The recent discovery of a vulnerability in Apache log4j, a widely used open source software tool, has highlighted a significant security issue in our digital world. Open source software (software that can be used, modified, and shared by the public) provides common programming elements that underpin much critical software, in both the public and private sectors.
Open source software has been an incredible democratizing and innovative force for the digital world. However, its widespread adoption means that security issues can have real consequences when so many of the most popular apps and websites depend on it. This isn’t just a problem for tech companies and their users. It is also a matter of national security. The prevalence of open source means its security is critical to our infrastructure, putting much of the internet and millions of citizens at risk of attack.
We’ve had security issues with open source software every two years, including the Heartbleed bug in 2014 and the npm Left-Pad vulnerability in 2016. According to the Cybersecurity and Infrastructure Security Agency, in 2020 two of the most common IT vulnerabilities exploited were open source related.
One of the main reasons for these vulnerabilities is that popular open source software such as log4j is often maintained by volunteers who may not have sufficient resources to prioritize security. But these volunteers are not to blame. What appears to be an esoteric technical issue is actually a funding and sustainability issue for the entire digital ecosystem. While some open source projects are supported by corporations and nonprofits, other pieces of code are maintained and published by people struggling to monetize their work. The open-source security problem is, at its core, a tragedy of the commons. When the underlying health of our digital infrastructure is not strong, the whole system suffers.
In the field of health, it is widely accepted that preventive care is considerably cheaper and more effective than treatment. We should take the same view towards open source software platforms and invest in proactive work to prevent the next log4j crisis. The long-term solution is to foster an open source software ecosystem that is not only secure, innovative, and open, but also sustainable.
Part of the solution is to get ambitious and innovative ideas from the open source community to improve sustainability. At Schmidt Futures, we launched the Virtual open source software incubator, a platform where engineers and innovators can exchange information about what they’re working on, so groups like ours can come together to support big ideas.
The federal government can also play a role by investing more resources to support free software. Spending even a small fraction of the $9.8 billion allocated for civil cybersecurity programs in the administration’s 2022 budget request could make a huge difference.
Congress should create a Center for Open Source Software Security, which would identify and catalog critical software in need of assistance and fund critical open source software security enhancements. More generally, the federal government could establish offices in all agencies to support open source software and encourage government-wide use, building on existing programs such as code.gov. We hope the recent White House meeting on open source software will encourage initiatives that not only focus on security, but also improve sustainability.
Let’s seize the opportunity presented by the most recent security issue and commit to identifying and supporting innovative ideas that will strengthen the open source software ecosystem.
Mr. Schmidt is co-founder of Schmidt Futures. He was CEO of Google from 2001 to 2011 and executive chairman of Google and its successor, Alphabet Inc., 2011–17. Mr. Long is the founding research director of the Plaintext Group, a technology policy initiative at Schmidt Futures. Ashwin Ramaswami contributed to this article.
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.
Appeared in the print edition of January 28, 2022.