from the still-milking-log4j-for-politics dept.
The Atlantic Council has published a policy report entitled "Avoiding the success trap: Toward policy for open-source software as infrastructure". It addresses the idea of Open Source Software (OSS) as essential infrastructure. OSS differs from physical infrastructure yet supports critical functions, provides dependable services, offers subtle and often unseen service delivery, and functions through decentralized control.
This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.
[...] None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possible only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.
So it seems that the establishment continues to turn its jaundiced eye towards software development.
Previously:
(2023) Opinion: FOSS Could be an Unintended Victim of EU Security Crusade
(2022) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone
(2022) Open Source Community Sets Out Path to Secure Software
Related Stories
Open source community sets out path to secure software:
The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.
[...] OpenSSF executive director Brian Behlendorf added: "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."
The 10-point plan, which can be read in full on OpenSSF's website, is as follows:
- To deliver baseline secure software development education and certification;
- To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
- To accelerate the adoption of digital signatures on OSS releases;
- To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
- To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
- To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
- To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
- To coordinate industry-wide data sharing to improve how the community goes about determining what the most-critical OSS components actually are;
- To improve the adoption of software bill of materials (SBOM) tooling and training;
- And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.
Commenting on the plan, Mike Hanley, chief security officer (CSO) at GitHub, said: "Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain.
Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone:
With deep sadness, EFF mourns the loss of our friend, the technologist, activist, and cybersecurity expert Peter Eckersley. Peter worked at EFF for a dozen years and was EFF's Chief Computer Scientist for many of those. Peter was a tremendous force in making the internet a safer place. He was recently diagnosed with colon cancer and passed away suddenly on Friday.
The impact of Peter's work on encrypting the web cannot be overstated. The fact that transport layer encryption on the web is so ubiquitous that it's nearly invisible is thanks to the work Peter began. [...]
While encrypting the web would have been enough, Peter played a central role in many groundbreaking projects to create free, open source tools that protect the privacy of users' internet experience by encrypting communications between web servers and users. Peter's work at EFF included privacy and security projects such as Panopticlick, HTTPS Everywhere, Switzerland, Certbot, Privacy Badger, and the SSL Observatory.
His most ambitious project was probably Let's Encrypt, the free and automated certificate authority, which entered public beta in 2015. [...]
By 2017 it had issued 100 million certificates; by 2021, about 90% of all web page visits use HTTPS. As of today it has issued over a billion certificates to over 280 million websites.
[...] Peter left EFF in 2018 to focus on studying and calling attention to the malicious use of artificial intelligence and machine learning. He founded AI Objectives Institute, a collaboration between major technology companies, civil society, and academia, to ensure that AI is designed and used to benefit humanity.
FOSS could be an unintended victim of EU security crusade:
Opinion: The European Union has a commendable love for the safety of its citizens. Armed with the keys to a market of 300 million of the world's richest consumers, the EU has merely to scent danger to bravely regulate. Food, consumer goods, financial markets and data processing: if it can bite the punter, the EU has a legal muzzle to hand.
[...] The EU has now turned its attention to cybersecurity and more especially the lack thereof. It's certainly dangerous enough to merit attention. A proposed Cyber Resilience Act (CRA) making its way through Brussels says that for "products with digital elements" to be allowed on the EU market, manufacturers have to demonstrate they follow best practice in four areas. These are improving the security of a product through the whole life cycle, following a coherent cybersecurity framework to measure compliance, demonstrating transparency about cybersecurity efforts, and lastly making sure customers can use products securely.
Which sounds fair enough, considering some of the horrors visited upon us in the past – and today. Cheap "smart" electronics running out-of-date Android that nobody's patched since Noah? Phones studded with "I bring you the best wishes of the People's Liberation Army" mystery-meat bloatware? Big name, big ticket office software that keeps making headlines for all the wrong reasons? Who could argue with bringing these into line?
There are just two questions that need to be answered: will the proposed regulations do the job they set out to do, and what effect will they have on the market? Here, it's not so much the devil in the details as the entire population of all seven layers of Dante's Inferno.
(Score: 3, Interesting) by bloodnok on Saturday February 11, @10:08PM (4 children)
The comment seems to imply that there is something to be dismayed about in this report but I fail to see it. Please enlighten me.
The major
(Score: 2) by Mojibake Tengu on Sunday February 12, @12:28AM (3 children)
"The Atlantic Council..." is like a neon sign on a sex shop. Says everything.
So, the report itself is conveying an elitist lament overflowing with veiled sentiments "We failed to hold tight grip on whole industry segment so the technology is now leaking here and there and everywhere even to adversaries without monetization. What a tremendous loss of money and power! We need to reinvent something to govern it back under control!".
That's why "success is a trap" by them.
They only realized their former conceptual error made of greed. Just ignore them. They are not humans anyway. Not in the sense of human morality. They are heading to irrelevance and they know it.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 2, Interesting) by Anonymous Coward on Sunday February 12, @01:08AM (2 children)
> They are heading to irrelevance and they know it.
Did you look at the board and advisors to the Atlantic Council? A list is here,
https://en.wikipedia.org/wiki/Atlantic_Council#Leadership [wikipedia.org]
Dozens of heavy hitters from international finance, military, gov't, academia, media, philanthropy (big old money) and other think tanks--all with wikipedia pages about them. In general, it looks like they are from both major parties, but most all could probably be called "centrist". And all meeting to discuss matters of interest on a regular basis. If they are "heading to irrelevance", it won't be any time soon.
I read the intro to the main article linked in tfa and what it looks like to me is that they got caught off guard. Someone finally noticed that the software running things was mostly OSS of one kind or another.
(Score: 3, Interesting) by Anonymous Coward on Sunday February 12, @03:00AM (1 child)
I thought about this a little more. The kind of soft power at the Atlantic Council looks pretty scary. But since they are just learning about the software community they may still be malleable? What if someone put a bug in their ear about systemd and how it messes up Linux for the community? And how the strength of Linux and the Unix way is historically based on many small, easily debugged modules.
These people at the Atlantic Council are the sorts that could call up their friends at the top of IBM and say something like, tell your Red Hat bunch to stop this crap with systemd. We don't think it's a good idea to turn Linux into another monolithic system like Windows.
A little way into the linked article, it mentions a survey they ran, and this appendix describes it: https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/#appendix [atlanticcouncil.org]
Only 46 responses, but they charged ahead and based this initial briefing on OSS on them anyway. These are people that want to dig, it's time to start feeding them some data.
(Score: 3, Informative) by canopic jug on Sunday February 12, @04:03AM
Only 46 responses, but they charged ahead and based this initial briefing on OSS on them anyway.
It's almost like they wanted to be able to say they sought, and got, input without actually having done so.
Money is not free speech. Elections should not be auctions.