An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world.

While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it.

“What we’re seeing is years of lack of investment sustainment in open-source software that is finally starting to catch up to us, where it seems like every week there’s a new supply chain compromise,” said Jack Cable, who held a role at the Cybersecurity and Infrastructure Security Agency where he worked on open-source security before departing under Trump.

The advancements of frontier artificial intelligence models stand to exacerbate the risk further, while simultaneously illustrating what makes defending open source difficult: Project Glasswing said shortly after its announcement that it had uncovered 6,202 high- or critical-severity vulnerabilities in a scan of more than 1,000 open-source projects, but that it had disclosed only 502 of them to open-source project maintainers and only 75 had been patched as of May 22 (albeit some due to typical patching lagtimes).

At the same time, there are questions about how much the government can help, even as overseas governments seek to focus on open-source security.

The evolution of open-source risk 

There are a series of factors contributing to the current threat to open-source software, experts say.

One is simply that attackers go to the area where they can get the highest return on their work. Compromising open-source software gives them the chance to get into the supply chain and exploit additional targets.

“Twenty years ago, open source was still fairly niche,” said Æva Black, who also worked on open-source security at CISA but left when Trump came back into power. “The potential blast radius if you managed to compromise open source was relatively small, because back then the world didn’t run on open source. Now almost everything runs on open source,” she said, from modern cars to satellites.

Another part is the nature of open-source software itself.

“It’s a symptom [of having] lots of open source [that] is a little bit under-maintained or not cared for enough, so that we spend too little effort and money and infrastructure on them,” said Daniel Stenberg, who is the creator and maintainer of cURL, a popular open-source project. “Lots of open source is being maintained by small teams, lots of volunteers, and I think that that’s a tough situation.”

That doesn’t mean the maintainers are to blame, Stenberg said. The companies that rely on open-source need to be diligent about using it, Black said.

“What we’re seeing in that realm right now is not new; it is more advanced and far more widespread,” she said. “The problem remains that companies who use open source — because open source is by far the most efficient way to collaborate on non-product value features — most companies are not implementing a responsible and safe utilization pathway.”

Open-source projects lack a systematic way to handle coordinated vulnerability disclosures, unlike companies or industry groups with formal processes, said Dan Lorenc, CEO and co-founder of Chainguard. Project maintainers sometimes aren’t reachable, and those who are available are flooded with reports, many of them unverified findings from AI tools that waste their time without adding value..

Of course, some of those vulnerability reports turn out to be legitimate. “Mythos and AI models have contributed to an uptick in the number of vulnerabilities and things that we’re able to find” in open-source software, said Alex Zenla, chief technology officer for the cybersecurity company Edera.

All of that leaves more room for companies, non-profits and world governments to improve open-source security.

A moment of momentum

While open-source software security isn’t a new issue, the 2021 discovery of the Log4j flaw sounded alarms within the cybersecurity community. Jen Easterly, then the director of CISA, called it “one of the most serious I’ve seen in my entire career, if not the most serious,” with the potential to affect hundreds of millions of devices given the ubiquitous nature of the popular open-source logging library.

A year later, the Cyber Safety Review Board released its report on the incident, concluding that swift action from industry and government averted a disaster. But the incident “called attention to security risks unique to the thinly-resourced, volunteer-based open source community,” it wrote. “This community is not adequately resourced to ensure that code is developed pursuant to industry-recognized secure coding practices and audited by experts.”

The U.S. government actions after included some steps focused specifically on open-source software such as creation of the Open-Source Software Security Initiative and hires of well-regarded open-source security experts at CISA such as Black, but also some steps that could be applied more generally and still help with open-source security, such as greater promotion of secure-by-design, memory-safe languages and software bills of materials (SBOMs).

Some of the Biden administration work on open-source security started before Log4j, such as provisions from an executive order he issued in 2021 that directed CISA along with the Office of Management and Budget and General Services Administration to issue guidance to agencies. 

The administration’s 2023 cybersecurity strategy also stepped into the long, thorny discussions over software liability, with a mention of open-source security: “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.“ The Biden administration always indicated that addressing software liability would take a prolonged battle ahead.

Under Trump, many of the Biden administration’s efforts have languished. CISA’s splashy hires on open-source are gone, including Black, Tim Pepper and Anjana Rajan. Also departed are leading figures on secure-by-design and SBOMs, with CISA personnel cutbacks slicing deep. 

