OpenUK’s State of Open reports began in 2021¹ and have taken a both well-received and ground-breaking approach to reporting, pushing boundaries further each year in the pursuit of quantifiable knowledge about open source software and by building an evidence based approach. This year we are again refining our process further. We start the process with this overview of 2022 (with the odd peek into Q1 of 2023) as Phase One of this year’s report.

We will build Phases Two in June and Phase Three in September from a survey in May, designed to obtain the base data required to update the economic impact of open source software in the UK. From this we may also build a view of possibilities for the future development of this.

My key take-aways from the information OpenUK shares in this Report is that the UK sits at the number one position in Europe in terms of GitHub accounts. This has become the traditional – if fallible – measure of open source software developers, referred to as “developer accounts”. Having established that the UK is Number One in Europe and Number Five globally in terms of these developer accounts, as of October 2022². By January 2023 the number of accounts goes over three million.

This means that the UK starts 2023, with 4.5% of the UK population holding a GitHub account – higher per capita than any other country in the world. This figure substantiates our view of the UK as a global leader in open source software through contribution and number of developers.

1. https://openuk.uk/stateofopen
2. https://octoverse.github.com/2022/global-tech-talent

This concept of leadership through contribution will also be considered and this and the contribution to the ecosystem, digital public good and paying maintainers will be considered across the phases of this year’s report alongside the economics of Open Source Software.

Our first annual State of Open Con took place in the Queen Elizabeth Conference Centre in February. The outputs of this conference will also form part of our 2023 reporting. We intend to build a distinct document around the business of open source software, as well as our State of Open Reports including case studies from UK based businesses in Phase Two and onwards. All phases will include Thought Leadership.

You will not have escaped the hype around AI, what with the onslaught of Generative AI and Chat GPT related data crossing our inboxes and the UK’s draft AI Bill. These will inspire an AI focus to Phase Two, taking a detailed review of the impact of AI on Open Source and Open Source on AI.

The ongoing discussion of security in a digital world at a policy level will provide focus for a Phase Three in the early autumn. Our UK Consultation on Security comes to an end on 1 May and the consultation itself indicates a more appropriate approach to security and open source software than Europe’s disastrous Cyber Resilience Act. The global landscape is critical and a greater consideration of the US approach “In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation” whilst touched on in this Phase One, will also be included in future phases.
All of the work across our Phases in 2023 will demonstrate the place of the UK as a global power in Open Source Software technology, its leadership in Europe and the economic impact this has on the UK economy.

Our Survey will hit your inboxes in May and we very much need your input into this to allow for this economic analysis.

The Austrian economist Joseph Schumpeter coined the phrase ‘Creative Destruction’ in 1942³ to describe the impact of innovations in capitalist economies. While his views have been much debated, they have been hugely influential on free-market economists and economies globally.

Creative destruction is a provocative term for the idea that in free markets, creativity and innovation lead to new products, services, business models, processes, even views and opinions that ‘destroy’ existing ways of doing things, replacing them with new, improved and often very different alternatives. Schumpeter rightly identified entrepreneurs as drivers of innovation – individuals who spot market opportunities and go on to exploit these through technical, organisational, and other innovations.

Since 1942 our world has changed in unimaginable ways, often driven by innovations that have simultaneous positive and negative impacts. The birth of online streaming services, led by Netflix have, on the one hand expanded the range of onscreen entertainment for billions while, on the other, contributed to the demise of video rental stores and challenged the programming structure of publicly funded providers including the BBC. Likewise, e-commerce giants Amazon have expanded consumer choice and convenience while also being responsible for the closure of local independent shops, making many UK highstreets into ‘ghost towns’.

Away from these well documented examples of the mixed effects of creative destruction, there are multiple instances of innovations delivering numerous benefits for individuals, communities, and societies by improving their health, education, and wellbeing; ultimately enhancing their standard of living. The potential for innovations to be a force for good – to address climate challenges, improve food security, reverse the loss of biodiversity, and many more complex, difficult but very real problems, is enormous.

With the improvements that technological and digital innovations have made to the opening of data, software, and coding, this potential is a real and present opportunity in which entrepreneurs globally are fully engaging to address inequalities, exclusion, poverty, and problems and challenges that have endured for decades, if not centuries.

What distinguishes the innovations created through access to open technology is that they are driven by and achieved through collaborations at all levels: regional, national, and global.

