The Government's Role in Maintaining Open-Source Security

Open-source software has become ubiquitous, powering many of the most critical infrastructure systems in the world, but its community-driven model presents a unique security risk. Because open-source projects are maintained by volunteers, they are often neglected and fall behind on security updates, which can have devastating consequences when critical infrastructure systems rely on vulnerable open-source components.

Varun Badhwar

In her paper Tragedy of the Digital Commons, Strauss Center scholar and lecturer Chinmayi Sharma shares the current state of affairs with open-source software and her thoughts on improving security. Here are some of the highlights.

Open-source software has the same issues as any other public good

The issues that open-source software has are a direct result of its status as a public good. Like other public goods, it is non-excludable by design, meaning anyone is entitled to use it. As a result, almost all companies use open-source software, and the ever-increasing number of applications they create experience the same security vulnerabilities.

Public goods are also non-rivalrous, meaning one party's use does not diminish anyone else's; in that sense they scale without limit. Open-source code is non-rivalrous in this sense, but because it must be maintained, it is only partially rivalrous. Sitting in the gray area between the two creates a unique problem — an unlimited number of people or organizations can use the code, but each of them is individually responsible for applying fixes after security incidents. It can take months or even years before a majority of users take the necessary action, leaving them at risk of attack.

Open-source's status as a public good also exposes it to the market failures that other public goods face. The most problematic is the free-rider problem: maintaining and securing open-source software has real costs, yet most users contribute nothing to the pot. If the software can be used for free, organizations have little incentive to spend any money on upkeep. The responsibility then falls to the public, which must rely on poorly distributed information about the security issues that need to be addressed.

So, what can be done to avoid these issues?

When a problem with a public good needs to be solved, responsibility is often shifted to the least-cost avoider, the party best equipped to solve it. In the case of open-source, that party is the developer. But shifting the cost and responsibility to someone who is not profiting from making the code available in the first place isn't likely to work.

Instead, Sharma suggests completely redesigning the existing software development lifecycle, emphasizing collaboration between developers, users, and the government. Until now, the government has just been playing a game of security-issue whack-a-mole, addressing issues as they pop up (and only some of them at that). This piecemeal approach often includes unenforceable solutions that only address the public sector, essentially leaving government agencies and the private sector to carry out business as usual.

The government needs to lead the way with a critical infrastructure designation

Designating open-source as critical infrastructure would give it the status it deserves, along with the requirements that come with that status: that the government address its shortcomings, both in the short and the long term. This designation would also send a strong message to developers and users of open-source that the issues it faces are ones of national importance. It would also help if the government took on the responsibility of coordinating the gathering and sharing of information, as well as the allocation of resources to promote public-private collaboration.

The government also has many other roles to play. The first is to act as a standards body, as it often does, recommending industry best practices for organizations across the board. As a consumer, it has the power to influence a company's willingness to improve the security of its products. It could also take on the role of supplier, filling in any security gaps that others are unable to take on.

Given the importance of open-source to our critical infrastructure, it is clear that the security of open-source projects is a matter of national security. If software vendors continue to free-ride, the public will continue to bear the costs of the negative externalities they create.

While the government has taken steps to improve open-source security, much more needs to be done to effectively ensure national security.