White House national security adviser Jake Sullivan has invited the CEOs of major software firms to discuss ways to improve software security following the emergence of a critical vulnerability that US officials have said could affect hundreds of millions of devices around the world, a senior Biden administration official told reporters Thursday.
The January discussion between tech executives and White House officials is needed because open-source software is widely used but is maintained by volunteers, making it “a key national security concern,” Sullivan said in a letter to tech firms, excerpts of which the White House shared with reporters.
Invitees include software development firms and cloud service providers, according to the White House. A National Security Council spokesperson declined to say which companies had been invited.
The letter follows the discovery this month of a vulnerability in software known as Log4j that organizations around the world use to log data in their applications.
Ransomware gangs and hackers linked with the governments of China, Iran, North Korea and Turkey have moved to exploit the flaw as tech firms and government agencies have raced to apply software patches.
The US Cybersecurity and Infrastructure Security Agency, which has said that hundreds of millions of devices could be exposed to the vulnerability, issued an “emergency directive” on December 17 ordering federal civilian agencies to update their systems.
An agency spokesperson told CNN on Thursday that there is no indication that any agency has been hacked using the vulnerability in Log4j.
While no US agencies have confirmed a breach via the vulnerability, the Belgian Defense Ministry told local media outlets this week that it had shut down parts of its computer network in response to a hack using the flaw.
Cybersecurity executives have called the vulnerability one of the most critical software bugs in years and warned that it could take weeks or months to fully assess the impact.
While the world’s richest companies rely on it, the Log4j software is maintained by a group of volunteers at the nonprofit Apache Software Foundation, who have worked long hours to address the flaw.
The vulnerability in Log4j “will define computing as we know it, separating those that put in the effort to protect themselves and those comfortable being negligent,” said Amit Yoran, the CEO of the Maryland-based security firm Tenable.
It’s precisely that dearth of investment in critical software that the White House wants to address.
President Joe Biden in May issued an executive order that requires software the government buys to meet a minimum set of security standards. The goal is to use the federal government’s buying power to trigger more demand for secure software development in the private sector, too.
The new letter from Sullivan is not the first time that the Biden administration has used the bully pulpit of the White House to prod tech firms into taking action on pressing cybersecurity issues.
Biden called cybersecurity a “core national security challenge” in an August meeting with the executives of Microsoft, JPMorgan and other major US firms. Google and Microsoft pledged to invest billions of dollars in cybersecurity initiatives in announcements paired with that White House meeting.