The combination of an abundance of pressing problems, open technologies, and individuals, communities and organisations with an entrepreneurial mindset focused on discovering innovative solutions through collaboration, through the building of innovation and entrepreneurial ecosystems and clusters, and the open sharing of knowledge, data, expertise, contacts, R & D, and other resources essential for innovation for good, has the very real potential to drive transformational, life changing, lifesaving changes.

A superb example of this is the Mojaloop payment platform, spun out of the Gates Foundation allow payment infrastructure to be created in emerging markets whilst the local communities engage in learning how to contribute. Not simply providing a resource but providing skills for the future.

On the open data front, HUB Ocean, an independent, non-profit, non-compete foundation that provides a partner community by developing a ground-breaking data platform, applications, and tools to pilot new approaches to ocean governance. Their mission is, ‘To change the fate of the ocean by unleashing the power of data, technology and collaboration’. HUB Ocean has joined the World Economic Forum’s C4IR Network (Centre for the Fourth Industrial Revolution) and their vision is to become the world’s data collaboration hub. They seek to unlock the power of data, collaboration, and technology by facilitating collaborations between scientists, governments and industries and catalysing innovation through open access to combined data across all sectors made available on their Ocean Data Platform⁴ which makes it possible (and easy) to share, collect, store and work with ocean data. Another example is provided by the recently launched Gender Index⁵ – a live, interactive tool that maps every single active UK company (totalling 4.4 million) in every county, region, Local Economic Partnership, and local authority in real-time. Providing free, open access to data on gender, regions, sectors and investment, it is a ground breaking, first-of-its-kind platform which provides data (concrete evidence) that highlights women’s’ under representation in entrepreneurship and is providing practitioners, policy makers and academics with access to evidence to help them better understand the composition of the UK’s business base and inform policies, interventions and actions that can growth women’s’ participation in business ownership.

Like OpenUK, these and other examples of open source software and open data platforms and the sharing of and free access to open source software, open data, and open hardware, are reliant on collaboration and community and are case studies of the innovations made possible when we collaborate together within and across entrepreneurial ecosystems.

By putting in place the necessary legislation and regulations to support these types of innovative collaborations, and by educating governments, markets, organisations, scientists and communities about the multiplier and synergistic benefits of open technologies, creative destruction as a force for good can grow and prosper.

Understanding the nuances of entrepreneurship and business growth in this ecosystem is a dark art, and one which is not yet well documented or built into the curriculum despite the increasing growth of open source software to a point of normalisation and the use of open data becoming increasingly prevalent across our services today.

With this in mind The University of Strathclyde has supported OpenUK’s State of Open Con 23 in hosting an Entrepreneurship room engaging with founders of open source software businesses and will be building a MOOC, “The Business of Open Source” by OpenUK in association with The University of Strathclyde.

4. https://www.hubocean.earth/platform
5. https://www.thegenderindex.co.uk/

The Open Technology economic flywheel is also increasingly obvious globally.

I would argue that we couldn’t see the explosive growth in tech in African countries without Open Source Software. In fact I did, in this piece Projecting Africa: software growth, ecosystems and the future arriving ¹⁰.

Open Source, online learning, cloud services and hustle are really the charm, driving adoption of newer technologies and approaches. While universities are still teaching older programming languages such as C++ and Java, self-taught developers are emerging with Javascript – which is of course the lingua franca of the modern web – and cloud skills. Advocacy, online teaching and learning and sharing are baked into the culture, which is creating a flywheel.
But Open Source doesn’t tend itself. Code and communities need care and feeding, chopping wood and carrying water, in order to be sustainable.

In the UK Amanda Brock had the idea that we needed an organisation to lobby on open technology’s behalf, and to help sustain communities and individuals working here. That idea became OpenUK¹¹, an organisation set up to develop UK leadership and global collaboration in open technology.

That idea has also fostered a new annual tech conference taking place for the first time in London in early 2023 – State of Open Con¹².

If you’re interested in open culture and technology this conference is the place to be. Conference Tracks include security, platform engineering, sustainable open source, open hardware, open data, entrepreneurship, and government policy. The 2023 speaker list was incredible but the hallway track is probably what I was most excited about. It was great to see so many of my open source friends, in one place, without having to get on a plane to do so.

You can watch all 65 hours of online content from State of Open Con 23 as unlimited free download.

