Strengthening digital infrastructure: A policy agenda for free and open source software – Brookings Institution
Download
This is a Brookings Center on Regulation and Markets policy brief.
While there is little debate that digital forces are playing an increasingly crucial role in the economy, there is limited understanding of the importance of the digital infrastructure that underlies this role. Much of the discussion around digital infrastructure has focused on broadband availability (which is certainly important), but the role of free and open source software (FOSS or OSS) has gone underappreciated. FOSS—software whose source code is public, is often created by decentralized volunteers, and can be freely used and modified by anyone—has come to play a vital role in the modern economy. It is baked into technology we use every day (cars, phones, websites, etc.), as well as into various aspects of critical infrastructure including our finance and energy systems.
Like physical infrastructure, this digital infrastructure requires regular investment to further enable innovation, commerce, and a flourishing economy. However, also like physical infrastructure, there is a market failure in the private sector that leads to an underinvestment in digital infrastructure. Therefore, there is a clear need for government investment and regulation to ensure the future health, security, and growth of the FOSS ecosystem that has become indispensable to the modern economy.
In this article I lay out policy proposals based on my academic research and that of others, as well as policies that exist in other countries who are ahead of the United States on investing in this critical asset. I first discuss the overall challenge FOSS faces and the limits of existing policy in the U.S. (which are primarily focused on government usage of FOSS, not on investing in the FOSS ecosystem directly). Finally, I present 11 policy proposals separated into four domains of focus: creating an open source program office; measuring and understanding the FOSS ecosystem; enhancing the positive economic impact of FOSS; and securing the FOSS ecosystem. Although there is no silver bullet for guaranteeing the future health and growth of FOSS, these proposals will go a long way towards ensuring FOSS can continue to play its essential role in enabling the modern U.S. economy to grow and flourish.
At the highest level, the challenge related to FOSS is that despite its value to the modern economy, its decentralized and free nature leads to both an underappreciation of this value and an underinvestment in its growth and security.
Source: XKCD, https://xkcd.com/2347/, licensed under Creative Commons Attribution-NonCommercial 2.5 License
On the value side, although it has been estimated that up to 98% of codebases include FOSS, it can be difficult to measure its value. Traditional measures of the value of a product, such as multiplying the number of times a product is used times the price of the product and subtracting input costs, do not work. The price is zero, the labor is volunteered, and measuring the volume of usage is extremely difficult due to the distributed nature of FOSS and the fact that it can be copied and reused freely. Despite these challenges, there have been some recent efforts to value FOSS by myself and others. For example, our early efforts to measure the value of just one piece of FOSS—the widely used Apache web server—found that in 2013, it added up to $12 billion to the U.S. economy, despite not showing up directly in any GDP statistics. More recently, a European Commission sponsored report found that in 2018, EU companies invested roughly €1 billion into FOSS creation, which resulted in up to a €95 billion benefit for FOSS users in the EU. Similar estimates for the U.S. investment in FOSS were $33 billion in 2019. However, despite these attempts, we have only scratched the surface of truly understanding the value FOSS provides to the economy and modern life. This is even more so the case when considering the value created in the context of digital autonomy, as an increased reliance on FOSS can limit the occurrence of single points of failure where a company or country is beholden to a particular company that provides proprietary software or owns a patent (especially in the context of communications standards, like 5G).
Related Content
On the investment side, the challenge is twofold. First, despite increasing evidence for a high rate of return to public and private investment in FOSS that can enhance competitiveness and innovation, the U.S. has yet to make a concerted effort to directly invest in it—beyond just supporting its use in federal agencies. The U.S.’s investments in the Global Positioning System (GPS) is an example of the success such investments can have—U.S. investments in GPS, which is made freely available to users, have enabled $1.4 trillion of economic gains for U.S. companies (which the government receives tax revenue on). Likewise, our work on Apache showed that government investments in FOSS can lead to a rate of return of at least 17%, more than double the U.S. government’s commonly used baseline of 7% representing a good investment opportunity. Broader analysis in the European Commission report revealed a cost-benefit ratio of roughly 1:4 for FOSS investments by private companies, and my own work on government support of FOSS in France showed a variety of positive outcomes, including as much as an 18% increase in the founding of French IT-related startups and as much as a 14% increase in the number of French workers employed in IT-related jobs. Even for companies, my research has shown that not only does using FOSS lead to productivity gains but investment in FOSS can pay dividends as companies that contribute to FOSS obtain up to 100% more productive value from using FOSS than their free-riding peers.
