In a keynote speech at Black Hat USA 2023, Kemba Walden, the acting national cyber director in the Office of the National Cyber Director (ONCD), discussed the White House’s efforts to address security concerns surrounding open source software. Walden revealed that 95% of the federal government’s technology stack relies on open source software, highlighting the widespread use and importance of this technology.
The need for addressing open source software security became apparent to Walden after reading the Cyber Safety Review Board’s report on the Log4Shell vulnerability. Log4Shell, also known as CVE-2021-44228, was a flaw in the popular Java logging framework Log4j and was widely exploited by hackers. Walden expressed her concern about the lack of security training within the developer community, stressing the importance of incorporating secure-by-design principles at the atomic level of software development.
Walden emphasized that addressing open source security is part of the National Cybersecurity Strategy established by President Joe Biden’s administration. She mentioned that her team has been discussing ideas to improve open source security, including the use of memory-safe programming languages. However, she recognized the need to collaborate with the community to create realistic and actionable policies.
To gather insights and feedback from the community, Walden announced the publication of a request for information (RFI) in collaboration with CISA, the Defense Advanced Research Projects Agency, and other offices. This RFI aims to better understand open source security and develop strategies and policies to enhance it. Walden encouraged the audience to submit their ideas and feedback within the 60-day comment period.
During the discussion at Black Hat USA 2023, concerns were raised about the use of surveillance technology and spyware, including by allied nations such as India and Mexico. Walden addressed these concerns by referring to a recent executive order issued by the Biden administration, which prohibits federal agencies and departments from using commercial surveillance technologies. However, she acknowledged that the executive order is not perfect and welcomed feedback from the infosec community to improve future policies.
Despite the challenges faced by the ONCD and the White House in strengthening cybersecurity across the government and the industry, Walden remained optimistic. She referred to the ONCD as a startup within the White House with a clear direction for making cybersecurity improvements. Prior to the establishment of the ONCD, cybersecurity efforts were divided among different offices, but now the office has 78 dedicated staff members and plans to hire more.
Walden underscored the importance of collective efforts in strengthening cybersecurity. She expressed her optimism for the future but also recognized that achieving nationwide cybersecurity improvements is a challenging task. She called for collaboration from the infosec community, academics, civil society, and others to support the federal government’s efforts.
In conclusion, Kemba Walden’s keynote speech at Black Hat USA 2023 highlighted the White House’s commitment to addressing security concerns related to open source software. Recognizing the widespread use of open source technology within the federal government, Walden stressed the need for secure-by-design principles and collaboration with the community to enhance open source security. Through initiatives like the request for information, the White House aims to gather valuable insights and feedback from various stakeholders in order to develop effective strategies and policies. Despite the challenges, Walden remained optimistic about the future of cybersecurity and emphasized the importance of collective efforts to achieve comprehensive improvements.