10. https://redmonk.com/jgovernor/2021/12/02/projecting-africa-software-growth-ecosystems-and-the-future-arriving/
11. https://openuk.uk/
12. https://stateofopencon.com/

“The Kubernetes State of Play 2022” report by Civo²⁴ found that 51% of 1,000 cloud developers are now using Kubernetes and/or containers in their operations. That’s up from 49% in 2021. Civo focused on how cloud developers use Kubernetes across their operations, the challenges they see and the evolving use cases for the technology in years to come. The research aligns with a big picture of increasing adoption across the industry. Cloud Native Computing Forum (CNCF) research highlights that 5.6 million developers are using Kubernetes globally today.

There has been significant growth in enterprise adoption: CNCF’s latest data found that respondents from organisations larger than 5,000 employees are “far more likely to use Kubernetes than those working at smaller organisations”²⁵

Across 2022, Civo research highlighted that 57% of respondents saw an increase in the number of Kubernetes clusters run by their organisations. The majority saw a rise of up to 25% in the number of Kubernetes clusters they were running. There was also a steady increase of businesses running production workloads in containers since 2021 – which increased from 81% to 83% in 2022. Security risks continue to be a point of tension, with 53% of developers citing concerns about the security of Kubernetes.

The 2023 State of Open Source report published by Open Logic Perforce and the Open Source Initiative indicated that 80% of organisations surveyed (of a global sample) had increased the use of Open Source Software in 2022. 42% of the global sample chose maintaining security policies or compliance and 38% chose lack of skills, experience or proficiency. It’s worth noting that the third support challenge, at 37%, is keeping up with updates and patches and maintaining end-of-life versions.

All three challenges indicate the need for curation, maintenance and security²⁶.

In the UK, the top reason to use Open Source Software is the ability to contribute to, and influence the direction of, open source projects. Interestingly, lower costs did not feature in any of the top five reasons UK organisations use Open Source Software where all five were focused on innovation and forward thinking²⁷.

24. Civo. (2022). The Kubernetees State of Play 2022. Retrieved from: https://www.civo.com/kubernetes-state-of-play-2022
25. CNCF Annual Survey 2021: https://www.cncf.io/reports/cncf-annual-survey-2021/
26. Open Logic by Perforce an Open Source Initiative. (2023). State of Open Source Report. Retrieved from https://www.openlogic.com/resources/2023-state-open-source-report?utm_source=OSI&utm_medium=content&utm_campaign=OPL-GLB-2023Q1-CON-StateofOpenSource&utm_content=blog
27. Open Logic by Perforce an Open Source Initiative. (2023). State of Open Source Report. Retrieved from
    https://www.openlogic.com/resources/2023-state-open-source-report?utm_source=OSI&utm_medium=content&utm_campaign=OPL-GLB-2023Q1-CON-StateofOpenSource&utm_content=blog

Focus on contribution

Software Power: The Economic and Geopolitical Implications of Open Source Software’, by the French Insitute of International Relations

There is an increasing level of contribution to Open Source software. Contributions are made by the Open Source “community”. In 2022 many of those consuming and distributing Open Source are also contributing to Open Source or are involved in sponsorships of non-profit Open Source organisations funding the “community”.

There are however ongoing demands from the Open Source maintainers and communities for greater contribution from commercial and public sector users. This was considered by the French Institute of International relations, ‘Software Power: The Economic and Geopolitical Implications of Open Source Software’²⁸

The report argues that the way forward globally is to secure software supply chains and to enhance cybersecurity. To enhance and maintain a strong software foundation requires a sustainable solution to funding Open Source Software and to engage and enhance public-private collaboration. In particular, the public sector has a role to play in strengthening critical software infrastructures, including OSS supply chain, and proposes improved training for developers on security issues, and the creation of a public platform dedicated to analysing the risks associated with Open Source components. ²⁹

This form of public private initiative for the public sector to secure and maintain Open Source Software has also been advocated for by OpenUK and will be explored further in later phases of the OpenUK State of Open: The UK in 2023 Reports.

28. Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri,
    Ifri, December 2022.
29. Ibid., p. 3.

The OSCI by EPAM

The Open Source Contributor Index (OSCI)³⁰, designed and maintained by EPAM, seeks to track which global commercial organisations contribute what to Open Source and to demonstrate those that contribute the most to Open Source. It seeks to demonstrate this by ranking overall global contributions to Open Source.

The OSCI defines the active contributors and charts participation in the “community”.