No one has seen any sign that the national cyber director-led Open-Source Software Security Initiative is active, with few participants remaining in government today. The Trump administration cyber strategy doesn’t mention open-source.

“The loss of open-source experts at CISA “is unfortunate, and it will be hard for the government to try to rebuild capacity, but I do think now more than ever CISA has a core role to play to secure open source software,” Cable said.

The pressure is mounting

It’s not that the issue is getting zero attention from those in a position to make a difference. Nick Andersen, the acting director of CISA, said last month that open-source security was an area of particular concern for him.

Andersen responded to concerns about CISA staffing levels on open-source security and spoke more broadly on the topic in a statement to CyberScoop.

“As artificial intelligence and other technologies have the power to transform how vulnerabilities are discovered and exploited, CISA recognizes that the open source software (OSS) that underpins much of the nation’s critical infrastructure will need to be hardened,” he said. “CISA actively collaborates with our partners on shared priorities, including OSS security, to ensure time and resources are spent where they matter the most.  We have an immensely talented team, but are also accelerating our hiring in critical areas, to strengthen the nation’s defenses against cyber threats.”

The Office of the National Cyber Director did not respond to requests for comment.

There’s been some activity on Capitol Hill, too. The Securing Open Source Software Act, which Cable worked on during a stint as a Senate staffer, would direct CISA and other agencies to take actions to mitigate open-source software security risks, but the legislation has stalled since its introduction in 2022. A portion of the bill, however, was included in the Department of Homeland Security funding law Trump signed in April, directing CISA to brief Congress on the value of establishing something like an open source program office, which some companies use to manage open source within a given firm.

Senate Intelligence Committee Chairman Tom Cotton, R-Ark., has pushed the executive branch to improve its awareness of foreign adversaries playing roles in open-source software used by national security-focused agencies.

The annual defense policy bill in the House calls on the Defense Department’s chief information officer to report to Congress on a plan to secure open-source software supply chains, saying lawmakers are “concerned that the Department lacks sufficient visibility into the origins, maintenance, and security of OSS applications and software dependencies.”

That defense authorization bill language is “really beneficial, and I think it signals acknowledgement of this changing of culture” around open-source security risks, said Hayden Smith, founder of HuntedLabs, whose company won a contract with the Space Development Agency on supply chain security — agency work that the defense bill singled out.

“The report language is the first time the Hill is trying to get a true handle on foreign influence in open source code where they have oversight,” he said, saying it was a “piece of the puzzle” along with Cotton’s letter and a memo from Secretary of Defense Pete Hegseth last year about foreign influence in the Pentagon supply chain. “It’s good and would trickle down into everyone who provides software to the department.”

Zenla, though, believes trying to isolate China from open-source systems isn’t in and of itself a good idea. 

“I don’t think that that makes a lot of sense, because they’re actually pretty good things that people contribute to open source,” she said. “Not everyone is malicious, and what are we going to do, spy on every single open source maintainer?” It’s more about doing things like making sure that highly-classified systems are set up in a separate way, she said.

Europe is also taking action to secure open-source software that the United States doesn’t seem ready or willing to do right now. Germany, for instance, devotes grants to the security of open-source projects, although Stenberg pointed out that sometimes money doesn’t equate to maintainers being able to fix flaws more quickly, depending on the project’s size.

The Cyber Resilience Act (CRA) adopted by the Council of the European Union in 2024 could offer another road on open-source security. The CRA requires those who use open-source software products as part of any commercial activity to take certain security measures. 

Black said that when she was at CISA, there were discussions between the agency and European counterparts about finding compatible ideas on open-source security, but that momentum died with the Trump administration.

But “Europe kept rolling, and now has in place a new legal framework that is set to really reshape open-source security for potentially the whole world, but certainly for anyone who wants to work with Europe on open source,” she said.

Lorenc recently wrote that “open source isn’t governable.” He said an organization like a neutral nonprofit, possibly using some government funding, should take responsibility for things like coordinating vulnerability disclosure into one pipeline. He also said there needs to be one authority in charge of “forking” — that is, taking a project and assigning stewardship elsewhere — when a maintainer isn’t responsive to vulnerabilities. 

There are differing opinions on how much past government warnings, advisories and guidance have helped. Smith gave some credit to government agencies that “have all responded to open source attacks using the means they have.”

Stenberg said that “I don’t think they make any big dent at all in the big scheme of things.” They might get some attention initially, “then two years later we all forgot about them, and they actually didn’t change much.”

