On Wednesday, May 12th, in the wake of the recent Colonial Pipeline ransomware attack that shut down one of the largest US pipelines for nearly a week, President Biden signed an executive order placing strict new standards on the cybersecurity of all software sold to the federal government. This order is part of a broad, multi-layered initiative to improve national security by incentivizing private companies to practice better cybersecurity or risk being locked out of federal contracts. 

For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although the companies would have to “self-certify,” violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market.

The new order also requires all federal agencies to encrypt data, whether at rest or in transit.

This order addresses a disconcerting trend: cyberattacks - many of which arrive by email - are becoming more sophisticated, prevalent and far-reaching than ever before. Many of these attacks target critical infrastructure, a point most recently highlighted by the Colonial Pipeline ransomware incident. Over the past year, approximately 2,400 ransomware attacks have hit corporate, local and federal offices.

Biden’s new executive order recognizes the critical importance of Open Source in securing the software supply chain: vendors must attest, "to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product." It is not surprising that the order specifically addresses open-source security. After all, according to open-source company Tidelift, 92% of applications contain open-source components.

Fortunately, the open-source community is already working on this problem. The Linux Foundation's Software Package Data Exchange (SPDX) project aims to enable software transparency through a Software Bill of Materials (SBOM) - a formal record containing the details and supply chain relationships of the various components used in building software - and its format is designed to carry the component, version, supplier and relationship information that the order's SBOM requirement calls for.
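To make the SBOM idea concrete, here is an added example (not SPDX's or the Linux Foundation's own tooling) that builds a minimal SPDX 2.2 document in its JSON form for a product and its open-source components, then verifies that document against the artifact bytes a consumer actually has. The product name "acme-app", the component names, the download URLs, the `sbom.example.com` namespace and the artifact bytes are all constructed for illustration; the SPDX field names, the `SPDXRef-` identifier rules and the DESCRIBES/CONTAINS relationship types are real SPDX 2.2 conventions.

```python
"""Build a minimal SPDX 2.2 SBOM (JSON form) and verify it against the
artifacts on hand. Added example; not SPDX's or the Linux Foundation's code."""
import hashlib
import json
import re
from datetime import datetime, timezone

# SPDX identifiers are "SPDXRef-" followed by letters, digits, '.' and '-'.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _spdx_id(name: str, version: str) -> str:
    # Replace anything SPDX does not allow in an identifier with '-'.
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.\-]", "-", f"{name}-{version}")


def build_sbom(product: str, version: str, components: list) -> dict:
    """components: dicts with name, version, download_location, data (bytes),
    optional license. Every component gets a SHA256 checksum (integrity), a
    downloadLocation (provenance) and a CONTAINS relationship (structure)."""
    root_id = _spdx_id(product, version)
    packages = [{
        "name": product, "SPDXID": root_id, "versionInfo": version,
        "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
        "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
        "copyrightText": "NOASSERTION",
    }]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relatedSpdxElement": root_id, "relationshipType": "DESCRIBES"}]
    for c in components:
        pkg_id = _spdx_id(c["name"], c["version"])
        packages.append({
            "name": c["name"], "SPDXID": pkg_id, "versionInfo": c["version"],
            "downloadLocation": c["download_location"], "filesAnalyzed": False,
            "checksums": [{"algorithm": "SHA256", "checksumValue": _sha256(c["data"])}],
            "licenseConcluded": c.get("license", "NOASSERTION"),
            "licenseDeclared": c.get("license", "NOASSERTION"),
            "copyrightText": "NOASSERTION",
        })
        relationships.append({"spdxElementId": root_id,
                              "relatedSpdxElement": pkg_id, "relationshipType": "CONTAINS"})
    return {
        "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{product}-{version}",
        # The namespace URL is an assumed placeholder.
        "documentNamespace": f"https://sbom.example.com/{product}/{version}",
        "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "creators": ["Tool: sbom-example-0.1"]},
        "packages": packages, "relationships": relationships,
    }


def verify_sbom(sbom: dict, artifacts: dict) -> list:
    """Return a list of problems (empty = OK). artifacts maps package name
    to the bytes that were actually shipped, so checksums can be rechecked."""
    problems = []
    if sbom.get("spdxVersion") != "SPDX-2.2":
        problems.append("unsupported spdxVersion")
    packages = sbom.get("packages", [])
    known = {"SPDXRef-DOCUMENT"} | {p.get("SPDXID") for p in packages}
    for p in packages:
        name = p.get("name", "?")
        if not SPDX_ID_RE.match(p.get("SPDXID", "")):
            problems.append(f"{name}: malformed SPDXID")
        loc = p.get("downloadLocation")
        if loc is None:
            problems.append(f"{name}: downloadLocation missing")
        elif loc.startswith("http://"):
            problems.append(f"{name}: downloadLocation is not TLS-protected")
        for c in p.get("checksums", []):
            if c.get("algorithm") != "SHA256":
                continue
            data = artifacts.get(name)
            if data is None:
                problems.append(f"{name}: no artifact available to check")
            elif _sha256(data) != c.get("checksumValue"):
                problems.append(f"{name}: SHA256 mismatch")
    rels = sbom.get("relationships", [])
    for r in rels:
        if r.get("spdxElementId") not in known or r.get("relatedSpdxElement") not in known:
            problems.append("relationship references an unknown element")
    if not any(r.get("relationshipType") == "DESCRIBES" for r in rels):
        problems.append("no DESCRIBES relationship")
    return problems


# Constructed sample components; the bytes stand in for real tarballs.
COMPONENTS = [
    {"name": "libfoo", "version": "1.2.3", "license": "MIT",
     "download_location": "https://example.com/libfoo-1.2.3.tar.gz",
     "data": b"constructed bytes standing in for libfoo-1.2.3.tar.gz"},
    {"name": "libbar", "version": "0.9.0", "license": "Apache-2.0",
     "download_location": "https://example.com/libbar-0.9.0.tar.gz",
     "data": b"constructed bytes standing in for libbar-0.9.0.tar.gz"},
]


def demo():
    """Verify once with intact artifacts and once with a tampered libbar."""
    sbom = build_sbom("acme-app", "2.0.0", COMPONENTS)
    artifacts = {c["name"]: c["data"] for c in COMPONENTS}
    tampered = dict(artifacts, libbar=artifacts["libbar"] + b"\x00")
    return sbom, verify_sbom(sbom, artifacts), verify_sbom(sbom, tampered)


if __name__ == "__main__":
    doc, intact, bad = demo()
    print(json.dumps(doc, indent=2))
    print("intact artifacts:", intact or "OK")
    print("tampered artifacts:", bad)
```

The point of the verifier half is that an SBOM is only useful if someone checks it: the checksum recheck catches a modified component, the `http://` check flags a download path an attacker could tamper with, and the relationship check catches a document that lists packages without saying how they fit together.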

The Linux Foundation’s Open Source Security Foundation (OpenSSF) has also been working to secure open-source software and its components through its mission of “collaboration to secure the open-source ecosystem”. The Linux Foundation also recently announced a new open-source software signing service, the sigstore project, which seeks to improve software supply chain security by making cryptographic signing of software easy to adopt and by recording signing events in a public, append-only transparency log so that they can be audited after the fact. Besides sigstore, the Linux Foundation oversees several projects for maintaining trusted source code supply chains, including in-toto, The Update Framework (TUF) and OpenChain (ISO/IEC 5230).
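The "transparency log" behind a signing service is what turns a signature from a private claim into a publicly auditable record. The following added example (my own code, not sigstore's or its Rekor log's) implements the core of such a log: an append-only Merkle tree hashed the way RFC 6962 Certificate Transparency does it (0x00 prefix for leaves, 0x01 for interior nodes), with inclusion proofs that a client can verify against a published root. The log entries are constructed records carrying an artifact digest, a signer identity and an opaque signature string; producing and checking the signature itself is out of scope here, and the `release-bot@example.com` identity and the `sha256:...` digests are placeholders.

```python
"""Append-only Merkle transparency log with RFC 6962-style hashing and
inclusion proofs. Added example; not sigstore/Rekor code."""
import hashlib
import json


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    return _h(b"\x00" + entry)          # 0x00 prefix: leaf domain separation


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)   # 0x01 prefix: interior node


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(m: int, leaves: list) -> list:
    """Sibling hashes needed to recompute the root from leaf m."""
    if len(leaves) == 1:
        return []
    k = _split_point(len(leaves))
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, path: list, tree_size: int, root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): fold the path back up
    to the root, using the index bits to decide left/right at each level."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class TransparencyLog:
    """Append-only: entries are never edited; the root commits to all of them."""

    def __init__(self):
        self.leaves = []

    def append(self, entry: dict) -> int:
        data = json.dumps(entry, sort_keys=True).encode()  # canonical form
        self.leaves.append(leaf_hash(data))
        return len(self.leaves) - 1

    @property
    def size(self) -> int:
        return len(self.leaves)

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def proof(self, index: int) -> list:
        return inclusion_path(index, self.leaves)


def demo() -> dict:
    log = TransparencyLog()
    for i in range(5):  # constructed signing records, not real artifacts
        log.append({"artifact": "sha256:%064x" % i,
                    "signer": "release-bot@example.com", "signature": "sig%d" % i})
    size, root, idx = log.size, log.root(), 3
    proof = log.proof(idx)
    genuine = verify_inclusion(log.leaves[idx], idx, proof, size, root)
    # An entry that was never logged does not verify, even with a real proof.
    forged = verify_inclusion(leaf_hash(b'{"artifact": "sha256:evil"}'), idx, proof, size, root)
    # If the log operator silently rewrites an old entry, the root changes, so a
    # previously published checkpoint no longer matches: tampering is evident.
    log.leaves[0] = leaf_hash(b"rewritten")
    return {"genuine": genuine, "forged": forged, "root_unchanged_after_rewrite": log.root() == root}


if __name__ == "__main__":
    print(demo())
```

The checkpoint (tree size plus root hash) is what a client pins; anyone holding an old checkpoint can later demand a consistency proof from the operator, which is the same mechanism Certificate Transparency uses to keep CAs honest and which sigstore applies to signatures.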

The open-source community also addresses the order’s call for encryption in transit through Let's Encrypt, the open-source, nonprofit certificate authority that is now the world's largest issuer of TLS certificates. Note that TLS protects data only while it moves between systems; encryption of data at rest has to be handled separately, for example with full-disk or database-level encryption.

The bottom line is that Open Source shows significant promise in meeting today’s and tomorrow’s most significant cybersecurity challenges. It is now clear that cybersecurity needs to be a top priority - not just for the federal government, but for everyone. David A. Wheeler, the Linux Foundation's Director of Open Source Supply Chain Security, emphasizes the importance of community involvement in securing the open-source supply chain, "We couldn't do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all. We are always delighted to work with anyone to improve the development and deployment of open-source software."

I’m pleased to see this kind of order put into place. Cybersecurity and data privacy are serious, universal concerns that must be addressed by individual businesses as well as at the national level. This order gives vendors a strong enough incentive that it is hard to imagine they would choose not to comply. While there is no silver bullet, it is encouraging to see that the open-source community is well on its way to meeting this order’s critical demands.