Is it time for open source to be treated as a public good?
Open source is everywhere, including critical infrastructure. Should governments be playing more of a role in its governance?
Open source software is widely regarded as a good thing. It helps spread successful ideas quickly, drives adherence to open standards, reduces licensing costs and lock-in, and provides a springboard for innovation.
Even those who disagree that it's necessarily a good thing can't deny its profound influence. Nowadays, every substantial piece of software contains open source components. Why reinvent the wheel after all?
But the very success of the open source model has magnified some of the contradictions and imbalances embedded within it. There are the licensing battles where projects accuse the cloud giants of ripping off their work without giving enough back.
And there are the small projects with a handful of contributors that nevertheless experience massive adoption because they fill a necessary niche or improve upon some other widely used component. Which is all well and good until a security hole is discovered, as occurred with Log4J recently, when everyone suddenly wishes, too late, that they had contributed more to its testing, or had run more stringent checks on their own software that uses the component before deploying it. (To be clear, the same problems exist in proprietary software too, and indeed they can be more serious because of the lack of visibility into the code.)
A recent development has seen developers sabotaging their own work in an effort to get wealthy corporations who benefit from it to contribute more.
"In terms of improving code quality, open source already benefits from the many reviewers looking at the biggest projects for potential issues," says Paul Baird, chief technical security officer UK at Qualys.
"The issues come up around smaller projects that are still vital as components for larger applications, where they may not get the same amount of attention over time. Log4J is a perfect example of this in action."
With governments on both sides of the Atlantic saying end user organisations and software suppliers alike need to do more to manage their cyber resilience and the software supply chain, is it time that open source software was treated more like a public good?
Should open source security be treated as a public good like roads?
Yes, says Amanda Brock, CEO at OpenUK.
"There is no escaping that our IT today is software defined, and the backbone of global and increasingly IT infrastructure," she says, pointing to the energy sector.
Brock is an adviser to the Energy Digitalisation Taskforce (EDiT) commissioned by government, Ofgem and Innovate UK. EDiT's report Delivering a Digitalised Energy System recommends establishing a digital delivery body to develop core public interest assets quickly and independently of vested interests, and says that open source software should form the backbone of the energy sector's digital infrastructure.
As part of a more coordinated approach, Brock recommends the government open an Open Source Program Office (OSPO), which the Linux Foundation describes as "a designated place where open source is supported, nurtured, shared, explained and grown inside a company".
"We must collaboratively consider open technology - not just open source software but also hardware and opening up data - being funded by global governments on a go-forward basis, building an appropriate structure or body to manage that for the UK based on the societal benefits it brings," she says.
Max Schulze, executive chairman, Sustainable Digital Infrastructure Alliance, would also welcome a bigger role for governments, and says they should be looking at how they can benefit from greater investment.
He comments that digital flag bearers like Uber and Airbnb are really assemblers of globally available components, many maintained by non-profit foundations such as Apache.
"It's safe to say that the majority of the digital economy exists only because the technology is open source," Schulze says.
"It's probably the largest source of collective equity in technology that exists. Governments who are investing in this equity create more economic opportunities for their own technology companies while giving rise to a global digital economy."
Also in agreement is Robert Carolina, senior fellow, Information Security Group at Royal Holloway, University of London, who said it's time to realise that times have changed.
"Historically, open source, like some public goods, has been funded and encouraged by individual philanthropists, ad hoc groups of public-spirited citizens, or voluntary contributors, and today it is indeed appropriate for the state to step up."
Carolina is an advocate for using software bills of materials (SBOMs) to allow software users to better evaluate risk. An SBOM is a formal record of the details and supply chain relationships of the various components used in building a piece of software. Their use is also being emphasised by the US government in the wake of the devastating SolarWinds attack.
A study by software company Argon Security found that software supply chain attacks more than tripled in 2021 compared to 2020, with attackers exploiting vulnerabilities such as Log4Shell and also compromising pipeline tools.
"We should expect this trend to accelerate in the frequency and sophistication of supply chain attacks," the report warns.
Is there a danger of too much prescriptive officialdom in open source software?
But could too much interference kill the goose that lays the golden eggs? It's certainly possible that the approach could backfire, cautions Carolina.
"There are always dangers that overly prescriptive cyber security regulation can stifle innovation. This can, in some cases, degrade cyber security, especially over time as the surrounding technological environment continues to evolve.
"The trick will be to draw the right balance between defining governing principles that help to reduce vulnerabilities in open source, and over-regulating in a manner that jeopardises the health and future of open source."
Government involvement needs to occur in a bottom-up fashion, says Brock.
"Officialdom's contribution will work best if it flows into open tech through the community-accepted and community-generated norms and good governance."
She adds: "The best approaches to solve the [security and support] problem are those based on the open model - more collaboration is needed to connect the right people to make things happen. This should include more support from big tech and from governments around the world, so that the open technology and IT sectors can continue to do what they do best."
However, Schulze goes one step further - open source communities are an exemplar of good democratic practice that could teach governments a thing or two.
"Open source has given birth to the majority of technology we use today - from the internet itself, the web server, machine learning, virtualisation, and much, much more," he says.
"It's very mature, incredibly democratic and truly open - everyone can contribute, everyone has a say while using the community to make decisions together.
"I personally believe that the governance of open source communities and the internet as a whole can actually serve as a role model for governments."