Top executives from some of the world's largest
companies met with White House officials Thursday to discuss ways to boost the
of the open-source software behind everything from consumer
to massive industrial systems.
The White House said that those who participated, which included representatives from the likes of
and Microsoft, had a "substantive and constructive" discussion. It added that talks will continue over the coming weeks.
The meeting came in the wake of last month's discovery of Log4j, a massive security flaw in the popular open-source Java-logging library Apache Log4j. If left unpatched or otherwise unfixed, the bug could be exploited by cyberattackers, posing risks for huge swaths of the internet.
Thursday's discussion focused on how to prevent security vulnerabilities in open-source software, as well as how to improve the process for finding and fixing bugs and how to speed up the patching process, the White House said.
Executives who attended the meeting called it valuable and pledged to work with the government to boost open-source software security.
"All types of software face threats from cybercriminals and malicious actors, and in many ways open source software, with its inherent transparency, can be more secure than proprietary software," Jamie Thomas, general manager for strategy and development for
Systems, said in a statement after attending the event.
Kent Walker, president for global affairs and chief legal officer for Google and Alphabet, said that given its importance, it's time to start thinking about digital infrastructure the same way we do our physical infrastructure.
"Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges," Walker said in a statement after the event.
Red Hat, one of the largest open-source software companies, sent a trio of executives to the meeting and released a statement afterward calling on both open-source and proprietary software makers to maintain greater visibility into their software, take responsibility for its life cycle and make security data publicly available.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, has said that the sheer scope of the Log4j issue, which affects tens of millions of internet-connected devices, makes it the most serious she's seen in her career.
As of Monday, no federal agencies had been compromised as a result of the bug and no major cyberattacks had been reported in the US. So far, most of the attempts to exploit the bug have been focused on low-level crypto mining or on drawing devices into botnets, according to Easterly.
The top White House officials in attendance Thursday were Chris Inglis, national cyber director, and Anne Neuberger, the deputy national security advisor for cyber and emerging technology. Federal outfits represented included the Department of Homeland Security, CISA and the Department of Defense.
Other tech companies participating included Akamai, the Apache Software Foundation, Cloudflare, Meta, GitHub, the Linux Foundation, the Open Source Security Foundation, Oracle, RedHat and VMWare.