Google has called on the US government to take a more proactive role in identifying and protecting open-source projects that are critical to internet security. In a blog post the company published following the White House’s Log4j vulnerability summit on Thursday, Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, said the country needs a public-private partnership that will work to properly fund and staff the most essential open-source projects.
“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems,” he said. “But in fact, while some projects do have many eyes on them, others have few or none at all.”
According to Walker, the partnership would look at the influence and importance of a project to determine how critical it is to the wider ecosystem. Looking to the future, he says the industry needs new ways to identify software that may, down the line, pose a systemic risk to internet security.
Walker said there’s also a need for more public and private funding, noting Google is ready to contribute to an organization that matches volunteers from companies like itself to critical projects that need the most support. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” he said.
The importance of open-source software has been widely discussed since the discovery of the Log4Shell vulnerability. Log4j is one of the most popular and widely used logging libraries, with services like Steam and iCloud depending on it. Security researcher Marcus Hutchins, who helped stop the spread of WannaCry, called the vulnerability “extremely bad” because it left millions of applications open to attack.