Log4J flaw causing Army to take second look at open source software
The Army has been watching the Log4j vulnerability closely as it looks to open source software as a way to cut licensing costs, Army CIO Raj Iyer said Thursday.
The Army already spends more than $2 billion a year on software licenses, and in a political environment where the department’s overall budget is likely to be cut, saving every dollar has become an imperative. Open source software is still an option, but more attention is needed on the provenance of code that the Army uses from the open source community, he said.
“We definitely are a believer in open source, but it means we have to put extra effort from a cybersecurity perspective,” Iyer said during AFCEA NOVA’s Army IT day.
The comments came as technology giants and federal agencies this morning met at the White House to discuss open-source software security in response to concerns over the widespread Log4j vulnerability.
Log4j is a widely used open source logging library for websites and other software. It was discovered in November that a vulnerability in it allowed attackers to remotely access networks through the software, causing concern across industry and government. Other government agencies have been watching it closely and urging both federal agencies and private sector companies to patch their systems.
Open source tools offer the Army the possibility of reducing the cost of its systems. To use them, though, Iyer wants a more robust governance process for how code is reviewed before it can touch Army technology. One of the biggest concerns is ensuring there is visibility into where the code comes from and that its origins are not in adversarial countries that could insert backdoors into software.
But if done right, Iyer sees an opportunity to reduce costs.
“It’s truly an imperative for me to bring down our bills,” he said.