House Panel Advances Bills to Boost CISA’s Oversight of Open Source Software, Cyber Training

Lawmakers on a key House panel advanced two bipartisan cybersecurity measures during a markup on Wednesday to reduce the security risk posed by the federal government’s use of open source code and address cyber workforce shortages across the Department of Homeland Security.

In a unanimous voice vote, the House Homeland Security Committee favorably passed legislation that would require the Cybersecurity and Infrastructure Security Agency to develop a framework for strengthening the security of open source software used by federal agencies, as well as hire and further engage with open source security experts.

The bill, introduced on Monday by Rep. Mark Green, R-Tenn.—who chairs the panel—is the House companion to legislation introduced earlier this year by Sens. Gary Peters, D-Mich., and Josh Hawley, R-Mo. That bill passed the Senate Homeland Security Committee—which Peters chairs—at the end of March and was placed on the Senate legislative calendar on Tuesday. 

Lawmakers noted that the bicameral effort to strengthen open source software security across the federal government is largely in response to vulnerabilities discovered in 2021 in Log4j, a popular open-source logging library that is utilized by a wide range of consumer and enterprise products. CISA Director Jen Easterly has called the Log4j security flaw “the most serious vulnerability that I’ve seen in my decades-long career,” and Iranian hackers previously exploited the flaw to install cryptocurrency mining software on a federal agency’s network. 

During the committee markup, Green called open source software “the bedrock of our digital ecosystem” and noted that “virtually every computer relies on it, and it is an inextricable and valuable part of our digital infrastructure.”

“The collaborative nature of open source software offers tremendous opportunity for innovation and economic growth, but it comes with a unique set of security challenges as highlighted by the Log4j vulnerability response,” he added.

Rep. Eric Swalwell, D-Calif., who is one of the bill’s co-sponsors, said that the legislation “represents that we believe the federal government—as we face persistent threats from Russia, China, independent cyber actors—must lead by example in the way that we close any vulnerabilities.”

“To date, we have not yet developed a formalized framework for evaluating the security of open source software components,” he added. “This bill does just that.”

Lawmakers on the panel also favorably passed legislation sponsored by Rep. Sheila Jackson Lee, D-Texas, designed to help DHS address departmentwide shortages in its cyber workforce. The bill would direct CISA to establish an on-the-job cybersecurity training program to provide DHS employees who are not in cyber roles with the technical skills needed to fill such positions, as well as empower the DHS undersecretary for management to recruit and identify employees for participation in the program.

Rep. Bennie Thompson, D-Miss.—the panel’s ranking member—spoke in favor of the bill on Lee’s behalf and said that it would “help enhance efforts to get current DHS personnel trained to fill cybersecurity vacancies.” He cited, in part, a report on the state of the federal cyber workforce released last October by a federal working group that identified “more than 700,000 cyber jobs to fill nationwide and nearly 40,000 in the public sector as of April 2022.” 

“One important aspect of a broader federal cybersecurity workforce development strategy must be to utilize the talent we already have in the federal government, whether or not they have cybersecurity in their current job description,” Thompson added. “Many DHS components, not just CISA, have cybersecurity responsibilities as part of their mission. Developing their employees' cybersecurity skills will enhance cyber defense capabilities across the department by filling vacancies and strengthening the workforce.”

Rep. Andrew Garbarino, R-N.Y.—who chairs the panel’s Cybersecurity and Infrastructure Protection Subcommittee—also clarified that CISA already has the authority to do this type of cyber training for its own employees, but that the bill would give the agency “the authority to do it for other employees of other agencies under the department.” 

“This would allow someone from FEMA or somewhere else to move over if they wanted to learn the skills,” he added, noting that the federal shortage of cyber professionals necessitates the need to ensure that CISA and DHS as a whole have the workforce they need to mitigate cyber risks to critical infrastructure services. 

Rep. Seth Magaziner, D-R.I., also noted that, because the committee unanimously voted “for another good piece of legislation that asked CISA to perform a number of cybersecurity-related duties when it comes to open source software,” it would be “hypocritical of us on the one hand to say, ‘we want CISA to do all these things,’ and then, on the other hand, not advance legislation to help give them the staffing to actually fulfill that mission.” 

The committee also approved three other bipartisan proposals during the markup, including legislation to prohibit DHS from purchasing drones manufactured by adversarial nations, to streamline the authorization process for first responders to acquire innovative technologies and to extend the authorization for the DHS Countering Weapons of Mass Destruction Office.