The data used by the OSCI is captured through the use of publicly available GitHub code commit data from GitHub Archive. This includes all commits to public GitHub projects. OSCI measures the active contributors (defined as 10+ commits by the single contributor) and the total community with at least one commit at each organisation.

The OSCI indicates that over the last two years leading technology companies Microsoft, Google, Red Hat, Intel and IBM had the most active contributions/ contributors globally – with employees contributing 10+ commits to GitHub per month.
While these companies consume large amounts of Open Source Software, they continue to contribute by open sourcing their projects and contributing thousands of commits³¹ per month according to the OSCI Activity date from 2019-2021.

OSCI’s UK-focused data demonstrates a total of 3,171 contributors in 2022, with 1,681 being considered active making 10+ contributions to a project.

The most active contributing organisations in the UK are:
ARM, Canonical, Linaro, Collabora and the BBC³².

The reports discussed here go a long way in the effort to communicate and clarify the widespread role of Open Source Software and the forms of engagement that are necessary to consider.

OpenUK’s work will continue its focus on the UK’s leading role in this Open Source future with its annual survey in May 2023 and a further series of case studies building on those in its 2021 and 2022 reports.

30. https://www.epam.com/open-source
31. Evaluating Open Source Trends from 2020 to Today. Retrieved from: https://opensourceindex.io/p/evaluating-opensource-
    trends-from-2020-to-today
32. Courtesy of EPAM

Global legislation and geopolitics

Geopolitical impact of Open Source software

OpenUK began considering the impact of Geopolitical shift on Open Source Software long before most other organisations from its inception in 2019, at a time when the UK faced Brexit. Brexit was in fact one of the instigators of its formation as an organisation in its current format. Rarely in the course of history has there been a more visible and defined moment of Geopolitical shift than Brexit. That moment in time has had a profound impact on Open Source Software in the UK and on the UK’s participation in Open Source Software.

Government interest in Open Source is not new, but it is continuously evolving as a consequence of increased utilisation of Open Source in its digital infrastructure. Governments are no longer only seeking to adopt Open Source or to develop software solutions, but also to contribute to the Open Source ecosystems.

At both a national and global level Governments are taking notice – it is estimated that 80% to 96% of the code that makes up global software – including proprietary software – is of Open Source origin³⁷. As Open Source now sits at the heart of software used by individuals, Government and tech companies³⁸, it’s under continuous scrutiny in relation to security and sustainability (maintenance).

In 2019 the EU’s engagement in Open Source was at an apparent peak with its Open Source Policy in September 2019, at a time when the UK’s long-established Open Source Software first policy aligned to the establishment of the UK’s Government Digital Services was no longer news³⁹. Further legislation was added in 2021⁴⁰. The European Commission updated and expanded its Open Source strategy in 2020, linking it to the ambition of “digital autonomy”. As a result, the Commission created an Open Source Program Office (“OSPO”) whose role is to facilitate the implementation of the strategy and its action plan. While the OSPO was established in 2020, it did not meet in person until September 15, 2022⁴¹

The European Union passed the Cyber Resilience Act deals with cybersecurity as a whole, provides for the implementation of an equivalent of Software Bill of Materials (SBOMs), requiring software vendors to identify and document the components contained in their products⁴²

37. Synopsis, “2022 Open Source Security and Risk Analysis Report”, April 2022; K. Szulik, “Open Source Is Everywhere: Survey Results”, Tidelift, April 12, 2018, available at: https://blog.tidelift.com; T. Herr, “Responding to and Learning from the Log4Shell Vulnerability”, testimony to the Committee on Homeland Security and Government Affairs, United States Senate, February 8, 2022
38. Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri,Ifri, December 2022.
39. https://www.theguardian.com/government-computing-network/2011/nov/02/cabinet-office-open-source-procurement-toolkit
40. https://portal.ieu-monitoring.com/editorial/eu-commission-open-source-software-to-benefit-businesses-innovators-and-public-interest-areas?utm_source=ieu&utm_medium=web&utm_campaign=portal
41. European Commission, “Open-Source Software Strategy 2020-2023”, October 21, 2020, available at: https://ec.europa.eu; European Commission, “EC Open Source Program Office”, no date, available at: https://joinup.ec.europa.eu.
42. European Commission, “Open-Source Software Strategy 2020-2023”, October 21, 2020, available at: https://ec.europa.eu; European Commission, “EC Open Source Program Office”, no date, available at: https://joinup.ec.europa.eu.

