at Def Con represents a turning point in the public understanding of open source security.
“Calls for more secure open source development practices are important, but such calls need to recognize that open source is fundamentally different from commercial software and simply pouring money into select open source projects might not have the desired outcome,” Mackey said via email. “Open source thrives because of the diversity of its development teams and the freedoms those teams have to address their chosen functionality.”