The UK organisation for the business of Open Technology

The Open Source Software (OSS) community faces a pressing need for enhanced security measures, with recent global momentum recognising the urgency of addressing key issues. A sustainable approach is deemed essential, advocating for a fair distribution of responsibilities and accountability. Dr Rumbul highlights the strain on unpaid maintainers, emphasising the impact of elite decision-making on OSS communities. While regulatory efforts are underway in the EU, UK and USA, the lack of expertise in Open Source development among regulators is a noted challenge. She suggests that non-profit OSS foundations, like the Rust Foundation, uniquely positioned to understand community needs, should play a central role in directing and funding security initiatives collaboratively. Sustainable funding, possibly through fees imposed on organisations benefiting from OSS, is identified as a crucial step towards valuing and compensating OSS work as a core public service.

THOUGHT LEADERSHIP: A VIEW ON SUSTAINABLE SECURITY FROM THE RUST FOUNDATION
Dr Rebecca Rumbul, Executive Director & CEO, Rust Foundation

Security in the Open Source Software space has never been more prominent than it is today. While the world has suffered numerous serious security issues over the past 20 years, real global and cross sectoral momentum to solve key security issues has only gathered pace over the past year or two.

This momentum prompts the need for a considered and sustainable approach to achieving common security goals that allocates obligations, responsibilities, and accountability appropriately. This means identifying what work is being done, by whom, and how that work is directed and remunerated. It also means investing in changing that process. Anyone even tangentially associated with Open Source Software development knows that unpaid maintainers often bear the brunt of elite decision-making, which can result in disillusioned, overworked and under-compensated communities of developers that have neither the time nor the inclination to undertake the substantial work demanded of them.

Moves to regulate the security of the software supply chain are currently underway in the EU, UK and USA, and there is general agreement that this is a positive driver for improvement. Regulators are not, however, experts in Open Source development. The majority of regulators have little knowledge or expertise in how or where to plug the existing gaps, nor a clear strategy of how to fund this vital work.

Corporate organisations have long engaged with governments and influenced regulators, and these actors will have a necessary and valuable impact upon regulation development. The corporate voice alone cannot, however, be relied upon to ensure that security regulation or practice is fit for purpose, as business interests will always take priority over the interests of the common good. Corporate approaches to security also cannot be relied upon to benefit the digital commons as a byproduct of securing their own activities. It is clear to see across multiple spheres of private sector activity, from health provision to data connectivity infrastructure, that corporate interests inevitably leave significant gaps that either remain neglected or are filled by unpaid or underfunded interest groups. If there is genuine commitment across the stakeholder spectrum to improve supply chain security, a reliance on corporate actors alone to do this will not yield the results desired.

The actors that can implement meaningful beneficial impact are critical to consider in how a global approach to securing the digital world is built. Who can advocate for that common good? Who can identify the key issues and gaps? Who can mobilise to build solutions? And who can do this in a neutral and sustainable way that balances the needs of the myriad stakeholders in this space? OSS foundations, like the Rust Foundation, are the only actors that can take on this role. This is because these non-profit organisations are constituted to support the common good in OSS ecosystems. They are close to, and often run by, maintainer communities, so they know exactly where the issues exist. They are supported by corporate bodies, so they understand too the needs of end users and product developers. They are ultimately neutral, not for profit, able to take a balanced approach that prioritises the wider benefit, and critically, they are able to do this work collaboratively in the open. Security work funded by stakeholders and managed by relevant foundations is the best option.

Funding this activity sustainably will be one of the biggest challenges. For too long, too many organisations have taken advantage of free Open Source code without giving anything back. While a number of tech organisations are hugely supportive of OSS work, there are thousands more that are net beneficiaries. Until the work conducted by the OSS community is valued as a core public service, and funded as such, it cannot be expected to be responsible for propping up government systems or multinational technologies. Just as companies in the UK processing personal data are required to register and pay a fee to the regulator, so should organisations using Open Source code in their products be required to do something similar. Such fees could be used to sustainably fund OSS security activities run through OSS foundations.

Meaningful and impactful improvements can be achieved in OSS security engineering and development across ecosystems, if the work is directed by non-profit foundations and financially supported by a plurality of public and private bodies. In this way, all stakeholders can be engaged without holding a monopoly, maintainers can be fairly compensated, and the benefit will be felt by all.

View all Thought Leadership