Skip to content

31.1: Global Open Source and National Interests

Open source software embodies a remarkable paradox. It represents perhaps humanity's most successful experiment in global cooperation—developers from every continent contributing to shared infrastructure that powers modern civilization. The Linux kernel includes contributions from engineers in the United States, China, Russia, Europe, and dozens of other countries, collaborating on code that runs everything from smartphones to supercomputers. Yet this same software increasingly sits at the heart of national security concerns, economic competition, and geopolitical tension.

The xz-utils backdoor attempt in March 2024 crystallized this tension. An attacker, operating under a pseudonymous identity over several years, nearly inserted a sophisticated backdoor into compression software used across Linux systems globally. The attack prompted uncomfortable questions: How do we secure global infrastructure when contributors are anonymous? What happens when the openness enabling global collaboration also enables adversarial infiltration? Can software be simultaneously a global commons and a national security asset?

These questions have no easy answers. They require navigating between the genuine benefits of open, global collaboration and the equally genuine security concerns that arise from that openness. Understanding this tension—rather than resolving it simplistically—is essential for policy makers, security strategists, and technologists working at the intersection of open source and national interest.

The Global Commons Concept

Economists define a global commons as a resource shared by all nations, not subject to individual ownership or control. The traditional examples—the atmosphere, the oceans, Antarctica—share characteristics that open source software increasingly exhibits.

Commons characteristics in open source:

  • Non-excludable: Anyone can access and use most open source software
  • Non-rivalrous: One entity's use doesn't diminish another's (unlike physical commons, the software itself is non-rivalrous, but maintainer attention and security investment remain rivalrous resources)
  • Collectively maintained: Contributions come from diverse, global sources
  • Governance challenges: No single authority controls the resource

Open source infrastructure functions as digital commons. The Linux kernel, OpenSSL, curl, and thousands of other foundational projects are used by organizations worldwide regardless of nationality. No nation controls these resources; no nation can exclude others from their use. The collective benefits—shared innovation, reduced duplication, accelerated development—flow to all participants.

The tragedy of the commons, where shared resources are depleted through overuse, manifests differently in open source. The resource isn't depleted through use but through neglect—insufficient investment in security, maintenance, and development. As discussed in Chapter 30, market failures in open source security represent a commons problem: everyone benefits, but investment falls below socially optimal levels.

Stewardship tensions:

Unlike physical commons, open source has identifiable maintainers and governance structures. Projects have leaders; foundations provide coordination; platforms host infrastructure. This creates a more manageable governance situation than truly ownerless commons.

However, this governance remains predominantly located in specific jurisdictions—primarily the United States and Europe. Major foundations (Linux Foundation, Apache) are U.S. entities. Key platforms (GitHub, GitLab) are American companies. This concentration creates potential for jurisdictional control over resources used globally.

When U.S. sanctions restricted GitHub access for developers in certain countries, the global commons nature of open source collided with national legal frameworks. The theoretical openness of open source encountered practical limitations imposed by the geographic location of infrastructure and governance.

National Security Perspectives

Governments increasingly view open source through a national security lens—both as an asset to leverage and a risk to manage.

Asset perspective:

Open source provides national security benefits:

  • Cost efficiency: Shared development reduces duplication across government systems
  • Transparency: Inspectable code enables security verification
  • Resilience: Distributed development reduces single points of failure
  • Innovation: Access to global talent pool accelerates capability development
  • Interoperability: Standards-based software enables coalition operations

Many government systems rely extensively on open source. Defense systems, intelligence infrastructure, and critical government functions incorporate Linux, open source cryptographic libraries, and countless other projects. This dependence creates a stake in open source security.

