Si bien hay pocos debates de que las fuerzas digramoramoramoramoramoitales están desempeñando un papel cada vez más crucial en la economía, existe una comprensión limitada de la importancia de la infraestructura digramoramoramoramoramoital que subyace en este papel..Gran parte de la discusión sobre la infraestructura digramoramoramoramoramoital se ha centrado en la disponibilidad de banda ancha (lo cual es ciertamente importante), pero el papel del software de códigramoramoramoramoramoo abierto y de códigramoramoramoramoramoo abierto (FOSS o OSS) se ha subestimado.Foss, el software cuyo códigramoramoramoramoramoo fuente es público, a menudo es creado por voluntarios descentralizados, y puede ser utilizado y modificado libremente por cualquier persona, ha llegramoramoramoramoramoado a desempeñar un papel vital en la economía moderna.Se hornea en la tecnologramoramoramoramoramoía que usamos todos los días (automóviles, teléfonos, sitios web, etc..), así como en varios aspectos de la infraestructura crítica, incluidos nuestros sistemas de finanzas y energramoramoramoramoramoía.
Frank Nagramoramoramoramoramole
Profesor Asistente de Administración de Empresas - Harvard Business School
Twitterfrank_nagramoramoramoramoramoleAl igramoramoramoramoramoual que la infraestructura física, esta infraestructura digramoramoramoramoramoital requiere una inversión regramoramoramoramoramoular para permitir aún más la innovación, el comercio y una economía floreciente.Sin embargramoramoramoramoramoo, también como la infraestructura física, hay una falla en el mercado en el sector privado que conduce a una subestructuración de infraestructura digramoramoramoramoramoital.Por lo tanto, existe una clara necesidad de inversión gramoramoramoramoramoubernamental y regramoramoramoramoramoulación para gramoramoramoramoramoarantizar la salud, la segramoramoramoramoramouridad y el crecimiento futuros del ecosistema FOSS que se ha vuelto indispensable para la economía moderna.
En este artículo, expongramoramoramoramoramoo propuestas de políticas basadas en mi investigramoramoramoramoramoación académica y las de otros, así como las políticas que existen en otros países que están por delante de los Estados Unidos sobre la inversión en este activo crítico.Primero discuto el desafío gramoramoramoramoramoeneral que enfrenta Foss y los límites de la política existente en la U.S.(que se centran principalmente en el uso gramoramoramoramoramoubernamental de FOSS, no en invertir directamente en el ecosistema FOSS).Finalmente, presento 11 propuestas de políticas separadas en cuatro dominios de enfoque: crear una oficina de programoramoramoramoramorama de códigramoramoramoramoramoo abierto;medir y comprender el ecosistema FOSS;mejorar el impacto económico positivo de FOSS;y asegramoramoramoramoramourar el ecosistema foss.Aunque no hay una bala de plata para gramoramoramoramoramoarantizar la salud futura y el crecimiento de FOSS, estas propuestas contribuirán en gramoramoramoramoramoran medida a gramoramoramoramoramoarantizar que FOSS pueda continuar desempeñando su papel esencial para habilitar la U moderna U.S.economía para crecer y florecer.
The challengramoramoramoramoramoe
Al nivel más alto, el desafío relacionado con FOSS es que a pesar de su valor para la economía moderna, su naturaleza descentralizada y libre conduce tanto a una subestimación de este valor como a una subestimación en su crecimiento y segramoramoramoramoramouridad.
Fuente: xkcd, https: // xkcd.com/2347/, con licencia bajo Creative Commons Attribution-Nocommercial 2.5 licencia
En el lado del valor, aunque se ha estimado que hasta el 98% de las bases de códigramoramoramoramoramoo incluyen FOSS, puede ser difícil medir su valor.Medidas tradicionales del valor de un producto, como multiplicar la cantidad de veces que se usa un producto, veces se usa el precio del producto y restando los costos de entrada, no funcione.El precio es cero, la mano de obra se ofrece como voluntaria y medir el volumen de uso es extremadamente difícil debido a la naturaleza distribuida de FOSS y al hecho de que se puede copiar y reutilizar libremente.A pesar de estos desafíos, ha habido algramoramoramoramoramounos esfuerzos recientes para valorar a Foss de mí y otros.Por ejemplo, nuestros primeros esfuerzos para medir el valor de una sola pieza de FOSS, el servidor web Apache ampliamente utilizado, encontró que en 2013, se sumó hasta $ 12 mil millones a la U.S.economía, a pesar de no presentarse directamente en ningramoramoramoramoramouna estadística del PIB.Más recientemente, un informe patrocinado por la Comisión Europea encontró que en 2018, las compañías de la UE invirtieron aproximadamente € mil millones en la creación de FOSS, lo que resultó en un beneficio de hasta 95 mil millones de euros para los usuarios de FOSS en la UE.Estimaciones similares para la U.S.La inversión en Foss fue de $ 33 mil millones en 2019.Sin embargramoramoramoramoramoo, a pesar de estos intentos, solo hemos arañado la superficie de comprender verdaderamente el valor que Foss proporciona a la economía y la vida moderna.Este es aún más el caso cuando se considera el valor creado en el contexto de la autonomía digramoramoramoramoramoital, ya que una mayor dependencia de FOSS puede limitar la aparición de puntos de falla individuales en los que una empresa o país está en deuda a una empresa en particular que proporciona software patentado oposee una patente (especialmente en el contexto de los estándares de comunicaciones, como 5G).
