The U.S. government is “still in the process of organizing and coordinating” its own strategy around the use of open source software, according to a CISA official.
Governments across the world recognize the importance of using open source software to drive innovation and are increasingly working to implement policies that will further promote the use of this publicly accessible code in their own digital services, experts and a U.S. government official said during an event hosted by the Center for Strategic and International Studies think tank on Tuesday.
The discussion was held to mark the findings of a new CSIS report, released on Monday, which found that governments across the globe have implemented at least “669 open source policy initiatives between 1999 and 2022.” The report said that the majority of identified policies “convey the government’s support” for open source software, including statements of interest, the creation of government-sponsored programs to examine the adoption of this software and conferences surrounding the use of open source code.
The U.S. government and others view open source software—blocks of code that are publicly accessible for anyone to use—as vital in the development of new services, systems and technologies. And the use of open source code has become ubiquitous in the tech sector in recent years, with a report released last year by software firm Synopsys finding that 97% of examined software codebases used open source code.
Allan Friedman, a senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency who gave keynote remarks during Tuesday’s event, said the government “is still in the process of organizing and coordinating our strategy” when it comes to open source software. He added that a lot of this ongoing work is being led by the Office of the National Cyber Director, which is pulling together subject matter experts from agencies such as CISA, the Federal Trade Commission and the National Institute of Standards and Technology to “make sure we have a big tent.”
“Some of the great work that's happened is tracking visibility across the U.S. government and promoting specialized but very important advances, such as memory safety,” Friedman said. “And CISA is, of course, working on our own strategy, figuring out how we partner with the leading large companies, but also acknowledging that that's not the entire open source world. The open source world is full of global efforts.”
Eugenia Lostri—a fellow in technology policy and law at Lawfare and the lead author of the CSIS report—said the review found that governments viewed modernization, security, transparency, cost, sovereignty and support for industry as top-of-mind issues when outlining their related policy objectives, with a particular focus on examining how open source software could enhance domestic services and industry.
“In many cases, we see governments thinking of open source software as a way to advance their own tech sovereignty and autonomy, and maybe stopping them from being dependent on third-country technology,” Lostri said. “And there are many regions in which this is actually a top priority that is always mentioned.”
While open source code can provide the building blocks for countries to enhance their own tech sectors and services, the evolving nature of software makes it difficult for government-led policies to establish a direct path forward solely through legislation or regulations. Instead, many of the policies identified in the CSIS report focused on issues surrounding research and development, as well as procurement, in the context of “trying to transition from proprietary software to [open source software].”
And when it comes to some ongoing concerns about the use of open source software, such as those related to security, Friedman cautioned that “we should expect it to get worse before it gets better.”
“Greater visibility into different types of risks means that we're going to see more risks,” Friedman added. “That doesn't mean the problem is getting worse. That means that we are in a better position to understand what the risks are, and how we collectively can deal with them.”