As open source tools and software are becoming a more integral part of the government’s technology base, a host of agencies are at work formulating strategies to take best advantage of that trend, according to Allan Friedman, senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency (CISA).
At an event hosted by the Center for Strategic and International Studies (CSIS) on Jan. 10, Friedman talked about some of the important implications that open source software can have for government technology capabilities.
“Open source is a critical part of the organization of the ecosystem that we have today,” the CISA official said. As the use of open source becomes more ubiquitous, a variety of agencies are still figuring out how to best implement those tools.
“The U.S. government is still in the process of organizing and coordinating our strategy,” Friedman said. “A lot of that work is being led by the Office of the National Cyber Director, pulling together experts” from CISA, the National Institute of Standards and Technology, and the Federal Trade Commission, among others, he said.
“We’re trying to make sure we have a big tent,” he said, adding that “some of the great work that’s happened is tracking visibility across the U.S. government and promoting specialized but very important advances such as memory safety.”
Friedman also underscored the importance of open source software to critical infrastructure.
“One thing that we’re interested in here at CISA is what are the pieces that are particularly relevant to critical infrastructure,” he said.
“A lot of the great work that’s happened is focused on data for modern applications, that’s where the data is,” he said. “So we’re looking and trying to plan some research projects with our colleagues at DHS S&T [Science and Technology] to sort of say, well, ‘what’s unique.’”
On the open source risk front, Friedman said there’s still plenty of ground to cover.
“As we learn more about the security of this domain, it’s important to acknowledge that we should expect it to get worse before it gets better, or rather, greater visibility into different types of risks means that we’re going to see more risks,” stated Friedman.
“That doesn’t mean the problem is getting worse,” he said. “That means that we are in a better position to understand what the risks are, and how we collectively can deal with.”