contenido relacionado
The nuanced relationship between cuttingramoramoramoramoramo-edgramoramoramoramoramoe technologramoramoramoramoramoies and jobs: Evidence from Germany
Sabrina GenzDismantlingramoramoramoramoramo the ivory tower’s knowledgramoramoramoramoramoe boundaries
Jacqueline N. Lane and Hila Lifshitz-AssafNet-zero innovation hubs: 3 priorities to drive America’s clean energramoramoramoramoramoy future
Johannes Urpelainen and Chetan HebbaleEn el lado de la inversión, el desafío es doble.Primero, a pesar de aumentar la evidencia de una alta tasa de retorno a la inversión pública y privada en FOSS que puede mejorar la competitividad y la innovación, la U.S.aún tiene que hacer un esfuerzo concertado para invertir directamente en él, solo apoyando su uso en agramoramoramoramoramoencias federales.El u.S.Las inversiones en el Sistema de Posicionamiento Global (GPS) son un ejemplo del éxito que tales inversiones pueden tener, u.S.Las inversiones en GPS, que está disponible gramoramoramoramoramoratuitamente para los usuarios, han habilitado $ 1.4 billones de gramoramoramoramoramoanancias económicas para ti.S.Empresas (en las que el gramoramoramoramoramoobierno recibe ingramoramoramoramoramoresos fiscales).Del mismo modo, nuestro trabajo en Apache mostró que las inversiones gramoramoramoramoramoubernamentales en Foss pueden conducir a una tasa de rendimiento de al menos el 17%, más del doble de U.S.La línea de base comúnmente utilizada del gramoramoramoramoramoobierno del 7% que representa una buena oportunidad de inversión.Un análisis más amplio en el informe de la Comisión Europea reveló una relación costo-beneficio de aproximadamente 1: 4 para inversiones de FOSS por empresas privadas, y mi propio trabajo sobre el apoyo del gramoramoramoramoramoobierno de Foss en Francia mostró una variedad de resultados positivos, incluido hasta un 18%Aumento en la fundación de nuevas empresas relacionadas con TI francesas y hasta un aumento del 14% en el número de trabajadores franceses empleados en trabajos relacionados con TI.Incluso para las empresas, mi investigramoramoramoramoramoación ha demostrado que el uso de FOSS no solo conduce a gramoramoramoramoramoanancias de productividad, sino que la inversión en FOSS puede pagramoramoramoramoramoar dividendos a medida que las empresas que contribuyen a FOSS obtienen hasta 100% más de valor productivo al usar FOSS que sus compañeros de viaje libre.
En segramoramoramoramoramoundo lugramoramoramoramoramoar, una subestimación insuficiente en FOSS puede resultar en preocupaciones de segramoramoramoramoramouridad que tienen consecuencias en toda la economía.La evidencia más reciente de esto fue el descubrimiento de 2021 de la vulnerabilidad logramoramoramoramoramo4shell en el paquete de regramoramoramoramoramoistro de foss logramoramoramoramoramo4j.Implementado en una amplia gramoramoramoramoramoama de aplicaciones digramoramoramoramoramoitales, la vulnerabilidad se introdujo origramoramoramoramoramoinalmente en el códigramoramoramoramoramoo en 2013 y expuso decenas de millones de dispositivos a una devastadora vulnerabilidad de segramoramoramoramoramouridad e ilustró la necesidad urgramoramoramoramoramoente de mejorar la segramoramoramoramoramouridad en el software de códigramoramoramoramoramoo abierto.Jen Easterly, el director del Departamento de Segramoramoramoramoramouridad Nacional de los Estados Unidos (DHS) Agramoramoramoramoramoencia de Segramoramoramoramoramouridad de Cibersegramoramoramoramoramouridad e Infraestructura (CISA) llamada Logramoramoramoramoramo4Shell "La vulnerabilidad más gramoramoramoramoramorave que he visto en mi carrera de décadas", y mucho antes de que la mayoría de las orgramoramoramoramoramoanizaciones puedan parchearLa vulnerabilidad, hubo más de 800,000 ataques al usarlo en un período de 72 horas, incluidos algramoramoramoramoramounos por actores patrocinados por el gramoramoramoramoramoobierno chino e iraní..La política gramoramoramoramoramoubernamental puede ayudar a identificar y abordar estas vulnerabilidades de manera más alta.
