'We need to get this right:' Cyber experts address open-source software security concerns

U.S. Commerce Secretary Gina M. Raimondo, left, with European Commission Executive Vice-President Margrethe Vestager in December. | SecRaimondo/Facebook


The U.S. Department of Commerce is sensitive to open-source software security concerns and is listening to what cyber experts have to say, U.S. Commerce Secretary Gina M. Raimondo said during a recent conference.

In her brief comments at the start of the White House Open-Source Software Security Summit, Raimondo addressed representatives from leading technology companies, including Apple, Facebook and Google.

"I appreciate everyone’s willingness to come together to discuss the importance of open-source software security," Raimondo said. "At the Commerce Department, we understand that we need to get this right. And that means working together with all of you in the private sector."

The conference at the White House included representatives from technology giants and federal agencies who met to discuss open-source software security, according to CyberScoop's coverage of the event. The conference was called in response to a widespread vulnerability in Apache's Log4j, an open-source website logging framework, that has some experts in the field worried.

The Federal Trade Commission recently warned that companies should remediate Log4j after "a serious vulnerability" in the popular Java logging package had been disclosed.

"When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms," the Federal Trade Commission said in a Jan. 4 news release. "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Raimondo did not mention Log4j during her comments but did say she is listening to experts in the field.

"I'll be tracking how today's discussions lead to meaningful improvements in open-source software security," she said. "This is a priority for us at Commerce. Thank you in advance for your efforts. Let's get to work!"

Raimondo attended the White House Cybersecurity Summit in August, where she announced a National Institute of Standards and Technology effort on technology supply chain security. That initiative includes developing best practices and new tools to secure open-source software. Raimondo also recalled hearing about the challenges experts face in the field.

"I’m excited to hear the ideas you have come up with during today's discussions," Raimondo said. "Of course, commitments must be backed up by action. For my part, I can tell you that NIST is ready, willing and able to seriously consider and follow up on the actions that you have identified."
