Executive Summary
Open-source software (OSS) is incorporated deeply into our digital ecosystem, across functions ranging from instant messaging to critical infrastructure. Though OSS is not necessarily riskier than commercial software, OSS security is critical given its prevalence in our rapidly changing digital environment and the complexity of implementing cybersecurity guidelines in the OSS space. The decentralized nature of OSS development and of the open-source community itself poses unique challenges to the uniform application of cybersecurity practices, which in turn makes regulation or other government engagement difficult.
This paper evaluates voluntary technical standards (here including widely adopted industry best practices as well as formal voluntary consensus standards developed by Standards Developing Organizations (SDOs)) as a potential mechanism for securing OSS. Voluntary standards are naturally suited to the decentralized nature of OSS and present a viable pathway forward for improving cybersecurity. Fourteen interviews with professionals in the open-source security and standards spaces reveal two key dynamics within OSS that impact standardization of OSS security: financial incentives and culture. Furthermore, interviewees identify the uptake of standards, as opposed to the design of standards, as a key inflection point that may benefit from formalized U.S. government support, and they put forth several policy suggestions.
U.S. policymakers interested in advancing the cybersecurity of OSS through standards should consider three policy recommendations identified in this paper: firstly, concerted government outreach to the OSS community; secondly, leveraging financial incentives to encourage cybersecurity; and thirdly, establishing government-managed repositories of standards to ease standards uptake.
Given the increasing role of OSS in powerful technologies like artificial intelligence (AI), it is critical that the government develop a clear strategy to enhance OSS cybersecurity. As technology becomes more capable, the ramifications of security incidents may become even more profound. To prevent or address such incidents, policymakers must develop interventions that are both effective and suited to the unique characteristics of the OSS space. This paper endeavors to inform policymakers about these unique characteristics and provide actionable pathways for future policy.
Introduction
In our digitized world, open-source software (OSS) has become ubiquitous, accounting for 80%-90% of all existing software.[1] OSS, loosely defined as software that is developed openly and collaboratively and is freely accessible for individuals to edit and download, is vital to key functions ranging from everyday texting to critical infrastructure. Part of the popularity of OSS is due to its accessibility and opportunity for innovation, but its decentralization can make cybersecurity difficult. In particular, conducting oversight, enforcing best practices for security, and determining liability in the event of a breach can be challenging in OSS. Moreover, recent developments such as the increasing popularity of open-source and open-weight large language models like Meta's Llama and hugely impactful cyberattacks like Log4Shell and SolarWinds highlight the need for improved security practices in OSS.[2]
How can policymakers support OSS security despite the difficulty of applying traditional, liability-driven forms of regulation? This paper will examine the utility of voluntary technical standards as a tool for enhancing the security of OSS and identify potential ways for the U.S. government to leverage standards in its cybersecurity efforts.
Notes
- [1] "The Linux Foundation and Harvard's Lab for Innovation Science Release Census for Open Source Software Security," The Linux Foundation, February 18, 2020, https://www.linuxfoundation.org/press/the-linux-foundation-and-harvards-lab-for-innovation-science-release-census-for-open-source-software-security.
- [2] Llama is Meta's flagship large language model (LLM). It is not completely open-sourced, since the full details of its training and construction are not publicly available, but its model weights are public, and it is freely downloadable with adjustable weights. Log4Shell is a widespread critical vulnerability in an OSS program, and it is described in deeper detail later in this paper. The SolarWinds breach is a commercial software incident found in 2020.