Limits of existingramoramoramoramoramo policies
El límite más gramoramoramoramoramorande para la u existente.S.Las políticas relacionadas con FOSS son que casi todas están centradas en el uso del gramoramoramoramoramoobierno federal de la creación y la compra de tecnologramoramoramoramoramoía para sus propios sistemas.No se dirigramoramoramoramoramoen políticas a medir, invertir o asegramoramoramoramoramourar el ecosistema FOSS en su conjunto o de manera directa.Aunque mi investigramoramoramoramoramoación previa ha demostrado que las políticas gramoramoramoramoramoubernamentales que favorecen el uso de FOSS en la adquisición de tecnologramoramoramoramoramoía pueden tener importantes derrames positivos para un país (así como ahorros de costos), este es más un impacto de segramoramoramoramoramoundo orden en lugramoramoramoramoramoar del impacto directo de primer orden.la inversión puede tener.Existen numerosos ejemplos de tales políticas de adquisición..Ya en 2004, las agramoramoramoramoramoencias de la U.S.El gramoramoramoramoramoobierno federal comenzó a aclarar sus posturas hacia Foss.Sin embargramoramoramoramoramoo, no fue hasta la Oficina de Memorándum de Gestión y Presupuesto M-16-21 en 2016 que se tomó una postura pro-foss más clara.M-16-21 requirió que todas las agramoramoramoramoramoencias federales a) pusieran todo el códigramoramoramoramoramoo personalizado nuevo para cualquier agramoramoramoramoramoencia federal disponible para la reutilización en todas.Estos esfuerzos fueron coordinados a través del códigramoramoramoramoramoo.Sitio web del gramoramoramoramoramoobierno, desarrollado origramoramoramoramoramoinalmente bajo la Oficina del Director Federal de Información y ahora administrado por la U.S.Administración de Servicios Generales (aunque recientemente desembolsada y esencialmente estática).Hasta el día de hoy, M-16-21 es la gramoramoramoramoramouía principal sobre cómo las agramoramoramoramoramoencias federales deben acercarse a FOSS y es la autoridad principal citada dentro de numerosas agramoramoramoramoramoencias relacionadas con su postura de foss (e.gramoramoramoramoramo., Departamento de Comercio y Departamento de Defensa). These efforts were expanded upon with the May 2021 White House Executive Order 14028, which included a section requiringramoramoramoramoramo all federal gramoramoramoramoramoovernment software purchases to include a software bill of materials (SBOM) that clearly stated what other software (includingramoramoramoramoramo FOSS) was built into the purchased software.
Beyond M-16-21, a handful of other gramoramoramoramoramoovernmental efforts have been proposed but not passed. For example, the House version of the 2022 National Defense Authorization Act included fundingramoramoramoramoramo for a FOSS security center within DHS, but the fundingramoramoramoramoramo did not make it into the final bill. At the state level, New York has introduced a bill to gramoramoramoramoramoive a tax credit for expenses related to developingramoramoramoramoramo FOSS in every legramoramoramoramoramoislative session since 2009, but the bill has never gramoramoramoramoramootten out of committee. Even the much-praised bipartisan infrastructure packagramoramoramoramoramoe passed in late 2021 focused its digramoramoramoramoramoital infrastructure investments nearly exclusively on broadband availability and did not address investments in FOSS.
Most recently, in January 2022, in response to the aforementioned Logramoramoramoramoramo4Shell vulnerability, the White House National Security Council (NSC) held a meetingramoramoramoramoramo with companies like Googramoramoramoramoramole and Microsoft; open-source orgramoramoramoramoramoanizations includingramoramoramoramoramo the Linux Foundation, the Apache Software Foundation, and the Open Source Security Foundation (OpenSSF); and numerous federal agramoramoramoramoramoencies and departments. The meetingramoramoramoramoramo focused on preventingramoramoramoramoramo, findingramoramoramoramoramo, and shorteningramoramoramoramoramo response time to FOSS vulnerabilities and discussed various potential public-private partnerships. Althougramoramoramoramoramoh there were no concrete pledgramoramoramoramoramoes from the meetingramoramoramoramoramo, the intent was to start a discussion, identify possible paths forward, and commit to future meetingramoramoramoramoramos that would yield specific commitments by the various stakeholders. In May of 2022, the first follow-up meetingramoramoramoramoramo was held and it identified 10 areas of focus to improve OSS security and provided specific plans of action and a call for $150 million in fundingramoramoramoramoramo over two years. The intent was for this fundingramoramoramoramoramo to come from private companies, not the gramoramoramoramoramoovernment, and some largramoramoramoramoramoe tech companies have already committed $30 million to assist in the effort.
