Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some “hard decisions” amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday.

“The open-source community is one that I’m particularly worried about when we start to think about rapid escalation of vulnerability discovery,” acting director Nick Andersen said, referencing a cartoon about how key technologies that underpin the internet are often maintained by a single person.

In one recent attack, a hacker hijacked the account of a single open-source project maintainer to publish malicious updates for axios, a library popular with software developers, raising the potential for attacks that could spread more widely. TeamPCP, a suspected North Korean hacking group, has been on a sweeping spree of open-source attacks.

“There’s tremendous opportunity here to re-architect areas … to make investments in areas where we know that we’ve been lacking, and to just force some hard security decisions to be made … where people thought that their risk profile was different than what it is,” Andersen said. “We see the escalation in terms of speed, scale and velocity of vulnerability discovery to weaponization and exploitation.”

CISA has been working with industry and others “to modify our approach to vulnerability management, modify our approach to coordinated vulnerability disclosure, modify our approach to remediation, with the explicit understanding that we’re just not going to be able to keep up using traditional mechanisms,” Andersen said, speaking at the National Cyber Innovation Forum in Washington, D.C.

The government and private sector can work together to identify the biggest threats and then give them the right level of attention, he said. On the federal government side, that means working to get a full picture of the extent of reliance on open-source technologies.

Overall, the United States has put off too many necessary security improvements, Andersen said.

“Whether you look at the private sector or you look at our governments and public sector networks and systems that we’re supporting, there’s just a tremendous amount of technical debt that’s out there,” he said. “We’ve not made the right level of investment required in order to be able to readily secure ourselves for the future.”

The post “CISA chief frets about open-source vulnerabilities, delayed security improvements” appeared first on CyberScoop.