Fostering Open Source Software Security

Executive Summary 

Open source software (OSS) is the backbone and driver of digitization across sectors worldwide. This makes OSS a cornerstone of every society and economy, including the core of national security concerns. Therefore, governments have a vested interest in OSS security. At the same time, governments, as large users of OSS, bear some of the responsibility for supporting the OSS ecosystem. 

To assume responsibility, governments must understand the existing OSS communities and the culture surrounding OSS. Governments will be able to effectively foster OSS security only if they work with the ecosystem stakeholders. Doing so requires governments to adhere to guidelines such as respect, cooperation, collaboration and sincerity. In addition, governments must identify their own role(s) in consultation with the OSS ecosystem. Governments can serve as internal coordinators, role models, supporters and regulators. The role of internal coordinator requires governments to be more transparent and systematic in their own use of OSS. In particular, they should take stock of what is being used, where exactly the components are being used and how they are used. As role models, governments engage with OSS, adhering to best practices in the ecosystem and encouraging other governments and stakeholders to do so. As supporters, governments actively engage with the OSS ecosystem, mobilizing and channeling resources into it through various means. Governments use their regulatory powers to create a legal framework that reflects the characteristics of the OSS ecosystem. They can mix and match from different roles and shift between them as they gain more experience, trust and credibility in the OSS ecosystem. 

Taken together, these roles and guidelines provide an ideational framework for government action in the OSS ecosystem. However, to operationalize this framework, a government actor that is equipped with the necessary authority, resources and expertise must be identified or created. This task should ideally be taken over by an Open Source Program Office (OSPO). Mobilizing resources such as funds, capabilities and credibility, a Cybersecurity OSPO—either standalone or as part of a larger OSPO—can implement, coordinate and facilitate policy interventions for the shared goal of improving OSS security across the ecosystem. 

It is important that governments understand their responsibility and allocate resources for a more secure OSS ecosystem in a community-sensitive, structured and sustainable manner. This paper offers a blueprint for how governments can do this and where to start.