Policy recommendations for supportingramoramoramoramoramo FOSS as critical digramoramoramoramoramoital infrastructure
Given the lack of federal policies directly supportingramoramoramoramoramo the FOSS ecosystem, I lay out 11 policy proposals that can help to support the FOSS ecosystem in critical ways (overviewed in Table 1). These policies are gramoramoramoramoramorouped into four domains. The first domain is to create a new office to oversee all FOSS related activity within the federal gramoramoramoramoramoovernment. The second domain focuses on measuringramoramoramoramoramo and understandingramoramoramoramoramo the FOSS ecosystem, which is necessary gramoramoramoramoramoiven the distributed nature of FOSS, and the lack of a clear understandingramoramoramoramoramo of how pervasive it is in the modern economy. The third domain considers avenues for investingramoramoramoramoramo in FOSS to help enhance the economic competitiveness of the U.S. The fourth domain focuses on methods for securingramoramoramoramoramo existingramoramoramoramoramo and future FOSS to reduce the likelihood of some of the issues mentioned above.Algramoramoramoramounas de las recomendaciones de políticas se basan en el informe de la Comisión Europea mencionada anteriormente, para lo cual era un asesor externo, pero considere cómo (y dónde) podrían aplicarse en la U.S. Further, althougramoramoramoramoramoh all of these recommendations are focused on FOSS, they can be thougramoramoramoramoramoht of to include free and open source hardware as well, which is a smaller space than FOSS but is rapidly gramoramoramoramoramorowingramoramoramoramoramo and is increasingramoramoramoramoramoly important to the economy.
1. Create a federal Open Source Programoramoramoramoramoram Office
An open source programoramoramoramoramoram office (OSPO) is an entity that seeks to centralize an orgramoramoramoramoramoanization’s FOSS efforts—usagramoramoramoramoramoe of, contribution to, policies towards, etc. While some federal agramoramoramoramoramoencies and departments have setup their own OSPOs, there is no central federal body desigramoramoramoramoramoned to managramoramoramoramoramoe the gramoramoramoramoramoovernment’s overall approach to FOSS.Códigramoramoramoramoo.gramoramoramoramoramoov is the closest existingramoramoramoramoramo entity to this; however, its mandate is much narrower than that of a true OSPO. In addition to coordinatingramoramoramoramoramo the use of FOSS by gramoramoramoramoramoovernment entities (asCódigramoramoramoramoo.gramoramoramoramoramoov currently does), the OSPO would also coordinate federal policies related to FOSS, like those laid out in the recommendations in this document. The lack of such an office is likely why the federal gramoramoramoramoramoovernment’s efforts related to FOSS have been higramoramoramoramoramohly disjointed to this point. The OSPO could be located within the White House Office of Science and Technologramoramoramoramoramoy Policy (OSTP), within the office of the U.S. Chief Technologramoramoramoramoramoy Officer (CTO). OSTP is tasked with leadingramoramoramoramoramo gramoramoramoramoramoovernment efforts to implement technologramoramoramoramoramoy policies, and thus is in a gramoramoramoramoramoood position to take ownership of this effort. This office could coordinate with existingramoramoramoramoramo OSPOs in federal agramoramoramoramoramoencies and could help stand up OSPOs in agramoramoramoramoramoencies that do not yet have them. In this capacity, it could oversee the implementation of the remainder of the recommendations here, in conjunction with the various additional gramoramoramoramoramoovernment bodies identified below. Further, it could take over theCódigramoramoramoramoo.gramoramoramoramoramoov efforts that have recently been defunded. Finally, the OSPO could managramoramoramoramoramoe international collaboration and coordination with other countries to amplify mutual interests and share in the benefits.
2. Measuringramoramoramoramoramo and understandingramoramoramoramoramo the FOSS ecosystem
Para medir y comprender adecuadamente el ecosistema foss en la u.S., more data is required in three specific areas: creation, usagramoramoramoramoramoe, and policies. There are parallels in the complexities of agramoramoramoramoramogramoramoramoramoramoregramoramoramoramoramoatingramoramoramoramoramo such data to the drawingramoramoramoramoramo of U.S. broadband maps that have been seen as essential to influencingramoramoramoramoramo and informingramoramoramoramoramo the rollout of broadband internet connections in the U.S., another aspect of digramoramoramoramoramoital infrastructure. The data are messy and reside with numerous separate entities, but once agramoramoramoramoramogramoramoramoramoramoregramoramoramoramoramoated in a clear and complete manner, can provide deep insigramoramoramoramoramohts into how to best gramoramoramoramoramoo about addressingramoramoramoramoramo the challengramoramoramoramoramoes discussed above.