Second, an underinvestment in FOSS can result in security concerns that have economy-wide consequences. The most recent evidence of this was the 2021 discovery of the Log4Shell vulnerability in the FOSS logging package log4j. Deployed across a vast range of digital applications, the vulnerability was originally introduced in the code in 2013 and exposed tens of millions of devices to a devastating security vulnerability and illustrated the urgent need to improve security in open source software. Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) called Log4Shell “the most serious vulnerability I’ve seen in my decades-long career,” and well before most organizations could patch the vulnerability, there were over 800,000 attacks using it in a 72-hour period, including some by Chinese and Iranian government-sponsored actors. Government policy can help identify and address these vulnerabilities in a timelier fashion.
The biggest limit to existing U.S. policies related to FOSS is that they are nearly all focused on the federal government’s use of, creation of, and purchasing of technology for its own systems. No policies are targeted at measuring, investing in, or securing the FOSS ecosystem as a whole or in a direct manner. Although my prior research has shown that governmental policies favoring the usage of FOSS in technology procurement can have important positive spillovers to a country (as well as cost savings), this is more of a second-order impact rather than the first-order impact direct investment can have. There are numerous examples of such procurement policies. As early as 2004, agencies of the U.S. federal government started to clarify their stances towards FOSS. However, it was not until the Office of Management and Budget memorandum M-16-21 in 2016 that a clearer pro-FOSS stance was taken. M-16-21 required that all federal agencies should a) make all new custom code for any federal agency available for reuse across all federal agencies, and b) release at least 20 percent of new custom code as FOSS for anyone to use. These efforts were coordinated through the Code.gov website, originally developed under the Office of the Federal Chief Information Officer and now administered by the U.S. General Services Administration (although recently defunded and essentially static). To this day, M-16-21 is the primary guidance on how federal agencies should approach FOSS and is the primary authority cited within numerous agencies related to their FOSS stance (e.g., Department of Commerce and Department of Defense). These efforts were expanded upon with the May 2021 White House Executive Order 14028, which included a section requiring all federal government software purchases to include a software bill of materials (SBOM) that clearly stated what other software (including FOSS) was built into the purchased software.
Beyond M-16-21, a handful of other governmental efforts have been proposed but not passed. For example, the House version of the 2022 National Defense Authorization Act included funding for a FOSS security center within DHS, but the funding did not make it into the final bill. At the state level, New York has introduced a bill to give a tax credit for expenses related to developing FOSS in every legislative session since 2009, but the bill has never gotten out of committee. Even the much-praised bipartisan infrastructure package passed in late 2021 focused its digital infrastructure investments nearly exclusively on broadband availability and did not address investments in FOSS.
Most recently, in January 2022, in response to the aforementioned Log4Shell vulnerability, the White House National Security Council (NSC) held a meeting with companies like Google and Microsoft; open-source organizations including the Linux Foundation, the Apache Software Foundation, and the Open Source Security Foundation (OpenSSF); and numerous federal agencies and departments. The meeting focused on preventing, finding, and shortening response time to FOSS vulnerabilities and discussed various potential public-private partnerships. Although there were no concrete pledges from the meeting, the intent was to start a discussion, identify possible paths forward, and commit to future meetings that would yield specific commitments by the various stakeholders. In May of 2022, the first follow-up meeting was held and it identified 10 areas of focus to improve OSS security and provided specific plans of action and a call for $150 million in funding over two years. The intent was for this funding to come from private companies, not the government, and some large tech companies have already committed $30 million to assist in the effort.
Given the lack of federal policies directly supporting the FOSS ecosystem, I lay out 11 policy proposals that can help to support the FOSS ecosystem in critical ways (overviewed in Table 1). These policies are grouped into four domains. The first domain is to create a new office to oversee all FOSS related activity within the federal government. The second domain focuses on measuring and understanding the FOSS ecosystem, which is necessary given the distributed nature of FOSS, and the lack of a clear understanding of how pervasive it is in the modern economy. The third domain considers avenues for investing in FOSS to help enhance the economic competitiveness of the U.S. The fourth domain focuses on methods for securing existing and future FOSS to reduce the likelihood of some of the issues mentioned above. Some of the policy recommendations build upon the European Commission report mentioned above, for which I was an outside advisor, but consider how (and where) they could be applied in the U.S. Further, although all of these recommendations are focused on FOSS, they can be thought of to include free and open source hardware as well, which is a smaller space than FOSS but is rapidly growing and is increasingly important to the economy.
Table 1: Recommendations for Strengthening Digital Infrastructure
source
