Sen. Cotton urges top White House cyber official to protect open-source software
Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia.
Open-source projects — free software builds available for download online — largely rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers.
Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.
“[Open-source software] is the backbone of U.S. government systems, including mission-critical defense systems, where we reap the numerous benefits of OSS to innovate, develop, and deploy technology quickly,” Cotton wrote.
The letter cited previous Nextgov/FCW reporting that revealed a Russia-based Yandex employee as the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built Defense Department software packages.
Nextgov/FCW has asked the Office of the National Cyber Director for comment.
In July, Secretary of Defense Pete Hegseth signed a memorandum directing the Defense Department to “not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the department.”
Chinese, Russian and North Korean-affiliated hackers are covertly working to insert backdoor hijacks and exploits into major publicly-available software used by countless organizations, developers and governments around the world, according to findings from Strider Technologies released earlier this year.