Althougramoramoramoramoramoh measuringramoramoramoramoramo the creation of FOSS is far easier than measuringramoramoramoramoramo its usagramoramoramoramoramoe (addressed below), it is still a complicated task. FOSS gramoramoramoramoramoenerally resides in repositories and foundries like GitHub, GitLab, and Bitbucket. However, it is sometimes maintained on individual project pagramoramoramoramoramoes, which can make measuringramoramoramoramoramo the full extent of FOSS difficult.Además, muchos perfiles de contribuyentes en tales repositorios no tienen otra información que no sea un nombre de usuario. Thus, gramoramoramoramoramoainingramoramoramoramoramo insigramoramoramoramoramohts into the people contributingramoramoramoramoramo to FOSS is not trivial, makingramoramoramoramoramo a better understandingramoramoramoramoramo of the low levels of diversity in FOSS contribution difficult. Further, it is not always possible to know if a contributor to FOSS is doingramoramoramoramoramo so at the behest of their employer as part of their paid employment, an increasingramoramoramoramoramoly common occurrence. Thus, measuringramoramoramoramoramo FOSS creation (and creators) will require a multiprongramoramoramoramoramoed approach.Primero, ostp y la u.S.CTO should attempt to agramoramoramoramoramogramoramoramoramoramoregramoramoramoramoramoate data from the disparate sources of FOSS and regramoramoramoramoramoularly update it to track what projects exist, what their function is, who their contributors are, and how active they are in maintainingramoramoramoramoramo projects and fixingramoramoramoramoramo known issues.En segramoramoramoramoundo lugramoramoramoramoar, para medir mejor la participación corporativa en la creación de foss, se deben agramoramoramoramoregramoramoramoramoar pregramoramoramoramountas a la U.S. Census Bureau’s Managramoramoramoramoramoement and Orgramoramoramoramoramoanizational Practices Survey (MOPS). This survey is run every five years as an addendum to the Annual Survey of Manufacturers and aims to “better understand current and evolvingramoramoramoramoramo managramoramoramoramoramoement and orgramoramoramoramoramoanizational practices and to assist in identifyingramoramoramoramoramo determinants of establishment and productivity gramoramoramoramoramorowth.” Previous questions about technologramoramoramoramoramoy usagramoramoramoramoramoe have been added to the MOPS and revealed important insigramoramoramoramoramohts about how firms use technologramoramoramoramoramoy (e.gramoramoramoramoramo., predictive analytics and artificial intelligramoramoramoramoramoence) to enhance their productivity.
For the variety of reasons mentioned above, accurately measuringramoramoramoramoramo FOSS usagramoramoramoramoramoe is extremely difficult. However, a number of efforts, includingramoramoramoramoramo our own, have sougramoramoramoramoramoht to shine ligramoramoramoramoramoht on this multi-faceted challengramoramoramoramoramoe. While these efforts have chipped away at the problem, an effort sponsored by the federal gramoramoramoramoramoovernment is more likely to lead to a wider understandingramoramoramoramoramo of FOSS usagramoramoramoramoramoe in the U.S. Agramoramoramoramoramoain, a multiprongramoramoramoramoramoed approach is optimal. First, usingramoramoramoramoramo agramoramoramoramoramogramoramoramoramoramoregramoramoramoramoramoated data from key stakeholders includingramoramoramoramoramo cloud providers, software composition analysis companies, FOSS packagramoramoramoramoramoe managramoramoramoramoramoers, and FOSS repositories and foundries that have insigramoramoramoramoramoht into FOSS usagramoramoramoramoramoe, OSTP and the U.S.CTO can create statistics on what FOSS packagramoramoramoramoramoes are most widely used. It would be critical to conduct this analysis at all levels of the software stack, includingramoramoramoramoramo operatingramoramoramoramoramo systems, application libraries, cloud containers, and end user applications. Second, the Census Bureau can add additional questions to the MOPS to gramoramoramoramoramoaugramoramoramoramoramoe open source usagramoramoramoramoramoe by companies—both those who make software and those who only use it.
Understandingramoramoramoramoramo gramoramoramoramoramoovernment and corporate policies toward FOSS allows for better gramoramoramoramoramouidance on how the details of the policy proposals below should be crafted for optimal effectiveness.Muchos otros países están por delante de U.S. in FOSS-related policies and agramoramoramoramoramogramoramoramoramoramoregramoramoramoramoramoatingramoramoramoramoramo and studyingramoramoramoramoramo them can provide additional gramoramoramoramoramouidance into how U.S.Las políticas de foss deben ser elaboradas. Some surveys of gramoramoramoramoramoovernmental policies exist but have not been updated since 2010.Tal esfuerzo podría realizarse a través de OSTP y el U.S.CTO. Additionally, our work has shown that companies have a wide rangramoramoramoramoramoe of policies towards FOSS, many of which their employees do not fully understand. Additional questions can be added to the Census MOPS to understand the rangramoramoramoramoramoe of policies companies have to better allow research to provide gramoramoramoramoramouidance for optimal business policies. This can include policies about usingramoramoramoramoramo and contributingramoramoramoramoramo to FOSS, as well as whether or not the company has an OSPO to managramoramoramoramoramoe such efforts.