Ideally, everyone could get on the same page, Zenla said. “The best way to do this is if people actually collaborated on a global scale on some sort of regulation around this, but that seems nearly impossible at the current moment,” she said. (The United Nations’ Open Source Week runs all this week.)

But if there’s an upside to the spate of attacks on open-source software, it’s the energy it gives to how better to secure it, Lorenc said, invoking the political saying to never let a good crisis go to waste.

“Everyone knows the industry has to change,” he said. “This is a really good crisis, and the right things are happening in the right places, and organizations are rethinking their culture around software development, and they know what they have to do. It’s just something that’s never been top of the priority list for the last 10 years. Now it is, and they’re doing it, and it’s, ‘Can we do it fast enough?’”

The post Open-source security is posing challenges governments can’t easily solve appeared first on CyberScoop.

Members of Congress responded with skepticism and caution Tuesday to the Trump administration’s decision to impose export controls on Anthropic’s newest AI models.

The Friday order, which Anthropic said forced it to disable its Fable 5 and Mythos 5 artificial intelligence models, was prompted by what the administration said were national security concerns that a large number of cybersecurity professionals have dismissed as ill-founded.

Several Hill Democrats told CyberScoop they were concerned that the administration’s decision was driven by other considerations. Notably, the administration has feuded with Anthropic over use of its models for domestic surveillance and fully autonomous weapons.

Sen. Angus King, a Maine independent who caucuses with Democrats, said he would need to be convinced it was a legitimate national security order and hadn’t yet seen a full justification.

“What they did was pretty extreme, and I’d want to see what the basis was, as opposed to all the other issues that are swirling around in cybersecurity,” he said. “I’m a little skeptical because of their otherwise announced antipathy to this company.”

Leaders of the House Homeland Security Committee had contrasting takes, with Chairman Andrew Garbarino, R-N.Y., offering a two-pronged response and the top Democrat on the panel, Bennie Thompson of Mississippi, panning the order.

“The administration is right to treat advanced AI cyber capabilities as a national security issue, especially when foreign adversaries and cybercriminals are actively looking for ways to weaponize these tools,” Garbarino said in a statement. “At the same time, we need to make sure our response does not unintentionally disadvantage American companies, allied partners, or critical infrastructure defenders who need access to the best secure tools available in order to protect our networks here at home.”

The United States, not China, needs to set standards for trusted AI, Garbarino said.

But Thompson said the order adds evidence to the appearance that the Trump administration doesn’t “have a coherent plan for mitigating the cybersecurity risks” of frontier AI models, he told CyberScoop in a statement.

“AI regulations should rely on standards and procedures that provide confidence to the public that decisions are based on the evidence and not on politics,” he said. “Instead, the Trump administration has adopted an ad hoc approach where decisions are made by political appointees in the White House rather than experts and where companies are left guessing on how to comply.”

Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee, had also previously highlighted the administration’s quarrel with Anthropic in response to the order in a statement to CyberScoop.

Behind the scenes, the administration and Anthropic were reportedly continuing to try to forge a truce Tuesday. More broadly, the administration’s AI executive order had a rocky rollout as the administration swung back-and-forth on how involved the government should be.

Some lawmakers deferred on commenting Tuesday, such as Senate Homeland Security Committee Chairman Rand Paul, R-Ky., who told CyberScoop he didn’t have anything to say on the order.

Others said they were still seeking information from the administration.

“I have not had the opportunity to get a brief specifically as to the logic, the reasoning behind it, and so forth,” said Sen. Mike Rounds, the South Dakota Republican who chairs the Armed Services Subcommittee on Cybersecurity. “So I’m going to withhold judgment until I get an opportunity to get the rest of the story, so to speak.”

The post Lawmakers leery about Trump administration’s Anthropic order appeared first on CyberScoop.

Congress extended a controversial surveillance law for 45 days on Thursday, hours before its latest expiration following an earlier extension.

The Senate passed — then the House cleared — a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless surveillance of foreign targets. But those targets are sometimes communicating electronically with Americans, and intelligence officials can search the database using their identifying information, which has long given privacy groups and privacy-minded lawmakers heartburn.

The 45-day reprieve gives lawmakers more time to hammer out a lasting deal, and comes after the leaders of the Senate Intelligence Committee agreed to send a letter to the Director of National Intelligence and attorney general, seeking swift declassification of a letter on a classified ruling from the Foreign Intelligence Surveillance Court.