Despite its attempt to build a solid base through its OSPO, the European Commission’s 2022 draft Cyber Resilience Act⁴³ has been extensively criticised for a lack of understanding of the nuance and meaning of Open Source Software. This has included from the Open Source ecosystem. Criticism has included the Open Source Initiative (OSI)⁴⁴, and the major Open Source foundations including the Eclipse Foundation⁴⁵ and via the Open Source Software Security Foundation, the Linux Foundation⁴⁶.

The full list of criticism has been gathered by the OSI and made public⁴⁷. The Commission’s apparent misunderstanding of the nature of Open Source Software⁴⁸ has led to perhaps more criticism of this legislation and its place in the EU’s proposed product liability regimen than has been seen made towards any other legislation in the history of Open Source Software.

A report published in December 2022 by the French Institute of International relations, ‘Software Power: The Economic and Geopolitical Implications of Open Source Software’ highlights the tensions in certain countries between the desire to secure universally used Open Source components and the desire to develop “sovereign” technologies which sit in contrast to the global nature of Open Source Software. Yet the renewed political interest in Open Source in Europe is linked to the declared ambition to build “European Digital Sovereignty”.

At the heart of technological infrastructures, and therefore of this sought-after Sovereignty, are software and technological standards.⁴⁹ European countries top the Open Data Barometer and Open Knowledge Foundations’ Global Open Data Index⁵⁰. The main line of action of European public authorities has been to develop the use of Open Source Software in public administrations in response to the needs, and to open the code and data produced by public institutions.

In the USA, the report suggests that states have understood the critical importance of Open Source and are increasingly treating it as a strategic issue. The motivations of states to invest in Open Source may stem from a number of objectives including access to trusted technological solutions in the context of the digitisation of public administration and services, to ensure cybersecurity, to develop a local software industry, to reduce dependence on foreign proprietary software and to preserve the concept of an open, public, common and collaborative digital space.

43. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
44. https://blog.opensource.org/what-is-the-cyber-resilience-act-and-why-its-important-for-open-source/
45. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376663_en
46. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376650_en
47. https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/
48. Alice Pannier, “Software Power: The Economic and Geopolitical Implications of Open Source Software”, Études de l’Ifri, Ifri, December 2022.
49. S. Rolland, “‘Il n’y aura pas de souveraineté numérique européenne sans maîtrise du logiciel’, Bruno Sportisse, Inria”, La Tribune, February 22, 2022
50. European Working Team on Digital Commons, “Towards a Sovereign Digital Infrastructure”, op. cit., p. 10.

Education, data, and understanding through metrics is vital to the security of our open source projects. Research conducted by Sonatype as part of its 8th Annual State Of Software Supply Chain report looked to compare various quality metrics already available to the community and how they could be improved.

Data taken from 7.9 million releases with Maven Central, 14 million Common Vulnerability and Exposures (CVE) reports, dependency lists of open source projects, and a variety of popular existing metrics showed that not one of the metrics tested in isolation, were suitable to determine vulnerable open source projects. Although no single quality metric had a moderate correlation to vulnerability count, when using machine learning techniques and aggregate methods across all metrics, the model could accurately identify projects containing vulnerabilities with 95.5% accuracy. This shows that using the popular metrics as a collective was a suitable approach to finding vulnerabilities.

Another interesting finding was that although only 10% of the projects had a vulnerability that directly affected their code, 65% had either a direct or transitive vulnerability due to a third-party dependency within their dependency tree, further suggesting that all parties must work collaboratively in tackling these issues.

Due to the transparency of data provided from the Open Source Security Foundation (OpenSSF) Scorecard metric, research was also able to create a model based on secure software best practices that can correctly identify projects containing known vulnerabilities with a reliability of 89%⁵⁸.

58. https://www.sonatype.com/state-of-the-software-supply-chain/project-quality-metrics#scorecard-checks

The US driving the conversation

As discussed in State of Open in 2021, President Joe Biden signed an Executive Order (EO) on cybersecurity⁶² addressing the software supply chain and the White House called for increased cooperation from the private sector. The order required those companies selling to the federal government to take precautionary measures to identify and remediate vulnerabilities in software and to provide agency customers with a software bill of materials (SBOM)⁶³.

This has been supplemented on March 2 2023 by the White House announcement⁶⁴ of a Cyber Security Strategy.