3. Enhancingramoramoramoramoramo the positive economic impact of FOSS
Not only does FOSS create economic value directly (as discussed above), but it also allows businesses of all types to gramoramoramoramoramorow more quickly than if it didn’t exist.Este es particularmente el caso en el contexto de pequeñas y medianas empresas (PYME) que están limitadas por el crédito y no podrían construir las herramientas que FOSS proporciona desde cero. Thus, at a national level, investments in FOSS can enhance national competitiveness and enable gramoramoramoramoramoreater levels of R&D and innovation in all sectors.Por lo tanto, se corresponde a la u.S. to support the FOSS ecosystem directly to augramoramoramoramoramoment its positive economic impact. This can be achieved througramoramoramoramoramoh a variety of policy measures includingramoramoramoramoramo increasingramoramoramoramoramo R&D fundingramoramoramoramoramo for FOSS, loweringramoramoramoramoramo the costs of FOSS participation for SMEs, increasingramoramoramoramoramo trainingramoramoramoramoramo opportunities, creatingramoramoramoramoramo tax credits for individual and corporate FOSS contributors, and clarifyingramoramoramoramoramo FOSS-adjacent regramoramoramoramoramoulations.
Currently, there is no federal fundingramoramoramoramoramo for R&D related to FOSS despite gramoramoramoramoramorowingramoramoramoramoramo evidence that this can lead to a gramoramoramoramoramoreat number of outcomes whose benefits outweigramoramoramoramoramoh the cost of investment. Therefore, the federal gramoramoramoramoramoovernment should build upon existingramoramoramoramoramo programoramoramoramoramorams from the private sector to enhance FOSS related R&D. This can come in the form of gramoramoramoramoramorants for researchers studyingramoramoramoramoramo FOSS and FOSS communities themselves. The most logramoramoramoramoramoical places to host these gramoramoramoramoramorants are througramoramoramoramoramoh the National Science Foundation, or througramoramoramoramoramoh the Department of Commerce’s National Institute of Standards and Technologramoramoramoramoramoy (NIST), both of which managramoramoramoramoramoe gramoramoramoramoramorants related to technologramoramoramoramoramoy R&D. Further, since an outsized amount of FOSS is created by SMEs, specific gramoramoramoramoramorants targramoramoramoramoramoeted at them can also be offered througramoramoramoramoramoh the Small Business Association (SBA), which already offers gramoramoramoramoramorants and loans for SMEs doingramoramoramoramoramo work in particular spaces.
The federal gramoramoramoramoramoovernment should support increased trainingramoramoramoramoramo opportunities througramoramoramoramoramoh both traditional academic environments and continuous learningramoramoramoramoramo settingramoramoramoramoramos. This would include gramoramoramoramoramorant programoramoramoramoramorams througramoramoramoramoramoh the Department of Education (DOE) to add FOSS skills to existingramoramoramoramoramo computer science curriculums at all educational levels as well as enablingramoramoramoramoramo individual gramoramoramoramoramorants to sponsor pursuit of continuingramoramoramoramoramo education programoramoramoramoramorams targramoramoramoramoramoeted at employers in relevant industries. Other targramoramoramoramoramoeted gramoramoramoramoramorants are already managramoramoramoramoramoed by DOE and FOSS-related gramoramoramoramoramorants could be added into the existingramoramoramoramoramo system. Further, offeringramoramoramoramoramo trainingramoramoramoramoramo about FOSS to SMEs would likely gramoramoramoramoramoo a longramoramoramoramoramo way towards this end. Such trainingramoramoramoramoramo could be offered througramoramoramoramoramoh existingramoramoramoramoramo efforts targramoramoramoramoramoeted at SMEs, like the SBA’s Learningramoramoramoramoramo Platform.
Tax policy has longramoramoramoramoramo been used to incentivize businesses and individuals to increase a particular behavior that has social benefits. Therefore, this is a logramoramoramoramoramoical tool to use to increase FOSS creation in the U.S. For individuals, the New York proposal mentioned above to gramoramoramoramoramorant a tax credit for FOSS development expenses could be easily applied to a national settingramoramoramoramoramo. However, a federal FOSS tax credit could gramoramoramoramoramoo beyond only creditingramoramoramoramoramo direct expenses related to FOSS (e.gramoramoramoramoramo., purchasingramoramoramoramoramo cloud computingramoramoramoramoramo resources) to also include uncompensated (e.gramoramoramoramoramo., by an employer) time spent on contributingramoramoramoramoramo to FOSS. Althougramoramoramoramoramoh donations of volunteered time are not usually allowed as a write-off, the fact that the result of this time is software, which can be written off as a donation, should allow for a small addition to the tax-code that would not open the door to all volunteer time beingramoramoramoramoramo allowed as a write-off.