Risk perspective:

Open source also presents security concerns:

  • Supply chain exposure: Vulnerabilities or backdoors affect all users
  • Attribution difficulty: Anonymous contributions complicate trust assessment
  • Foreign dependency: Critical software may depend on foreign maintainers
  • Adversarial infiltration: Open contribution processes can be exploited
  • Governance gaps: No authority ensures security of critical projects

The xz-utils incident demonstrated these risks concretely. A sophisticated attacker exploited the open contribution model to attempt backdoor insertion. Detection required fortunate circumstances—a vigilant developer investigating performance issues. The incident highlighted how open source's strengths (anyone can contribute) can become vulnerabilities (anyone can attempt compromise).

National security approach evolution:

Government approaches to open source security have evolved:

  • 1990s-2000s: Skepticism about open source security ("many eyes" debate)
  • 2000s-2010s: Increasing adoption with risk management focus
  • 2010s-2020s: Recognition of critical infrastructure status
  • 2020s: Active investment in open source security (sovereign tech funds, CISA initiatives)

This evolution reflects growing understanding that ignoring open source isn't an option—it's too embedded in infrastructure to avoid. Managing the security relationship became the only viable approach.

National Approach Comparison

Different nations approach open source with distinct strategies reflecting their economic systems, security postures, and technological capabilities.

United States:

The U.S. approach combines market-led development with regulatory influence:

  • Private sector leadership: Corporate investment drives most open source development
  • Standards influence: NIST frameworks shape global practice
  • Procurement leverage: Federal requirements influence market standards
  • Foundation hosting: Most major foundations are U.S.-based entities
  • Platform dominance: GitHub, major cloud providers are American

U.S. policy increasingly emphasizes "secure by design" principles and supply chain security requirements. Executive Order 14028 and CISA initiatives reflect government recognition of open source's critical infrastructure role without direct government control of development.

European Union:

The EU approach emphasizes sovereignty and regulation:

  • Digital sovereignty: Concern about dependence on non-European platforms
  • Regulatory frameworks: EU Cyber Resilience Act (CRA) imposes security requirements
  • Public funding: Sovereign Tech Fund, EU-FOSSA, NLnet invest in open source
  • Standards development: European standards bodies active in security standards
  • Foundation diversity: Eclipse Foundation moved to Europe; CERN contributes significantly

The EU CRA represents assertive use of regulatory power to influence global practice. By imposing requirements on products sold in the EU market, the regulation affects development practices worldwide.

China:

China's approach combines domestic development with international engagement:

  • Self-reliance goals: Reducing dependence on foreign-controlled software
  • Domestic platforms: Gitee as alternative to GitHub; domestic foundations
  • Contribution growth: Chinese developers increasingly contribute to global projects
  • Standards participation: Active engagement in international standards bodies
  • State-influenced development: Greater government role in technology direction

China's approach reflects broader technology competition dynamics. Concerns about dependence on U.S.-controlled platforms—particularly after sanctions affected access—have driven investment in domestic alternatives while maintaining engagement with global projects where beneficial.

Comparison summary:

Aspect United States European Union China
Primary driver Private sector Regulation/sovereignty State strategic goals
Investment model Corporate-led Public funding expanding State-influenced
Platform hosting Dominant (GitHub) Seeking alternatives Domestic alternatives
Standards approach De facto through market De jure through regulation Increasing participation
Security focus Market incentives Mandatory requirements Self-reliance

The Openness-Security Tension

Open source's foundational principle—open collaboration—exists in tension with security requirements. This tension cannot be fully resolved, only managed.

Openness benefits for security:

  • Transparency: Code is inspectable by anyone, enabling vulnerability discovery
  • Distributed review: Many contributors can identify issues
  • Rapid response: Open development enables quick patches
  • No obscurity: Security cannot depend on hidden implementation

Openness costs for security:

  • Attack surface visibility: Attackers can study code for vulnerabilities
  • Contribution risk: Open processes can be exploited for malicious insertion
  • Governance gaps: No authority enforces security standards
  • Trust challenges: Anonymous contributors complicate trust assessment

Managing the tension:

Projects manage this tension through various mechanisms:

  • Review processes: Code review before merge (though variable quality)
  • Maintainer trust: Building reputation through sustained contribution
  • Signing and verification: Cryptographic attestation of contribution authenticity
  • Security teams: Dedicated security review for critical projects
  • Contributor vetting: Some projects require identity verification for sensitive access

The xz-utils incident revealed limitations of existing mechanisms. The attacker built trust through years of legitimate-appearing contributions before attempting malicious insertion. Standard review processes didn't catch the sophisticated backdoor. Only fortuitous external discovery prevented deployment.

