The recent discovery of a vulnerability in Apache log4j, a widely used open-source logging library, has exposed a significant security weakness in our digital world. Open-source software (software that anyone may use, modify and share) supplies common building blocks of the code underlying much critical software, both public and private.
Open-source software has been an incredible democratizing and innovative force for the digital world. Its widespread adoption, however, means that security issues can have real-world consequences when a huge proportion of the most popular apps and websites depend on it. This isn’t only an issue for technology companies and their users. It is also an issue of national security. The prevalence of open source means its security is critical to our infrastructure, putting much of the internet and millions of citizens at risk of attack.
Security incidents involving open-source software have occurred every couple of years, including the Heartbleed bug in OpenSSL in 2014 and the npm left-pad incident in 2016, when the withdrawal of a tiny package broke builds across the JavaScript ecosystem. According to the Cybersecurity and Infrastructure Security Agency, two of the most routinely exploited information-technology vulnerabilities in 2020 were related to open source.
One of the primary reasons for these vulnerabilities is that popular open-source software such as log4j is often maintained by volunteers who may not have sufficient resources to prioritize security. But these volunteers aren’t to blame. What appears to be an esoteric technical problem is actually one of funding and the sustainability of the entire digital ecosystem. While some open-source projects are supported by companies and nonprofit organizations, other pieces of code are maintained and released by people who struggle to monetize their work. The open-source security problem is, at its core, a tragedy of the commons. When the underlying health of our digital infrastructure is unsound, the whole system suffers.
In healthcare, it is widely accepted that preventive care is dramatically cheaper and more effective than treatment. We should take the same view toward open-source software platforms and invest in proactive work to prevent the next log4j crisis. The long-term solution is to foster an open-source software ecosystem that is not only secure, innovative and open, but also sustainable.
Part of the solution involves obtaining ambitious and innovative ideas from the open-source community to improve sustainability. At Schmidt Futures we’ve launched the Open Source Software Virtual Incubator, a platform where engineers and innovators can exchange information about what they are working on, so that groups like ours can join together in supporting great ideas.
The federal government can play a part as well by investing more resources to support open-source software. Dedicating even a small fraction of the $9.8 billion allocated for civilian cybersecurity programs in the administration’s 2022 budget request could make an enormous difference.
Congress should create a Center for Open Source Software Security, which would identify and catalog critical software in need of support and fund critical improvements in open-source software security. More broadly, the federal government could establish offices across agencies to support open-source software and encourage governmentwide use, building on existing programs such as code.gov. We hope the recent White House meeting on open-source software encourages initiatives that not only focus on security but improve sustainability as well.
Let’s take the opportunity the most recent security issue affords us, and commit to identifying and supporting the innovative ideas that will strengthen the open-source software ecosystem.
Mr. Schmidt is a co-founder of Schmidt Futures. He was CEO of Google, 2001–11, and executive chairman of Google and its successor, Alphabet Inc., 2011–17. Mr. Long is founding research lead of the Plaintext Group, a technology-policy initiative at Schmidt Futures. Ashwin Ramaswami contributed to this article.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
Appeared in the January 28, 2022, print edition.
https://www.wsj.com/articles/protect-open-source-software-prevention-oss-public-use-cybersecurity-innovation-cyberattack-apache-log4j-11643316125