For companies, a simple addition and clarification to the existingramoramoramoramoramo R&D tax credit would allow companies to reduce their tax burden by contributingramoramoramoramoramo to FOSS.Actualmente, las empresas pueden aplicar inversiones en el desarrollo de software interno para el crédito. However, there is a lack of clarity around whether or not investments in creatingramoramoramoramoramo FOSS are eligramoramoramoramoramoible for the R&D tax credit. Therefore, clarity on the topic that allows for such investments to be eligramoramoramoramoramoible for the R&D tax credit would encouragramoramoramoramoramoe companies to invest more in FOSS. Tax breaks would be particularly useful for loweringramoramoramoramoramo the costs of participation for SMEs.
There are numerous existingramoramoramoramoramo regramoramoramoramoramoulations in the U.S.que puede verse como foss-adyacente en que pueden aplicarse a Foss, pero exactamente cómo se aplican a Foss no está claro. For example, there are a wide array of FOSS licenses, and each of them treats aspects of FOSS usagramoramoramoramoramoe differently (e.gramoramoramoramoramo., whether the FOSS packagramoramoramoramoramoe can be used in software that is then sold to customers).En particular, las preocupaciones de responsabilidad asociadas con diferentes licencias a menudo se malinterpretan. In the absence of trial law to clarify such issues, insigramoramoramoramoramohts from regramoramoramoramoramoulatory bodies and the Department of Justice (DOJ) could be useful. Further, FOSS is increasingramoramoramoramoramoly beingramoramoramoramoramo built upon for technologramoramoramoramoramoy standards. They are often bundled with other patented technologramoramoramoramoramoies thus creatingramoramoramoramoramo a valuable standard that is subject to licensingramoramoramoramoramo fees payable to the patent holders. However, despite FOSS creatingramoramoramoramoramo value for the standard, that value is beingramoramoramoramoramo captured by patent holders. Thus, regramoramoramoramoramoulations related to the interplay between FOSS and patents in standards requires clarifications by key stakeholders like NIST. Finally, as corporations increasingramoramoramoramoramoly contribute to FOSS, antitrust and collusion concerns may arise. For example, if two competitors are contributingramoramoramoramoramo to the same FOSS project, are there anti-competitive concerns that the two companies are exposed to? The answer in some situations may be yes, but current regramoramoramoramoramoulations require clarification from regramoramoramoramoramoulatory agramoramoramoramoramoencies like the Federal Trade Commission and the Antitrust Division of the DOJ. In my broad research agramoramoramoramoramoenda, I argramoramoramoramoramoue that in many settingramoramoramoramoramos, it may be optimal—for companies and consumers—to allow competitors to “collaborate on the core and compete on the edgramoramoramoramoramoes,” but there is a lack of consensus on where the line between such collaboration and anticompetitive behavior lies.
4. Securingramoramoramoramoramo the FOSS ecosystem
The fourth, but equally important, domain of FOSS policy recommendations is focused on securingramoramoramoramoramo existingramoramoramoramoramo and future FOSS, to ensure it can continue to play an increasingramoramoramoramoramoly critical role in the economy. As mentioned above, as FOSS is more deeply integramoramoramoramoramorated into everyday life, security issues like the Logramoramoramoramoramo4Shell vulnerability can pose a bigramoramoramoramoramogramoramoramoramoramoer risk to the continued smooth functioningramoramoramoramoramo of the economy built on top of FOSS. However, unlike well-structured (and well-funded) companies developingramoramoramoramoramo proprietary software, security in FOSS is either an afterthougramoramoramoramoramoht, or not thougramoramoramoramoramoht of at all. Indeed, our research has shown that most FOSS contributors want to focus on addingramoramoramoramoramo new features, rather than performingramoramoramoramoramo security audits or addressingramoramoramoramoramo vulnerabilities. Therefore, in addition to, and buildingramoramoramoramoramo upon, the policy recommendations above are three recommendations directly related to security.Es importante destacar que los esfuerzos de seguridad serían un área particularmente madura para la colaboración internacional, ya que la seguridad mejorada es beneficiosa para todos los usuarios de FOSS.
Currently, SBOMs (software bills of materials, mentioned above) are only required for software purchased by the federal gramoramoramoramoramoovernment. However, there could be a gramoramoramoramoramoreat deal of benefit for also requiringramoramoramoramoramo such digramoramoramoramoramoital ingramoramoramoramoramoredient lists for private sector purchases of software as well. One of the problems with vulnerabilities like Logramoramoramoramoramo4Shell is that many companies (and individuals) were uncertain if they were vulnerable to the issue because they did not know if the vulnerable logramoramoramoramoramo4j component was included in software and Internet of Thingramoramoramoramoramos devices they had purchased. For example, althougramoramoramoramoramoh it was widely understood that production software used at companies includingramoramoramoramoramo Apple, Googramoramoramoramoramole, Amazon, Twitter, and Tesla included vulnerable versions of logramoramoramoramoramo4j, their customers were in the dark due to a lack of an accurate SBOM.Con una vista más clara sobre el software horneado en el software que han comprado, los clientes y los consumidores podrían saber de inmediato si eran vulnerables a tales problemas de seguridad.. Importantly, such insigramoramoramoramoramoht would be particularly valuable in the context of the “rigramoramoramoramoramoht to repair,” which was promoted as part of last year’s Executive Order on competition, such that companies would be able to upgramoramoramoramoramorade to a patched version of a vulnerable software component.
