Open source software is the foundation for much of the technology that serves as a backbone of our world. Open source refers to software that is made freely available for anyone to access, modify, utilize and redistribute. Providing the foundation for 96% of the world’s software, open source software is a public good enabling a software ecosystem that includes the open source community, federal government, critical infrastructure, private industry and civil society to innovate, collaborate and develop at speed.
We can only fully realize the benefits of open source software when everyone – including the federal government – plays their part in supporting the ecosystem. The federal government is one of the largest users of open source software in the world, and we must do our part to help secure it. This requires wide-scale efforts to help uplift the level of security in the open source ecosystem.
Such instances of once-in-a-generation government investment are not unprecedented. In 1956, President Eisenhower signed the Federal Aid Highway Act of 1956 into law, authorizing $25 billion to build 41,000 miles of highways over a decade. In the decades following the legislation, the investment yielded profound dividends for the United States: one report found that every $1 spent returned more than $6 in economic productivity. Further, the highway system has led to dramatic safety improvements, with the fatality rate of the highway system significantly lower than that of the average road, and nearly one-tenth of the national fatality rate in 1956.
While the scale of investment in the highway system may be different than what’s needed with our digital infrastructure, the first step is understanding what kinds of investment need to be made. What might a potential digital public works program for open source software infrastructure look like? Perhaps it would include rewriting critical open source components in memory-safe languages, ensuring that security is a core part of all software development education, or helping build sustainable governance models in open source communities. We want to hear from you about which areas should be prioritized for fostering greater open source software security.
Securing open source software is critical for achieving a software ecosystem that exemplifies Secure by Design principles. We envision an ecosystem in which creating secure open source code and regularly assessing the security of existing open source code is the norm rather than an added burden. As part of this, software manufacturers that consume open source software should contribute back to the security of the open source software they depend upon.