The Securing Open Source Software Act⁶⁵, “moves Open Source from the realm of policy and regulation decisions into federal law. This bill will direct the CISA to develop a risk framework to evaluate how Open Source code is used by the federal government. The CISA would also decide on how the same framework could be used by critical infrastructure owners and operators.”

According to the Open Source Security Foundation (OpenSSF) in its analysis of the Act, the “CISA would produce an initial assessment framework for handling open-source code risk, incorporating government, industry, and Open Source community frameworks and best practices from software security.” The Act will also require the CISA to identify ways to mitigate Open Source software risks. To make that happen, it requires the CISA to hire Open Source developers to address security issues. It also proposes that some Federal agencies start Open Source Program Offices (OSPO).

Conclusion

Considerable concern has been expressed at the potential of multiple regimens on Open Source Software developers.

These efforts reflect a need for global collaboration to combat security concerns, it cannot be accomplished alone, making the development of an institutional response even more pressing as critical projects need to remain sufficiently resourced and maintained.

62. Federal Register, “Improving the Nation’s Cybersecurity”, op. cit.
63. https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
64. https://www.state.gov/announcing-the-release-of-the-administrations-national-cybersecurity-strategy/
65. https://www.zdnet.com/article/whats-what-in-the-united-states-securing-open-source-software-act/

A lot has happened since OpenUK CISO Andrew Martin, gave July’s report.

Straight off the bat at the end of July, we saw a data breach involving 5.4 million Twitter accounts being sold in a database from criminal hacker, devil. This was a reminder that security will affect all of us. It also requires thought, investment and intelligence to get right. A point further compounded by Check Point Research⁶⁶ showing a 38% increase in cyber security attacks in 2022. I don’t think it would be risky to bet on 2023 making a further increase.

The devastating conflict in Ukraine continues to ravage. One unexpected, related event resulted in Montenegro, a NATO ally, attributing Russia for a sustained cyber security attack attacking their government servers. This was later claimed by the Cuba ransomware group (not thought to be related to the Republic of Cuba). As Longeren and Smith tell us⁶⁷, attribution is a very difficult subject for any cyber threat intelligence analyst. I hope Open Source Software initiatives such as the EU based OpenCTI project⁶⁸ can help provide more data in these areas.

Along with 9.9 million records breached in October 2022 (thankfully not personal data this time⁶⁹, one thing that is for sure is the overwhelming amount of cybersecurity attacks that occur and continue to do so.

So how does this fit with Open Source? Well, as was witnessed through the inaugural OpenUK State Of Open Con 23⁷⁰ a lot! The security track was filled with discussion on how to secure supply chains, how SBOMs will help with that, and that Open Source is not immune to this challenge. As quoted in some talks at the conference, statistics from the Sonatype State of the Software Supply Chain report⁷¹ show that 6 out of 7 project vulnerabilities come from transitive dependencies and request volumes from package ecosystems (Maven, PyPI, npm and Nugent) are estimated to have reached 3.1 trillion for 2022, meaning work is needed here to ensure our Open Source projects are not vulnerable for those that use them.

On day one, a keynote from Anjana Rajan, Assistant National Cyber Security Director, Technology Security Directorate, The White House, announced a collaborative project called the Open Source Software Security Initiative, combined with the work CISA were doing to encourage the use of SBOMs in the community, and a push towards memory safe languages, can help our Open Source cyber resilience. The Department for Culture, Media and Sport (DCMS) Head of Cyber Resilience Policy, Naomi Gilbert, explained that a call for views has been published on software resilience and security, and Open Source is expected to play a unique role in this area.

Day two started with Sal Kimmich’s keynote “Regulation by Telemetry: How to Fix OS Security by 2030” with some very bold ambitions, which I believe we can achieve. Throughout the two days, ways of improving our Open Source security posture came out: dependency management, code review, threat modelling, penetration testing and the need to secure cloud and Kubernetes infrastructures. It is a tall ask, but by coming together and collaborating in the unique way Open Source does, fostering relationships with governments and organisations such as Linux Foundation, NCSC, NIST, OWASP, OpenSSF, CNCF, Apache, and others, means that nothing is insurmountable.