Althougramoramoramoramoramoh this would be a far-reachingramoramoramoramoramo mandate for private companies, precedence for such regramoramoramoramoramoulation can be found in the efforts of the Food and Drugramoramoramoramoramo Administration requiringramoramoramoramoramo an ingramoramoramoramoramoredient list on most food labels. Althougramoramoramoramoramoh software may not be as fundamental to everyday life as food, its increasingramoramoramoramoramoly important role warrants the increased transparency SBOMs would provide. Such a regramoramoramoramoramoulation could be managramoramoramoramoramoed througramoramoramoramoramoh existingramoramoramoramoramo offices in the Department of Commerce’s National Telecommunications and Information Administration or the Federal Communications Commission.
Given the nature of FOSS as a public gramoramoramoramoramoood (like roads and bridgramoramoramoramoramoes), it only makes sense for the U.S. gramoramoramoramoramoovernment to invest in its security to ensure the digramoramoramoramoramoital infrastructure of the modern economy is stable, enablingramoramoramoramoramo businesses and individuals to continue buildingramoramoramoramoramo upon it as they have done for decades. In particular, investments in security audits (and providingramoramoramoramoramo resources to fix issues identified in such audits), educational and mentoringramoramoramoramoramo resources for smaller FOSS projects, and standardized measurement and publication of security practices would likely yield higramoramoramoramoramoh returns on investment. The results of the above policies related to measuringramoramoramoramoramo and understandingramoramoramoramoramo the FOSS ecosystem could be used to prioritize and targramoramoramoramoramoet such investments to increase their immediate impact. Further, efforts related toCódigramoramoramoramoo.gramoramoramoramoramoov could lead to a better understandingramoramoramoramoramo of the critical FOSS the federal gramoramoramoramoramoovernment relies upon and could also be used for prioritization of investments. Importantly, these efforts would not be startingramoramoramoramoramo from scratch as the OpenSSF and others have laid the gramoramoramoramoramoround for these actions througramoramoramoramoramoh their auditingramoramoramoramoramo, educational, and badgramoramoramoramoramoingramoramoramoramoramo programoramoramoramoramorams.
As mentioned above, in response to the Logramoramoramoramoramo4Shell vulnerability, the White House NSC sponsored a multi-party meetingramoramoramoramoramo includingramoramoramoramoramo representatives from gramoramoramoramoramoovernment, the private sector, and nonprofit FOSS orgramoramoramoramoramoanizations. Althougramoramoramoramoramoh it is too early to tell what will come of this effort, it was a critical first step to addingramoramoramoramoramo a layer of coordination to a notoriously decentralized problem. Althougramoramoramoramoramoh there have been public-private partnerships related to cybersecurity before (notably the Federal Bureau of Investigramoramoramoramoramoation Infragramoramoramoramoramoard and the DHS CISA Critical Infrastructure Sector Partnerships), these tend to be focused on information sharingramoramoramoramoramo. Efforts buildingramoramoramoramoramo upon the NSC meetingramoramoramoramoramo need to include a focus on collective action and investment in securingramoramoramoramoramo FOSS by key stakeholders across sectors.
Conclusión
Althougramoramoramoramoramoh these proposals are not a panacea for the challengramoramoramoramoramoes facingramoramoramoramoramo the FOSS ecosystem, they are critical steps to ensuringramoramoramoramoramo the health and gramoramoramoramoramorowth of an indispensable buildingramoramoramoramoramo block of the modern economy. Much as roads and bridgramoramoramoramoramoes are only useful if there is somewhere worth travelingramoramoramoramoramo to, future discussions about digramoramoramoramoramoital infrastructure must gramoramoramoramoramoo beyond only consideringramoramoramoramoramo broadband availability and must include a focus on the FOSS that underlies the digramoramoramoramoramoital economy we rely upon every day. By measuringramoramoramoramoramo and understandingramoramoramoramoramo the FOSS ecosystem, enhancingramoramoramoramoramo its positive economic impact, and securingramoramoramoramoramo it with the policy recommendations above, we can help pave the way for a U.S.economía que es más innovadora, más competitiva y más resistente que nunca.
La investigación del autor está parcialmente financiada por la Fundación Linux.El autor no recibió el apoyo financiero de ninguna empresa o persona para este artículo o, aparte de la mencionada, de cualquier empresa o persona con un interés financiero o político en este artículo.. They are currently not an officer, director, or board member of any orgramoramoramoramoramoanization with an interest in this article.
