Open-source software has served as an important catalyst for much of modern digital technology, scaling small innovations into widely used features in weeks instead of years. Yet the past few years have shown that open source is at risk. One of the most consequential cybersecurity incidents in recent memory, Log4j, involved the exploitation of a vulnerability in a critical open-source logging library used by millions of applications across the planet. This incident highlights the dichotomous relationship between society’s collective dependence on open-source code and the lack of investment in its security. To preserve the future of the software ecosystem, the United States and its partners and allies must expand existing cybersecurity policy efforts to better address and mitigate risk to open-source tools and core libraries.
Open-source software is software that is developed by “an interacting, self-governing group involved in creating innovation with members contributing toward a shared goal of developing.” This software is widely used and performs numerous functions critical to the health and operation of the internet. Sharing information and tools is common practice across open-source development. However, these efficiencies also create risk. The collaborative nature of open-source software is both a benefit and a drawback: open-source developers place their trust in the tools and code of others without the time or ability to verify that these resources are adequately secure. The success of open source is such that this risk management model is no longer commensurate with the risk borne by this code.