The White House is to host a meeting with tech executives over cyber-security in January, amidst an escalation in disruptive cyber-attacks over the past year.
White House national security adviser Jake Sullivan wrote to the chief executives of tech companies inviting them to the event, following the appearance of a critical vulnerability in Log4j, a widely-used software component.
In the letter, excerpts of which were shared with the press, Sullivan said open source software, which is critical to computing infrastructure but is maintained by volunteers, has become “a key national security concern”.
The White House said software companies and cloud services providers were invited, without naming the firms.
“The SolarWinds and Hafnium incidents serve as recent reminders that strategic adversaries actively exploit vulnerabilities for malicious purposes,” Sullivan wrote in the letter.
The attack on software maker SolarWinds, discovered a year ago, gave attackers access to its many customers, including US government departments, while the cyber-gang Hafnium used a flaw in Microsoft’s email server software to attack more than 20,000 organisations.
The SolarWinds attack has been blamed on the Russian government, while Hafnium has alleged ties to the Chinese government.
The deputy national security advisor for cyber & emerging technology, Anne Neuberger, is to host a one-day discussion in January with company officials responsible for security and open source projects, the White House said.
Amidst the escalation in cyber-attacks, the administration in May issued an executive order creating a review board and new software standards for government agencies.
The order aims to set minimum security standards for software used by the government, and in turn to spur investment in security.
President Joe Biden called cyber-security a “core national security challenge” at an August meeting with the executives of Microsoft, JPMorgan and other major US firms. At the time Google and Microsoft said they would invest billions of dollars in cyber-security initiatives.
The US Cybersecurity and Infrastructure Security Agency on 17 December issued an “emergency directive” ordering federal civilian agencies to update their systems to patch the Log4j vulnerability, which is known as Log4Shell.
The bug affects hundreds of millions of internet-connected devices, with computer security firm Mandiant calling it “one of the most pervasive security vulnerabilities that organizations have had to deal with over the past decade”.
“Log4j is ubiquitous and used by applications and systems deployed across organizations of all sizes,” the company wrote in an advisory earlier this month.
“Organisations are struggling to assess the scope and impact of the exposure, given it is not obvious which applications and systems even use Log4j.
“Software vendors are actively determining whether their software uses Log4j and are communicating the impact to their customers.”
Mandiant said organisations should monitor for the availability of security patches and apply them “as quickly as possible”.