Sen. Ron Wyden, D-Ore., had sought release of that opinion, and had resisted giving unanimous consent for the latest short-term extension to move forward until Senate Intelligence Chairman Tom Cotton, R-Ark., and top panel Democrat Mark Warner of Virginia agreed to send the letter.

A declassification review was already underway, but the Cotton-Warner letter states that “We expect that this declassification review will be completed and the FISC opinion released publicly within 15 days,” according to Wyden, speaking on the Senate floor.

The March 17 opinion reportedly came with annual recertification of the warrantless surveillance program. The Justice Department is appealing that ruling because it blocked them from using certain tools to analyze communications.

“A few weeks ago, the Foreign Intelligence Surveillance Court found major compliance problems related to the surveillance law known as section 702,” Wyden said earlier this month. “These compliance problems are directly related to Americans’ Constitutional rights.”

Senate Majority Leader John Thune, R-S.D., said the extension will give lawmakers additional room to hold “discussion on reforms.”

The House this week had passed a 3-year reauthorization with some changes to the surveillance program, but key to doing so was leadership’s agreement to attach legislative language on a separate matter that would ban a central bank digital currency. Thune had said that language was going nowhere in the Senate.

On Thursday, the House voted 261-111 to extend the law for 45 days. President Donald Trump has sought a “clean” 18-month reauthorization of the surveillance powers.

The extension continues a perennial ritual for the Hill when it comes to Section 702: A deadline looms, and Congress kicks the can down the road repeatedly.

The post Congress kicks the can down the road on surveillance law (again) appeared first on CyberScoop.

Congress is grappling with renewal of a surveillance law set to expire at the end of this month that critics say is a mystery on how much of a difference it has made for controversial government spying authorities — for better or worse.

The 2024 law reauthorized so-called Section 702 powers of the Foreign Intelligence Surveillance Act (FISA), which authorizes warrantless surveillance of electronic communications of foreign targets. Most controversially, the law allows U.S. officials to search (“query”) those communications databases using Americans’ personal information, as long as the American is  in contact with someone overseas, which raises significant privacy concerns.

Backers of the 2024 law, known as the Reforming Intelligence and Securing America Act (RISAA), point to 56 changes it made to deal with criticisms of Section 702, following a period where abuses came to light, including hundreds of thousands of improper searches. At the same time, the law made changes that some feared could actually expand Section 702 powers.

The House voted to extend the law as-is for 10 days early Friday. The Senate then did the same. The Trump administration has sought a 180-day “clean” reauthorization.

As Congress weighs potential extensions of the 2024 law without making changes to it, “I don’t think we know” what good has come of it, said Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty and national security program. By the same token, it’s difficult to know whether some of the expansion fears have come to fruition, she said: “We don’t have reliable information on this.”

Added Jake Laperruque of the Center for Democracy and Technology: “There’s a lot of black boxes here.”

Examining Past Changes

Both Goitein and Laperruque are skeptical of any positive change from RISAA, though, and have long advocated for a warrant requirement for U.S. person searches. Intelligence agencies have resisted that addition, claiming that it would dramatically slow down time-sensitive national security investigations.

By contrast, Glenn Gerstell, former general counsel at the National Security Agency, said RISAA constituted “the most significant set of reforms to the statute since its adoption in 2008.” and that “those reforms have had a dramatic effect.” 

One major point of dispute is to what degree the number of U.S. person searches dropped, particularly because of a conclusion in last year’s Justice Department inspector general report finding that an “advanced filtering tool generated queries that were not tracked by the FBI.” 

As the report outlines, an FBI system has an “‘advanced filter function’ that allows users to select a specific FBI casefile number or ‘facility’ (e.g., a phone number or email address), using a drop-down menu or search bar, to review communications with targeted facilities.

“This functionality enables users to select from lists of ‘participants’ in communication with targeted facilities and review communications of those participants.In or around August 2024,” the report continues. The National Security Division of the Justice Department “became aware of the participants filter function in [the system] and was concerned that searches conducted through use of the participants filter constituted separate queries that must satisfy the query standard and comply with all query procedural requirements.”

By the intelligence community’s count, the number of U.S. person searches has otherwise mostly declined even going back to before the 2024 law’s passage: 119,383 in 2022, 57,094 in 2023, 5,518 in 2024 and 7,413 in 2025.

“It is quite clear that the searches that were run using this filter function met the statutory definition of queries, and yet the FBI for some significant period of time decided to not count them as queries,” Goitein said.

