Walden seeks to bolster cybersecurity on Linux open source software system

U.S. Rep. Greg Walden (R-OR) has asked the head of The Linux Foundation to explain the nonprofit’s efforts to secure the open source software (OSS) ecosystem against vulnerabilities that could expose the sensitive information of hundreds of millions of users to cyberattacks.

“As the last several years have made clear, OSS is such a foundational part of the modern connected world that it has become critical cyber infrastructure. As we continue to examine cybersecurity issues generally, it is therefore imperative that we understand the challenges and opportunities the OSS ecosystem faces, and potential steps that OSS stakeholders may take to further support it,” wrote Rep. Walden, chairman of the U.S. House Energy and Commerce Committee, and U.S. Rep. Gregg Harper (R-MS), chairman of the panel’s Subcommittee on Oversight and Investigations.

In the lawmakers’ April 2 letter to Jim Zemlin, executive director of The Linux Foundation, the members voiced support for OSS, which is software having source code that anyone may view, change and improve because its design is publicly accessible. But the lawmakers also sought a “deeper understanding of the current state of the ecosystem.”

Their letter to The Linux Foundation wasn’t a random choice. The San Francisco-based nonprofit calls Linux the largest, most important and most pervasive OSS project in history. Linux kernel development is ongoing and protected at The Linux Foundation, which supports building other stable open source communities through financial and intellectual resources, infrastructure, services, events and training.

Use of Linux is practically universal, according to The Linux Foundation, which reports it is the operating system for more than 95 percent of the top 1 million domains; all of the top 500 supercomputers in the world; and most of the global financial markets, including the New York Stock Exchange and NASDAQ. Linux is also the preferred infrastructure for world-leading ecommerce companies like Amazon, eBay, PayPal, and Walmart, among others, according to the foundation.

Such global use has increased potential cybersecurity threats. “While the extent of OSS adoption clearly demonstrates the value that the ecosystem provides, its pervasiveness also creates widespread, distributed, and common points of potential risk across organizations when OSS vulnerabilities are found,” the lawmakers wrote.

Reps. Walden and Harper pointed to a vulnerability known as Heartbleed, a 2014 cybersecurity weakness discovered in the OSS programming library OpenSSL, which had been installed on an estimated 60 percent of all websites at that time, according to their letter. Heartbleed enabled sensitive information to be stolen from unpatched systems, they wrote, noting that at least three organizations “cited the Heartbleed vulnerability as the root cause of later cybersecurity incidents.” One such organization was Community Health Systems, the nation’s second-largest for-profit hospital chain, which reported that 4.5 million patient records had been stolen by exploiting the Heartbleed bug in OpenSSL.

“The widespread impact of the Heartbleed vulnerability through the deployment of a piece of OSS forced individuals and organizations outside of the information technology community to recognize what members within the community had long known: software is no longer written, but assembled,” according to their letter. “Software libraries that reliably handle basic programming staples such as transport-layer encryption, network time management or data storage are available through the OSS ecosystem, providing organizations which leverage them a solid foundation upon which they may then build their own unique products.”

Citing Heartbleed, Reps. Walden and Harper wrote that “the sustainability and stability of the OSS ecosystem is essential to the sustainability and stability of organizations’ cybersecurity generally.”

The lawmakers also acknowledged that large companies like Microsoft, Adobe and Apple have the funding, time, processes and procedures in place to address such vulnerabilities. They said they also realize that this is not always true for OSS vulnerabilities, because OSS creators or maintainers may be volunteers located all over the world, working unrelated full-time jobs and receiving no compensation for their OSS work.

“In recognition of this very fact,” the lawmakers noted, The Linux Foundation established the Core Infrastructure Initiative (CII) in the wake of Heartbleed as a multimillion-dollar project to fund and support OSS projects and initiatives designed to root out such vulnerabilities in the global information infrastructure. Since then, CII has undertaken audits to identify such weaknesses, provided tools for testing and analyzing OSS programming, and established best practices and educational resources for OSS developers, they wrote, noting their appreciation for such work.

“More work remains to be done, however,” the lawmakers concluded. “OSS adoption will continue to grow, making the sustainability and stability of the OSS ecosystem even more vital.”

Toward that end, the lawmakers listed four questions for Zemlin, posed pursuant to U.S. House of Representatives’ Rules X and XI. They ask whether CII has performed a comprehensive study of which OSS components are most critical to the global information infrastructure; whether statistics on OSS usage are available; how sustainable and stable the OSS ecosystem is; and how it could be made more stable and secure.

Reps. Walden and Harper have asked Zemlin to respond to their questions by April 16.