Sen. Cotton urges top White House cyber official to protect open-source software

Sen. Tom Cotton, R-Ark., arrives for the Senate Armed Services Committee hearing in the Dirksen Senate Office Building on Thursday, December 11, 2025. Bill Clark/CQ-Roll Call, Inc via Getty Images
A letter from the chairman of the Senate Intelligence Committee cites previous Nextgov/FCW reporting about a potential Russian backdoor into a Defense Department software suite.
The chairman of the Senate Intelligence Committee asked National Cyber Director Sean Cairncross in a Wednesday letter to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies.
Sen. Tom Cotton, R-Ark., said he remains concerned about instances of open-source tools that received contributions from foreign adversaries like China and Russia.
Open-source projects — free software builds available for download online — largely rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers.
Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.
“[Open-source software] is the backbone of U.S. government systems, including mission-critical defense systems, where we reap the numerous benefits of OSS to innovate, develop, and deploy technology quickly,” Cotton wrote.
The letter cited previous Nextgov/FCW reporting that revealed a Russia-based Yandex employee as the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built Defense Department software packages.
Nextgov/FCW has asked the Office of the National Cyber Director for comment.
In July, Secretary of Defense Pete Hegseth signed a memorandum directing the Defense Department to “not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the department.”
Chinese, Russian and North Korean-affiliated hackers are covertly working to insert backdoors and exploits into major publicly available software used by countless organizations, developers and governments around the world, according to findings from Strider Technologies released earlier this year.