Sen. Tom Cotton, R-Ark., is calling on the national cyber director to spearhead investigations into adversarial influence in open-source software (OSS) used by the federal government.  

OSS is foundational to the digital infrastructure across the federal government and is used in every critical infrastructure sector, according to the Cybersecurity and Infrastructure Security Agency. 

However, in a letter sent Dec. 17 to National Cyber Director Sean Cairncross, Cotton noted reports of state-sponsored software developers and cyber espionage groups that have exploited U.S. OSS by inserting malicious code. 

“OSS is the backbone of U.S. government systems, including mission-critical defense systems, where we reap the numerous benefits of OSS to innovate, develop, and deploy technology quickly,” Cotton wrote. “However, leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks.” 

The senator cited reports of Russian- and Chinese-connected developers with ties to U.S. OSS, with the Russia-based developer in particular being the sole maintainer of a piece of OSS embedded in multiple software packages used by the Pentagon. Chinese technology giants are among the top 20 contributors to the most recent Open Source Contributor Index, he noted. 

“As you know, the Chinese Communist Party’s national security laws impose broad obligations on China-based entities, including compelling companies to provide technical assistance to further CCP goals,” Cotton wrote. 

Cotton urged Cairncross to improve oversight of OSS, writing, “As the Office of the National Cyber Director holds responsibility for coordinating implementation of national cyber policy and government-wide cybersecurity, you are well positioned to lead the U.S. government in addressing this cross-cutting vulnerability.” 

Those efforts include building the federal government’s capability to be aware of foreign influence on OSS and track contributions from developers in adversarial nations. 

Recently, Defense Secretary Pete Hegseth called for better oversight of OSS used by the Pentagon. In a July memo, Hegseth said that the Pentagon “will not procure any hardware or software susceptible to adversarial foreign influence … and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department.” 

Hegseth also called for a review of existing software and programs to determine whether any adversarial influence remained and suggest actions to address that remaining influence. 

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.