Balancing approaches:

Different positions exist on how to balance openness and security:

Openness maximalists argue: - Restricting participation undermines open source benefits - More eyes (including potentially hostile ones) still find more bugs - Security through obscurity fails; openness is necessary - Trust should be in processes, not individual vetting

Security prioritizers argue: - Some access restrictions are necessary for critical infrastructure - Maintainer vetting is appropriate for sensitive projects - Not all contributions should be equally trusted - Process improvements can't fully address insider threat

Most practitioners occupy a middle ground, accepting that some tension is inherent and must be managed rather than resolved.

Critical Infrastructure Dependency

Open source sits at the foundation of critical infrastructure across sectors.

Sector dependencies:

  • Financial services: Trading systems, payment processing, core banking on Linux and open source
  • Healthcare: Medical devices, electronic health records incorporate extensive open source
  • Energy: Grid management, SCADA systems use open source components
  • Transportation: Aviation, rail, automotive systems depend on open source
  • Communications: Internet infrastructure, mobile networks built on open source
  • Government: Defense systems, administrative functions rely on open source

This dependency creates concentration risk. A vulnerability in a widely-used component affects all dependent systems simultaneously. Log4Shell demonstrated this—a single library vulnerability required emergency response across every sector.

Dependency on global contributors:

Critical infrastructure depends on contributors from various nations:

  • Linux kernel: Contributors from dozens of countries including geopolitical rivals
  • OpenSSL: International maintainer team
  • Internet protocol implementations: Global contribution base
  • Cryptographic libraries: International development

This international dependence creates security questions:

  • What if contributors from adversary nations insert vulnerabilities?
  • What if geopolitical conflicts disrupt collaboration?
  • How do you verify contributions from anonymous or pseudonymous developers?
  • Can nations trust software developed by potential adversaries?

Responses to dependency:

Organizations and governments respond through various approaches:

  • Vendor support: Commercial support from trusted vendors who vet contributions
  • Independent review: Security audits by trusted parties
  • Domestic alternatives: Some nations develop alternatives to reduce foreign dependency
  • Contribution restrictions: Some projects limit sensitive access to vetted contributors
  • Supply chain verification: Emerging tools for verifying component provenance

No approach fully resolves the dependency—it's too deep to eliminate. Managing rather than eliminating this dependency is the realistic goal.

Recommendations

We recommend navigating the global open source and national interest tension through:

For policy makers:

  1. Invest in open source security as public infrastructure, not just consumption
  2. Avoid fragmentation that undermines open source benefits through nationalist restrictions
  3. Support neutral governance structures that maintain global legitimacy
  4. Develop threat models appropriate to open source's unique characteristics
  5. Balance security with openness rather than seeking to eliminate tension

For security strategists:

  1. Map critical dependencies on open source infrastructure
  2. Assess contributor geography for sensitive projects without enabling discrimination
  3. Invest in verification capabilities for provenance and integrity
  4. Support security resources for projects you depend on
  5. Develop response plans for supply chain incidents affecting global infrastructure

For organizations:

  1. Acknowledge dependency on global open source infrastructure
  2. Contribute to security of projects you depend on
  3. Implement verification appropriate to risk level
  4. Maintain perspective balancing security concerns with collaboration benefits
  5. Engage with governance of critical projects to ensure appropriate security practices

The tension between open source as global commons and national security asset will persist. Successful navigation requires accepting this tension rather than seeking false resolution—maintaining the benefits of global collaboration while implementing proportionate security measures for genuinely critical concerns.