66. https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/)
67. https://politicalviolenceataglance.org/2022/09/21/who-attacked-montenegro-the-moral-and-strategic-hazards-of-misassigning-
    blame/),
68. https://www.ssi.gouv.fr/en/actualite/opencti-the-open-source-solution-for-processing-and-sharing-threat-intelligenceknowledge/)
69. https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-october-2022)
70. https://stateofopencon.com)
71. https://www.sonatype.com/state-of-the-software-supply-chain

Security in the Open Source Software space has never been more prominent than it is today. While the world has suffered numerous serious security issues over the past 20 years, real global and cross sectoral momentum to solve key security issues has only gathered pace over the past year or two.

This momentum prompts the need for a considered and sustainable approach to achieving common security goals that allocates obligations, responsibilities, and accountability appropriately. This means identifying what work is being done, by whom, and how that work is directed and remunerated. It also means investing in changing that process. Anyone even tangentially associated with Open Source Software development knows that unpaid maintainers often bear the brunt of elite decision-making, which can result in disillusioned, overworked and under-compensated communities of developers that have neither the time nor the inclination to undertake the substantial work demanded of them.

Moves to regulate the security of the software supply chain are currently underway in the EU, UK and USA, and there is general agreement that this is a positive driver for improvement. Regulators are not, however, experts in Open Source development. The majority of regulators have little knowledge or expertise in how or where to plug the existing gaps, nor a clear strategy of how to fund this vital work.

Corporate organisations have long engaged with governments and influenced regulators, and these actors will have a necessary and valuable impact upon regulation development. The corporate voice alone cannot, however, be relied upon to ensure that security regulation or practice is fit for purpose, as business interests will always take priority over the interests of the common good. Corporate approaches to security also cannot be relied upon to benefit the digital commons as a byproduct of securing their own activities. It is clear to see across multiple spheres of private sector activity, from health provision to data connectivity infrastructure, that corporate interests inevitably leave significant gaps that either remain neglected or are filled by unpaid or underfunded interest groups. If there is genuine commitment across the stakeholder spectrum to improve supply chain security, a reliance on corporate actors alone to do this will not yield the results desired.

The actors that can implement meaningful beneficial impact are critical to consider in how a global approach to securing the digital world is built. Who can advocate for that common good? Who can identify the key issues and gaps? Who can mobilise to build solutions? And who can do this in a neutral and sustainable way that balances the needs of the myriad stakeholders in this space? OSS foundations, like the Rust Foundation, are the only actors that can take on this role. This is because these non-profit organisations are constituted to support the common good in OSS ecosystems. They are close to, and often run by, maintainer communities, so they know exactly where the issues exist. They are supported by corporate bodies, so they understand too the needs of end users and product developers. They are ultimately neutral, not for profit, able to take a balanced approach that prioritises the wider benefit, and critically, they are able to do this work collaboratively in the open. Security work funded by stakeholders and managed by relevant foundations is the best option.

Funding this activity sustainably will be one of the biggest challenges. For too long, too many organisations have taken advantage of free Open Source code without giving anything back. While a number of tech organisations are hugely supportive of OSS work, there are thousands more that are net beneficiaries. Until the work conducted by the OSS community is valued as a core public service, and funded as such, it cannot be expected to be responsible for propping up government systems or multinational technologies. Just as companies in the UK processing personal data are required to register and pay a fee to the regulator, so should organisations using Open Source code in their products be required to do something similar. Such fees could be used to sustainably fund OSS security activities run through OSS foundations.

Meaningful and impactful improvements can be achieved in OSS security engineering and development across ecosystems, if the work is directed by non-profit foundations and financially supported by a plurality of public and private bodies. In this way, all stakeholders can be engaged without holding a monopoly, maintainers can be fairly compensated, and the benefit will be felt by all.

As the recently appointed Chief Sustainability Officer of OpenUK, I am excited to take on the challenge of leading the company’s sustainability efforts and building upon the foundations established. 2023 presents the perfect opportunity to capitalise on the progress made and to set the stage for even greater successes leading into 2030.

One of the key areas OpenUK staunchly focuses on is Open Source Software and its impact on sustainability. While Open Source initiatives have the potential to promote sustainability, it’s important to consider with a balanced view, if not sometimes play a contrarian role to truly explore, discover and resolve the potential downsides.

According to the World Economic Forum’s Davos 2023 risk report, the cost of maintenance and security of coding technical systems is a top concern. Additionally, the OpenUK State of Open 2022 report notes that the top 3 challenges for Open Source initiatives are ABC. All of which: require positioning and alignment under Mother Earth spectacles of Environmental, Social and Governance (ESG) and Sustainable Development Goals (SDGs).

