The virtual meeting, which will be attended by officials from the White House, the Defense Department, the Department of Homeland Security and other departments and agencies, will focus on “what has worked and what else can be done to secure the open-source software that we all fundamentally rely on,” a senior administration official told reporters.
The guest list includes executives from Amazon, Facebook parent company Meta, IBM and Microsoft, among other businesses, along with the Linux and Apache open-source software organizations, according to the White House. Open-source software is publicly accessible code that users across the internet can inspect and modify in the name of collaboration.
Analysts say the latter two non-profits are crucial to tackling the problem because countless software products sold by the world’s biggest tech firms rely on the open-source code.
To date, the impact of the vulnerability has not been as severe as some feared. US officials say there is no evidence that federal agencies have been breached using the Log4j flaw. But officials also warn that it could be months before they know the full scope of the impact of the bug, given how widely used the software is.
In a briefing with reporters Monday, Jen Easterly, head of DHS’ Cybersecurity and Infrastructure Security Agency, pointed to the 2017 hack of credit reporting agency Equifax as a cautionary tale.
“As a society, we need to fund critical open-source projects [that] technology providers rely on and make us all vulnerable when vulnerabilities are found,” said Chris Wysopal, a former member of an influential hacking collective that warned Congress about the inherent vulnerabilities of the internet in 1998.
“I hope that the White House invited members of the Apache Group or other prominent open-source maintainers so they could hear about the struggles these volunteer teams have and resources they could use the most,” Wysopal, who is now chief technology officer at the cybersecurity firm Veracode, told CNN.