Research and reports


Feb 8, 2023

Avoiding the success trap: Toward policy for open-source software as infrastructure

By Stewart Scott, Sara Ann Brackett, Trey Herr, Maia Hamin with the Open Source Policy Network

Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social media, automation, all the rainbow flavors of e-commerce, and even secure communications and anti-censorship tools.


Issue Brief

Nov 22, 2022

The cases for using the SBOMs we build

By Amelie Koran, Wendy Nather, Stewart Scott, and Sara Ann Brackett

Software bills of materials (SBOMs) provide key data suit for many uses. Industry and government can continue to sharpen their demand signals, shape implementation, and continue driving development and adoption.

Cybersecurity Technology & Innovation

The Open-Source Policy Network

The Open-Source Policy Network (OSPN) is a collection of open-source software (OSS) developers, maintainers, and stakeholders convened by the Atlantic Council’s Cyber Statecraft Initiative to develop a community-led strategy and policy recommendations to improve the security and sustainability of OSS. The OSPN strives to natively integrate both policymakers and OSS practitioners in developing policy and shaping both public and private sector action toward the OSS ecosystem. The Council’s wider research on cybersecurity issues complements Network members and their collaboration to drive lasting and impactful change across OSS and the security of all digital systems.

Cyber Statecraft Initiative Newsletter

Sign up for the Cyber Statecraft Initiative newsletter to stay up to date on the program’s work.

  • This field is for validation purposes and should be left unchanged.

With generous support from

Core open-source concepts

The open-source ecosystem is a network of overlapping communities principally involved with developing, maintaining, and integrating OSS.

There are communities built around specific programming languages, some center on specific projects, some serve as simple ends like correctly adding characters to the left of a string or number, others provide word-processing programs, some are open cloud platforms. There are also open-source code compilers, web servers, media players, and so on.

The relationships between OSS projects and the larger software world are also complex and widely varying. A useful term here is “depth in stack,” referring to how deeply buried within an overall product or application OSS and other components can be.

For example, instead of purchasing Microsoft Word, one might download and use LibreOffice, an open-source word processor that provides largely the same functions as Word (standalone) vs a user in the simple act of watching a show on Netflix relies on an immense variety of OSS (buried).

This pattern holds across the ecosystem, where dependence is rarely obvious and easily identified when OSS components lie buried beneath indirect relationships and obscure references.

Even the common roles for a given open-source project are fluid—a developer might open-source one of their projects and act as its maintainer while they continue to contribute.

Down the line though, either from lost interest in the project or not enough time to dedicate to its maintenance, a developer might call in a well-known contributor as a maintainer, either transferring the project over entirely or creating a team of maintainers. Different communities rely on different governance models.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.