OpenUK collective goal is to work closely with the community and to continuously evaluate, improve, and ensure that our initiatives align with our sustainability goals. This includes being transparent and considerate of the deficiencies that exist, aligning with the ESG, SDGs, and addressing the potential downsides of Open Source initiatives such as the environmental impact of Open Source software and the lack of alignment with environmental, social, and governance (ESG) and sustainable development goals (SDGs).

We are all believers, contributors and disciples of Open Source movement and Open Technology as it’s long been recognised for its ability to promote collaboration and inclusivity, but it also has the potential to lead the way in sustainable technology. The Open Source community’s values of transparency and community-driven development align closely with what is needed to address the complex and interconnected issues of sustainability.

As a driving force for good: one of the key areas where Open Source can make a difference is in the optimisation of digital technology to use electricity more efficiently. Sixty percent of the world’s electricity is still generated by burning fossil fuels, despite the increasing capacity for renewable energy generation. By developing and implementing Open Source solutions that use less electricity, the carbon emissions generated by the tech sector can be reduced.

However, it’s important to note that simply making technology more efficient may not be enough to address the root causes of climate change and sustainability issues. The Jevon’s paradox states that making something more efficient often leads to using more of it, not less. Therefore, it’s crucial to have deeper conversations about the relationship between society and technology, and to consider the impact of technology on marginalised communities and ecosystems.

Open Source can also play a role in addressing these issues by promoting transparency and accountability in the supply chain of digital technology. By using Open Source solutions, companies and organisations can better understand the environmental and social impact of the materials and resources used in the production of their technology.

Additionally, the Open Source community leads by example in terms of equity and inclusivity. By sharing the wealth generated by digital technology equitably and ensuring that the benefits are enjoyed by all members of society, not just those who are most privileged, we can promote sustainable development and create a more just and equitable world.

However, the elephant in the room today is OpenAI. OpenAI is facing criticism for its lack of transparency and its potential negative impact on the job market as it is a for-profit company and not in fact Open Source as it does not allow access to its source code nor license it under an OSI approved licence. This raises concerns about accountability and transparency.

In conclusion, Open Source initiatives have the potential to promote sustainability, but it is important for OpenUK to look beyond itself and ensure other worldly initiatives like OpenAI are continuously evaluated and supported to improve their strategies to ensure alignment with environmental, social, and governance goals and sustainable development goals. Transparency and accountability must also be prioritised to address potential downsides such as the environmental impact of Open Source Software and concerns about the job market. It is crucial to have deeper conversations about the relationship between society and technology, and to consider the impact of technology on marginalised communities and ecosystems. Open Source can play a key role in driving sustainable technology and promoting equity and inclusivity.

We will again be leading on agenda setting with our OpenUK Open Technology for Sustainability Day in Edinburgh on 14 September⁷².

72. https://openuk.uk/event-calendar/open-technology-for-sustainability-day/

About the creators of this report

OpenUK

OpenUK is the organisation for the business of Open Technology in the UK, being Open Source Software, open source hardware and open data. As an industry organisation, OpenUK gives its participants greater influence than they could ever achieve alone. Open UK’s purpose is to promote UK leadership and global collaboration in Open Technology.

OpenUK is committed to promoting UK leadership in Open Technology and supporting collaboration between businesses, public sector organisations, government and communities to expand the opportunities available to all around Open Technology on a global basis. OpenUK creates a visible Open Technology community in the UK, and uses that community’s impact to ensure that the UK’s laws and policies work for Open Technology whilst encouraging the future community in the business of Open Technology through learning.

OpenUK is a not-for-profit company limited by guarantee, company number 11209475 with its registered office at 8 Coldbath Square, London EC1N 5HL, www.openuk.uk, contact admin@openuk.uk

Symmetry

Symmetry looks beyond the surface and behind the curtain of the fundamental innovations and trends shaping our society, markets, culture, and values. We are academics and researchers looking at the intersections of emerging technology and socioeconomic impact, producing independent research for thought leadership and business solutions.

Symmetry’s mission is to share and grow knowledge about everyday lives. We want to understand the past, present, and future of human interaction with emerging technologies and socioeconomic changes—from behaviour to context, nature to nurture, origin to experiences—helping our clients engage their clients and public imagination.