Apple, Amazon, IBM to discuss open software security at White House

Posted in General Discussion, edited January 2022
Executives from technology firms including Apple are to attend a White House cybersecurity meeting on Thursday, following multiple attacks on the US that exploited open-source software.
Thursday January 13's meeting has been prompted specifically by the discovery of a vulnerability in the open-source Log4j software, which is used internationally for logging of data in applications. White House National Security Advisor Jake Sullivan wrote to Big Tech CEOs in December, saying such open-source software is a "key national security concern."

The meeting with deputy national security advisor Anne Neuberger will discuss how the security of open-source software can be improved, according to a report by Reuters on Thursday morning. Alongside Apple, Amazon, and IBM, it is expected to include executives from Microsoft, Meta, Oracle, and agencies such as the Department of Defense.

This discussion also comes after incidents including the 2021 SolarWinds hack, which accessed government emails and phones. It also follows the breach of the US Treasury Department in 2020.

It's not clear which representatives from the companies will be participating in the meeting. The meeting is also expected to be virtual.

Read on AppleInsider

Comments

  • Reply 1 of 7
    crowley Posts: 10,453 member
    It seems a bit suspect to invite vendors with major vested interests in their own proprietary software to an event to discuss improvements to open source software.  Especially when no representatives from organisations with greater stature in the open source community are mentioned.  No one from Apache or Red Hat?
    byronl
  • Reply 2 of 7
    crowley said:
    It seems a bit suspect to invite vendors with major vested interests in their own proprietary software to an event to discuss improvements to open source software.  Especially when no representatives from organisations with greater stature in the open source community are mentioned.  No one from Apache or Red Hat?
    IBM owns Red Hat so they are included. 
    byronl
  • Reply 3 of 7
    crowley Posts: 10,453 member
    crowley said:
    It seems a bit suspect to invite vendors with major vested interests in their own proprietary software to an event to discuss improvements to open source software.  Especially when no representatives from organisations with greater stature in the open source community are mentioned.  No one from Apache or Red Hat?
    IBM owns Red Hat so they are included. 
    Good point!  Forgot about that  :s
    byronl
  • Reply 4 of 7
    rob53 Posts: 3,241 member
    crowley said:
    crowley said:
    It seems a bit suspect to invite vendors with major vested interests in their own proprietary software to an event to discuss improvements to open source software.  Especially when no representatives from organisations with greater stature in the open source community are mentioned.  No one from Apache or Red Hat?
    IBM owns Red Hat so they are included. 
    Good point!  Forgot about that  :s
    And we trust IBM for what reason?

    Software security has been an ongoing activity for decades. Securing open source software generally has been a group effort performed by programmers who actually care about security instead of making money selling PPI and advertising. Inviting many of the listed companies is a joke because they really don’t care about securing anything. DoD is there because every US government agency ends up using security configurations they (slowly) develop. US government computer users gave up trying to stop malware years ago, they (we) simply worked on mitigating the issues after they happened. It’s like the fire department. Wait for a fire and be ready to put it out quickly because there’s no way to stop every fire before it happens. There will always be people writing software that attacks computer systems just like there will always be people who break the law. Neither will ever be completely stopped. 
    byronl
  • Reply 5 of 7
    larryjw Posts: 1,031 member
    Linux is open source and is ubiquitous. What about the Apache server. Everyone uses it. 

    Java is open source. Oracle now owns it but also supports the open source version. 

    There isn’t much of anything that doesn’t contain or use open source software somewhere in its stack. 

    Who is missing from this list? I’d guess likely FSF and Apache representatives and academics and professionals that the ACM and IEEE might send. And heavyweights like Linus Torvalds and Tim Berners-Lee. 

    NASEM (National Academy of Science, Engineering, and Medicine) has often produced excellent policy and product in a short time; I’d like to see something from them. However, this organization seems to be a creature of Congress, though established by Abraham Lincoln.

    In general, I wouldn’t expect anything to come out of this meeting directly. Maybe they’ll learn how ubiquitous and foundational open source is. 
    edited January 2022
  • Reply 6 of 7
    rob53 said:
    crowley said:
    crowley said:
    It seems a bit suspect to invite vendors with major vested interests in their own proprietary software to an event to discuss improvements to open source software.  Especially when no representatives from organisations with greater stature in the open source community are mentioned.  No one from Apache or Red Hat?
    IBM owns Red Hat so they are included. 
    Good point!  Forgot about that  :s
    And we trust IBM for what reason?

    Software security has been an ongoing activity for decades. Securing open source software generally has been a group effort performed by programmers who actually care about security instead of making money selling PPI and advertising. Inviting many of the listed companies is a joke because they really don’t care about securing anything. DoD is there because every US government agency ends up using security configurations they (slowly) develop. US government computer users gave up trying to stop malware years ago, they (we) simply worked on mitigating the issues after they happened. It’s like the fire department. Wait for a fire and be ready to put it out quickly because there’s no way to stop every fire before it happens. There will always be people writing software that attacks computer systems just like there will always be people who break the law. Neither will ever be completely stopped. 
    You have misunderstood the conversation. It was about the involvement of a company (Red Hat) and the answer is that they are involved by virtue of being part of IBM. At no point did Crowley or I comment on IBM's credibility in the situation. 
    williamlondon
  • Reply 7 of 7
    dewme Posts: 5,335 member
    larryjw said:
    Linux is open source and is ubiquitous. What about the Apache server. Everyone uses it. 

    Java is open source. Oracle now owns it but also supports the open source version. 

    There isn’t much of anything that doesn’t contain or use open source software somewhere in its stack. 

    Who is missing from this list? I’d guess likely FSF and Apache representatives and academics and professionals that the ACM and IEEE might send. And heavyweights like Linus Torvalds and Tim Berners-Lee. 

    NASEM (National Academy of Science, Engineering, and Medicine) has often produced excellent policy and product in a short time; I’d like to see something from them. However, this organization seems to be a creature of Congress, though established by Abraham Lincoln.

    In general, I wouldn’t expect anything to come out of this meeting directly. Maybe they’ll learn how ubiquitous and foundational open source is. 

    I totally understand your line of questioning. It also seems more than strange that you wouldn't have representation from some of the key technical players on the government side, especially NIST, CISA, and ICS-CERT, just to name a few, because they are all in the business of pushing standardization and cooperation for cybersecurity between industry and government stakeholders. Cherry-picking a few high-profile tech companies who are very keen on proprietary solutions that enrich their own bottom line and scoring points for rubbing elbows with the top layer of the executive branch seems rather narrow-minded.

    The last thing we need is another channel being spun up to allow the government to influence private industry ... when we already have several channels that have been in place for several years to address the same exact set of issues that this new WH-driven forum is trying to address. It's like having a toolbox full of tools ready and waiting for the exact kinds of problems this get-together is intended to address, but ignoring them all and going out and buying a new tool instead.

    Personally, I also think it's a bad idea for the executive branch to have direct involvement with a select set of industry players other than informal information gathering. It's not because of politics, but because it is inherently political in terms of regimes, administrations, and appointees, which means it can simply go away when there is a change at the top. If the current administration worked with non-appointed career civil service professionals whose lives revolve around these same topics, I think you'd have a higher probability of the work and directives surviving changes to administrations, and of things that get started under one administration possibly finishing under a later administration.

    My hope is that this is just a photo op and the people who will drive the actions that come out of it will be those whose careers are all about getting real work done, ideally at a standardization level that everyone, including those who were not invited to this soiree, will be expected to follow. 
    edited January 2022