CISA chief frets about open-source vulnerabilities, delayed security improvements | CyberScoop<\/title> <meta name=\"description\" content=\"Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some \u201chard decisions\u201d amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA chief frets about open-source vulnerabilities, delayed security improvements\"> <meta property=\"og:description\" content=\"Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some \u201chard decisions\u201d amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-05-21T17:05:40+00:00\"> <meta property=\"article:modified_time\" content=\"2026-05-21T17:05:43+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1778005960g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89119\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89119\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89119 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.337719298246\">\n<div class=\"single-article__header-content\" readability=\"34.226600985222\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/\"> <span>Technology<\/span> <\/a> <\/li>\n<\/ul>\n<p> Acting director Nick Andersen\u2019s comments came as a wave of malware attacks hit tech that\u2019s publicly available for collaboration. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/89119\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> (Tom Williams\/CQ-Roll Call, Inc via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"27.260409315455\"><body readability=\"56.60667752443\"><\/p>\n<p>Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some \u201chard decisions\u201d amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday.<\/p>\n<p>\u201cThe open-source community is one that I\u2019m particularly worried about when we start to think about rapid escalation of vulnerability discovery,\u201d acting director Nick Andersen said, referencing <a href=\"https:\/\/www.explainxkcd.com\/wiki\/index.php\/2347:_Dependency\">a cartoon<\/a> about how key technologies that underpin the internet are often maintained by a single person. <\/p>\n<p>In <a href=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/\">one recent attack<\/a>, a hacker hijacked an account of a single open-source project maintainer to publish malicious updates for axios, popular with software developers, raising the potential for attacks that could spread more widely. TeamPCP, a suspected North Korean hacking group, has been on a <a href=\"https:\/\/cyberscoop.com\/mini-shai-hulud-malware-npm-packages-compromised-again\/\">sweeping spree<\/a> of <a href=\"https:\/\/cyberscoop.com\/github-internal-repositories-vs-code-extension-attack\/\">open-source attacks<\/a>.<\/p>\n<p>\u201cThere\u2019s tremendous opportunity here to re-architect areas \u2026 to make investments in areas where we know that we\u2019ve been lacking, and to just force some hard security decisions to be made\u2026 where people thought that their risk profile was different than what it is,\u201d Andersen said. \u201cWe see the escalation in terms of speed, scale and velocity of vulnerability discovery to weaponization and exploitation.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CISA has been working with industry and others \u201cto modify our approach to vulnerability management, modify our approach to coordinated vulnerability disclosure, modify our approach to remediation, with the explicit understanding that we\u2019re just not going to be able to keep up using traditional mechanisms,\u201d Andersen said, speaking at the National Cyber Innovation Forum in Washington, D.C.<\/p>\n<p>The government and private sector can work together to identify the biggest threats and then give them the right level of attention, he said. On the federal government side, that means working to get a full picture of the extent of reliance on open-source technologies.<\/p>\n<p>Overall, the United States has put off too many necessary security improvements, Andersen said.<\/p>\n<p>\u201cWhether you look at the private sector or you look at our governments and public sector networks and systems that we\u2019re supporting, there\u2019s just a tremendous amount of technical debt that\u2019s out there,\u201d he said. We\u2019ve not made the right level of investment required in order to be able to readily secure ourselves for the future.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA chief frets about open-source vulnerabilities, delayed security improvements |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,117,2560,1073,6697,310],"tags":[454,119,2576,1076,6698,311],"class_list":["post-8671","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-government","category-nick-andersen","category-open-source","category-teampcp","category-technology","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-government","tag-nick-andersen","tag-open-source","tag-teampcp","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nick-andersen\/\" rel=\"category tag\">Nick Andersen<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/teampcp\/\" rel=\"category tag\">TeamPCP<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8671"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8671\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8671,"date":"2026-05-21T12:05:40","date_gmt":"2026-05-21T17:05:40","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89119"},"modified":"2026-05-21T12:05:40","modified_gmt":"2026-05-21T17:05:40","slug":"cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/05\/21\/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements\/","title":{"rendered":"CISA chief frets about open-source vulnerabilities, delayed security improvements"},"content":{"rendered":"