Research and reports
The Open-Source Policy Network
The Open-Source Policy Network (OSPN) is a collection of open-source software (OSS) developers, maintainers, and stakeholders convened by the Atlantic Council’s Cyber Statecraft Initiative to develop a community-led strategy and policy recommendations to improve the security and sustainability of OSS. The OSPN strives to natively integrate both policymakers and OSS practitioners in developing policy and shaping both public and private sector action toward the OSS ecosystem. The Council’s wider research on cybersecurity issues complements Network members and their collaboration to drive lasting and impactful change across OSS and the security of all digital systems.
Cyber Statecraft Initiative Newsletter
Sign up for the Cyber Statecraft Initiative newsletter to stay up to date on the program’s work.
With generous support from
Core open-source concepts
The open-source ecosystem is a network of overlapping communities principally involved with developing, maintaining, and integrating OSS.
There are communities built around specific programming languages, some center on specific projects, some serve as simple ends like correctly adding characters to the left of a string or number, others provide word-processing programs, some are open cloud platforms. There are also open-source code compilers, web servers, media players, and so on.
The relationships between OSS projects and the larger software world are also complex and widely varying. A useful term here is “depth in stack,” referring to how deeply buried within an overall product or application OSS and other components can be.
For example, instead of purchasing Microsoft Word, one might download and use LibreOffice, an open-source word processor that provides largely the same functions as Word (standalone) vs a user in the simple act of watching a show on Netflix relies on an immense variety of OSS (buried).
This pattern holds across the ecosystem, where dependence is rarely obvious and easily identified when OSS components lie buried beneath indirect relationships and obscure references.
Even the common roles for a given open-source project are fluid—a developer might open-source one of their projects and act as its maintainer while they continue to contribute.
Down the line though, either from lost interest in the project or not enough time to dedicate to its maintenance, a developer might call in a well-known contributor as a maintainer, either transferring the project over entirely or creating a team of maintainers. Different communities rely on different governance models.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.