Google has asked the US government to take a more proactive approach in identifying and protecting open-source cybersecurity tools that are essential to the internet’s security.
The firm’s blog post following the White House’s Log4j vulnerability summit on Thursday noted that the country needs a public-private partnership to establish such a program.
Kent Walker, chief legal officer at Google and Alphabet, said: “We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.”
Google calls for government help for more secure open-source projects
The post stressed the necessity of more public and private investment to safeguard the open-source environment, particularly when software is utilized in infrastructure projects. The private sector, on the whole, manages funding and evaluation of these initiatives.
“Open source software code is available to the public, free for anyone to use, modify, or inspect … That’s why many aspects of critical infrastructure and national security systems incorporate it,” wrote Walker. “But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.”
The discovery of a major flaw in the Log4j Java library, which quickly became the most serious cybersecurity vulnerability of recent years, has revived long-standing concerns about the lack of financial and technical resources for open-source development. The Log4j library, too, was primarily developed and maintained by volunteers.
Private sources, such as individual donations or corporate sponsorship, are responsible for the majority of open-source projects’ funding. Google has contributed $1 million to the Secure Open Source (SOS) rewards program, a pilot project run by the Linux Foundation to financially reward developers working to strengthen open-source projects’ security.