No doubt by now you’ve heard about the Obama Administration’s newly announced Cybersecurity National Action Plan (CNAP). You can read more about it on CIO.com here and here.
But what you may not know is that the White House is actively working with the Linux and open source community for CNAP. In a blog post Jim Zemlin, the executive director of the Linux Foundation said, “In the proposal, the White House announced collaboration with The Linux Foundation’s Core Infrastructure Initiative (CII) to better secure Internet ‘utilities’ such as open-source software, protocols and standards.”
To learn more about the collaboration between the White House and The Linux Foundation I reached out to Zemlin. Here is an edited version of the email interview.
CII is still in the early phase of conceptualization. Has any major progress been made after LinuxCon?
CII has made tons of progress. We will be launching our BadgeApp in the coming months, but we are developing the criteria with an open source process at https://github.com/linuxfoundation/cii-best-practices-badge. We also continue to work on the census at https://github.com/linuxfoundation/cii-census and with our grant recipients. For example, CII recently funded a collaboration of SSH vendors to accelerate the deprecation of the obsolete v1 of their protocol. We also sponsored a reproducible builds summit to improve the deployment of replicable build services in open source infrastructure.
I attended the CII announcement at LinuxCon and saw involvement by different players from the market — from Microsoft to Bloomberg. What is the organizational structure of CII?
Emily Ratliff is our senior director of infrastructure security at Linux Foundation and is dedicated to the work of the Core Infrastructure Initiative. She works with the steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. (The board of security experts on the home page is pretty amazing: https://www.coreinfrastructure.org/) We will be announcing a new CTO shortly who will oversee CII and other security initiatives at Linux Foundation.
What are the core/key components of “Cyber Security,” as identified by the administration, that are open source?
Whether the federal applications are closed source or open source (for example, Oracle vs. MySQL), many of the technologies used to secure them are open source. Most two-factor authentication systems, many firewalls, VPNs, intrusion detection and other systems are either partially or entirely open source. For example, Heartbleed was so serious because OpenSSL is deployed on nearly all network hardware, as well as most operating systems and programming languages.
The Linux Foundation has been supporting many critical projects. Can you tell us about some of them?
One of the critical security components on the Internet is time. The ability to have reliable time servers is essential for secure communications and encryption, and NTP is the standard used worldwide. While NTP is essential for securing every Internet server, router and smartphone, the maintainer of the widely deployed ntpd open source project everyone uses was earning less than $25,000 per year for his efforts. The OpenSSL project, which enables the ubiquitous lock in the location bar of web browsers by encrypting data, has in the past received about $2,000 per year in donations. The author of OpenSSH, an open source project universally used by administrators to securely connect to their servers, has been working part-time jobs. CII is providing funding to these and other developers to invest the appropriate time into projects that have global security impact. CII has also begun to transition from just “fighting fires” to authoring “building codes” that will help secure communications systematically.
Every time governments come closer to technology there are fears of backdoors. How do you ensure that there won’t be any government sneaking of code?
All the work that CII sponsors results in open source code, where any and all potential users can review the output of this work.
How exactly is The Linux Foundation involved with this and how will the U.S. government assist the foundation?
The Core Infrastructure Initiative is a collaborative project of the Linux Foundation, just like Node.js or Hyperledger. We bring together industry, community, and now government participants to collaborate to improve open source security.
The Linux Foundation is in ongoing discussions with the White House about how best to work together. We are encouraged by its inclusion of CII in its Cybersecurity National Action Plan. We would like to significantly expand this effort by incorporating major companies from industries beyond technology. All companies depend on open source software to function, as it represents the infrastructure of the Internet and of nearly all modern software development.