Encouraged by the questions being asked, the Eclipse Foundation recently participated in an open and transparent process initiated by the US Office on the National Cyber Director, in collaboration with three federal agencies with stakes in setting policies and priorities for securing open source software as critical infrastructure. Specifically, they sought feedback through a public Request for Information.
For a bit more context, over the past year the Eclipse Foundation has responded to the urgent needs of policymakers in Europe and the US as they consider how to meet the challenge of cybersecurity. In Europe, discussions around the Cyber Resilience Act and the cybersecurity of open source have pushed us to interact with policymakers to explain the functioning of open source development and the Foundation’s governance of open source. In the US, we’ve participated in White House roundtable discussions, sent our security leadership to Washington D.C. to assist researchers, and generally lent a hand wherever the opportunity arose. As a global concern, the Foundation has a stake in improving security wherever its projects and people contribute to the software ecosystem.
We take this kind of open engagement as an encouraging sign. Government bodies are actively considering how they can assist in improving and sustaining the software they have grown to depend upon – now embedded as critical infrastructure everywhere. We were encouraged to see the RFI soliciting suggestions to improve cybersecurity from a technical perspective, but also a broader interest in sustainability.
If you’d like to peruse the submissions you can visit the US government procurement website, search and download the responses.
The Eclipse Foundation has prepared a response which is summarized below. You can also download our full five-page submission if you’d like to read our detailed response.
Recommendation #1 Improve cybersecurity at scale – empowering open source projects and developers – in two parts.
Make SBOM Generation a Valuable Process for Open Source Developers
A Software Bill of Materials (SBOM) is generally easy to generate across most software development ecosystems. Although standards are emerging for SBOMs today there is no common registry where publishing an SBOM might add measurable value to open source projects. We also make recommendations for additional tooling and automation to make the process of SBOM generation a value-added activity rather than a drag on scarce engineering resources.
Invest in Improving Public Vulnerability Databases
Currently there exist a number of vulnerability databases, each lacking important features (not in machine readable formats, requires manual assessment, missing important fields, containing incomplete data and so forth). Given the noise generated by false positives and other mis-cues, projects face difficulties when handling automated vulnerability analysis as one single source might not cover all the situations. We recommend significant investment in curating and refining public vulnerability databases. Focus should be put on the usability of the data for automatic analysis and ease of reporting errors in existing entries as well as making the database machine-readable by default. Finally, we encourage employing Artificial Intelligence (AI) and Machine Learning (ML) to assist human experts in categorizing, filtering, and prioritizing vulnerabilities.
Recommendation #2 Sustainability - Create a public/non-profit partnership to strengthen the security and sustainability of open source software in the US federal government environment by way of diversifying investment in the ecosystem.
The economic models associated with open source are not sustainable and rely heavily on the alignment of corporate interest and limited non-profit resources, leaving gaps in maintaining an overall healthy ecosystem. Drawing from the recent success of The Sovereign Tech Fund (STF) and the US Department’s 10-year-old Open Technology Fund (OTF) as reference models, we’re encouraging the US federal government to take a new approach to funding open source projects which are used by the government but are otherwise overlooked by private industry for investment. This serves to diversify investment in the broader ecosystem.
Recommendation #3 Sustainability - Incentivize the Federal vendor community to contribute back to the open source projects they base their commercial service offerings upon.
In our third and final recommendation, we encourage the US government to use the power of public procurement, much as what has been done to encourage minority businesses as an example. This could be done by creating a special consideration for vendors providing software solutions who can demonstrate that, when their solutions stack includes OSS components, they are contributing back to those projects either financially or through direct engineering efforts. Incentivizing the industry to partner financially with projects they have leveraged in winning contracts creates a virtuous cycle of investment in a more robust software economy without the investment of tax dollars.
Why our response matters
Now in its twentieth year of operation, the Eclipse Foundation has become respected for its long-established best practices for security in open source software. The Foundation is a Common Vulnerabilities Exposure (CVE) Numbering Authority (CNA), assigning and managing CVE numbers for its projects. Recently, it has also launched a number of new initiatives to ease automatic management of security configuration, vulnerability reporting and tracking for hosted projects.
With a global footprint and as a steward of scores of high-impact projects organisations depend upon, improving the security posture of the open source ecosystem is of paramount interest to the Foundation.
Deb Bryant, US Policy Adviser