U.S. National Cyber Director Sean Cairncross has been urged by Senate Intelligence Committee Chair Tom Cotton, R-Ark., to combat risks associated with the growing involvement of China and Russia in open-source software development, CyberScoop reports.
Illicit code has already infiltrated popular open source codebases through state-backed software developers and cyberespionage operations, as evidenced by a test version of XZ Utils being compromised with a backdoor by suspected nation-state hacker Jia Tan, said Cotton in a letter to Cairncross.
Risks are also apparent with the Defense Department's use of an OSS solely maintained by a Russia-based developer, as well as Chinese tech firms Huawei and Alibaba being major OSS contributors, according to Cotton, who also asked federal cyber officials to improve visibility into where open-source code comes from and to track contributions tied to developers in adversary nations. He noted that open-source software is used across government and defense systems.
The letter follows earlier congressional warnings and stalled legislation on the issue, along with Pentagon guidance issued in July to limit foreign influence in department technology.
Illicit code has already infiltrated popular open source codebases through state-backed software developers and cyberespionage operations, as evidenced by a test version of XZ Utils being compromised with a backdoor by suspected nation-state hacker Jia Tan, said Cotton in a letter to Cairncross.
Risks are also apparent with the Defense Department's use of an OSS solely maintained by a Russia-based developer, as well as Chinese tech firms Huawei and Alibaba being major OSS contributors, according to Cotton, who also asked federal cyber officials to improve visibility into where open-source code comes from and to track contributions tied to developers in adversary nations. He noted that open-source software is used across government and defense systems.
The letter follows earlier congressional warnings and stalled legislation on the issue, along with Pentagon guidance issued in July to limit foreign influence in department technology.




