New paper explores Cybersecurity OSPO as a path to OSS resilience for governments

Think-tank publishes a blueprint for Cybersecurity OSPOs

Published on: 18/07/2023 News

The German think-tank, Stiftung Neue Verantwortung, has released a policy brief suggesting governments establish a cybersecurity Open Source Program Office (OSPO) to enhance the security of Open Source Solutions (OSS). The proposal comes as policy-level demand for OSS cybersecurity continues to grow. The brief asserts that cybersecurity OSPOs could provide an efficient solution to the unique challenges of secure OSS development.

The paper offers a detailed blueprint for such an OSPO, suggesting it could either be integrated within a national cybersecurity agency, as the agency could provide competent professionals, or operate as an independent office. Collaboration with other governmental agencies and stakeholders would be key regardless of the setup.

The blueprint envisions various potential roles and interventions for the cybersecurity OSPO, which could vary according to government needs and the stage of the software lifecycle. These could include compiling an inventory of critical infrastructure and of the OSS it uses, providing legal advice and security education, and offering best practices and guidelines. The OSPO could also conduct security audits and developer training, monitor whether bug fixes flow upstream, and, where needed, help projects find active communities to take them up.

Additionally, the brief suggests that cybersecurity OSPOs could support OSS development by identifying where the funding would be most useful for businesses developing the solutions, by coordinating funds at a pan-European level, or by advising on the use of other mechanisms such as public-private partnerships.

This policy brief emerges at a time when OSS cybersecurity is being increasingly discussed in policy initiatives, including the Cyber Resilience Act and the AI Act. In May, the European Union Agency for Cybersecurity issued a report forecasting cybersecurity threats from now until 2030, identifying OSS usage in supply chains as a potentially increasing risk. The proposal for a Cybersecurity OSPO provides a concrete starting point for governments to strengthen the security of the OSS ecosystem and address these concerns.

In recent years, OSPOs have become a preferred governance method for OSS initiatives in the private sector, with the public sector also beginning to adopt this model. More information about the OSPO model can be found in the dedicated section on the OSOR website.

The policy brief was authored by Dr. Sven Herpig, the project director for Cybersecurity Policy and Resilience at Stiftung Neue Verantwortung. His research focuses on areas such as the attack surface of machine learning with regard to national security, geopolitical responses to cyber operations, government hacking, and vulnerability management. Stiftung Neue Verantwortung is a think-tank focusing on policy and social issues of new digital technologies.