Top executives from some of the world’s largest tech companies met with White House officials Thursday to discuss ways to boost the security of the open-source software behind everything from consumer gadgets to massive industrial systems.
The White House said that those who participated, which included representatives from the likes of Apple, Google and Microsoft, had a “substantive and constructive” discussion. It added that talks will continue over the coming weeks.
The meeting came in the wake of last month’s discovery of, a massive security flaw in the popular open-source Java-logging library Apache Log4j. If left unpatched or otherwise unfixed, the bug could be exploited by cyber attackers, posing risks for huge swaths of the internet.
Thursday’s discussion focused on how to prevent security vulnerabilities in open-source software, as well as how to improve the process for finding and fixing bugs and how to speed up the patching process, the White House said.
Executives who attended the meeting called it valuable and pledged to work with the government to boost open-source software security.
“All types of software face threats from cybercriminals and malicious actors, and in many ways open source software, with its inherent transparency, can be more secure than proprietary software,” Jamie Thomas, general manager for strategy and development for IBM Systems, said in a statement after attending the event.
Kent Walker, president for global affairs and chief legal officer for Google and Alphabet, said that given its importance, it’s time to start thinking about digital infrastructure the same way we do our physical infrastructure.
“Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Walker said in a statement after the event.
Red Hat, one of the largest open-source software companies, sent a trio of executives to the meeting and released a statement afterwards calling on both open-source and proprietary software makers to maintain greater visibility into their software, take responsibility for its life cycle and make security data publicly available.
, director of the Cybersecurity and Infrastructure Security Agency, has said that the sheer scope of Log4j, which affects tens-of million of internet-connected devices, makes it the most serious she’s seen in her career.
As of Monday, no federal agencies had been compromised as a result of the bug and no major cyberattacks had been reported in the US. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, according to Easterly.
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger and National Cyber Director Chris Inglis were the top White House officials in attendance Thursday, while several other federal agencies including the Department of Homeland Security, CISA and the Department of Defense also attended.
Other tech companies participating included Akamai, Apache Software Foundation, Cloudflare, Meta, GitHub, the Linux Foundation, the Open Source Security Foundation, Oracle, RedHat and VMWare.