Laperruque, deputy director of CDT’s security and surveillance project, said an audit mandate in the 2024 law was potentially useful, but hasn’t proven to be in reality.

“At least it should mean that it should help try to detect abuse if it is happening,” he said. “The problem there, though, is you’re still relying on the FBI to properly log all of its quarries and hand them over for DOJ to be checked, which hasn’t happened. You’re trusting DOJ and the executive to engage in self-policing, and that’s something where folks rightfully have a lot of skepticism based on how DOJ has conducted itself recently.”

Gerstell, a senior adviser at the Center for Strategic and International Studies, points to numerous reviews — including a staff report from the Privacy and Civil Liberties Oversight Board (PCLOB) — that indicate a drop in U.S. person searches. It’s the biggest change of RISAA, he said.

“The most significant one is a very substantial drop in the number of queries of the database for U.S. person information, which has been a big focus for privacy advocates, and there’s been a dramatic drop, so much so that both the Inspector General for the Department of Justice and the staff of the PCLOB have said, ‘I wonder if we’re overdoing it.’ … Every single one of them presents those numbers, without caveat.”

On the advanced filter function count, Gerstell acknowledged the ambiguity, but referred to reports that said, as he summarized, “If they had been considered queries, it appears that most would have been compliant anyway… because they were a subset of something that was already compliant. But we don’t know if any of them were noncompliant, and we don’t have the data.”

On the other side of the RISAA debate, critics argued that its revised definition of “electronic communications service provider” could dramatically expand surveillance to include businesses like coffee shops or landlords. The reported, but formally undisclosed, real target of the change was data centers.

“That was a pretty big expansion with a lot of potential abuse,” Laperruque said. But “we don’t really know much about how it’s changed” anything, he said.

Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee, sought to advance clarifying language about that subject after RISAA’s passage, and the Biden administration said it would confine the provision’s use to the kind of undisclosed businesses that prompted the provision in the first place. Laperreque noted that the Trump administration has made no such promises, and Warner’s clarifying language never became law.

The Foreign Intelligence Surveillance Court (FISC) has issued its annual opinion re-certifying the Section 702 program for another year. However, the court reportedly took issue with the program’s f filtering systems, saying that when such a system is used to look for information on Americans it must be counted as a query, subjecting it to additional restrictions. The Trump administration plans to appeal the ruling.

Other critiques of the 2024 law include that many of its biggest changes weren’t changes at all, but instead codifications of changes that then-FBI Director Christopher Wray had implemented. Abuses continued after those changes, Goitein said.

Gerstell said enshrining those changes into law wasn’t a bad thing. “The statute expressly codified some but not all of Wray reforms — and some went beyond that in many ways,” he said. Those changes included requiring FBI deputy director approval of U.S. person queries that target elected officials, government appointees, political candidates or organizations, or media. Those were some of the more criticized prior targeting abuses.

The fight still ahead

Republicans remain divided over extending the law. Some who had reservations about a clean reauthorization have come on board, such as Senate Judiciary Chairman Chuck Grassley, R-Iowa, who had taken issue with limitations on congressional attendance of FISC proceedings but since has had that concern resolved.

Others may have been swayed by direct lobbying from the Trump administration, including a social media post from Trump himself this week, where he wrote, “I am willing to risk the giving up of my Rights and Privileges as a Citizen for our Great Military and Country!” Still others have had their position against a clean extension hardened by the FISC court opinion and additional concerns.

Other issues have become enmeshed in the reauthorization debate, such as calls to block government agencies from purchasing information from data brokers. But “this has nothing to do with this authority,” said George Barnes, former deputy director of the NSA. 

But lawmakers of both parties have complained for months that the administration was silent for too long as the law’s expiration loomed.

Only recently did the Trump administration share new examples of the law’s successes, including that it had thwarted a 2024 terrorist attack on a Taylor Swift concert. Barnes said releasing such examples might offer a public case for the law, but has its downsides, too.

“I was always understanding but frustrated by the need to release examples just because they choreographed to the adversary what we could do,” said Barnes, now Red Cell’s cyber practice president. 

Reauthorizing Section 702 is urgent, though, for cybersecurity purposes, he said.

“A lot of the impact that I saw the authority having over my time was in cybersecurity as well,” he said. “And so when you have foreign entities that are targeting the U.S., or U.S. interests overseas, that authority can be positioned to help eliminate those activities.”

The post The surveillance law Congress can’t quit — and can’t explain appeared first on CyberScoop.