Kemba Walden: We need to secure open source software

During her Black Hat USA 2023 keynote, the acting national cyber director said the White House wants to develop realistic policies to improve the security of open source software.

LAS VEGAS -- The White House is moving to address the looming security concerns around open source software.

Kemba Walden, acting national cyber director in the Office of the National Cyber Director (ONCD), discussed efforts to secure open source software as well as other national cybersecurity initiatives during a keynote at Black Hat USA 2023 Thursday. In a discussion with Jason Healey, a senior research scholar at Columbia University, Walden said 95% of the federal government's technology stack relies on open source.

After reading the Cyber Safety Review Board's report on the Log4Shell vulnerability that was disclosed in late 2021, Walden said, it was clear to her that the White House needed to address open source software. Log4Shell, tracked as CVE-2021-44228, was a flaw in Log4j, a popular and pervasive Java logging framework developed by the Apache Software Foundation. The vulnerability was exploited on a wide scale against many organizations.

"I was stunned to find out that the developer community isn't necessarily or always trained on secure-by-design [principles]," she said. "And it seems like at that atomic level, we should have security by design."

Walden noted that addressing open source security is a component of the National Cybersecurity Strategy from President Joe Biden's administration and said her team has been discussing ideas to improve it. One of those ideas was posed by a staff member who suggested using memory-safe programming languages.

"But I need to understand from this community how to do that," she said. "How do we make policy that's realistic and actionable?"

To that end, Walden announced that her office, along with CISA, the Defense Advanced Research Projects Agency and other offices, published a request for information (RFI) Thursday morning to better understand open source security and to develop strategies and policies to improve it. She encouraged the audience to submit ideas and feedback to the RFI, which is open for comment for 60 days.

Making progress on cybersecurity

During the discussion, Healey asked about concerns regarding surveillance and spyware use, even from allied nations such as India and Mexico. Several security vendors have observed a rise in commercial spyware such as NSO Group's controversial Pegasus product.

Walden highlighted the Biden administration's recent executive order (EO) to address spyware and surveillance tools. She noted that the EO -- which she admitted "is not perfect" -- prohibits the use of such commercial surveillance technologies by federal agencies and departments.

"That's a first step. It's a good step," Walden said, adding that she welcomed feedback from the infosec community on improving policies going forward.

Overall, Walden said she was optimistic about her office's efforts and the White House's long-term cybersecurity strategy. She noted that the ONCD is still a very new entity. "We are a startup in the White House, and startups take a lot of energy and a lot of time," she said.

That said, Walden added that her office and the administration overall have a clear direction for making cybersecurity improvements across the federal government and the industry as a whole. Prior to the creation of the ONCD, Walden said, 10 or 12 people within the White House were devoted to cybersecurity across different offices. Currently, the office has 78 people and is looking to hire more.

Despite all the doom and gloom around numerous cyber attacks and growing threats, Walden said she has a positive outlook for the future, though she acknowledged that a nationwide strengthening of cybersecurity is an enormous task. In that regard, she said the effort will require help from the infosec community, academics, civil society and more to assist federal government efforts.

"I'm optimistic that we can get there, but I'm realistic that it's not going to be easy," Walden said.

Rob Wright is a longtime technology reporter who lives in the Boston area.