EXCLUSIVE INTERVIEW

FOSS vs. the Winged Monkeys: Q&A With Open Source for America’s Chris Lundberg

Chris Lundberg has worked for years to drive the availability of technology to the masses. He has managed teams developing software for the Library of Congress, worked with the U.S. Navy to develop satellite communications software and consulted for Accenture in developing telecom Internet solutions.

Prior to that, Lundberg produced Internet solutions for the financial and entertainment sectors as director of applications at Opion. He is an open source user and advocate. Lundberg is pretty sure that access to organizing technology is the only thing keeping the “winged monkeys” at bay.

“I’ve got this mental image of technological progress being a band marching down a yellow brick road, beset by authoritarian governments, secrecy, poor information distribution and deceit at every turn — the winged monkeys, as it were. Open source, and more generally open access, gives us some arrows to fire back with,” Lundberg, cofounder and CTO of DemocracyInAction.org and partner for WiredForChange, told LinuxInsider.

Information Peddler

Lundberg worked to get Open Source for America launched this summer and is on its board of advisors. This group is a coalition of more than 60 organizations joining together to advocate open source in the U.S. federal government arena. Its membership includes industry leaders such as Red Hat, Sun Microsystems, Google, Novell and Oracle, along with academic institutions, associations, communities, think tanks and related open source groups.

Lundberg is looking to the new administration in Washington to move forward with technological reform. So far, he said, the new president is making the right moves, but he expects to see more governmental cooperation.

The Obama administration has expressed its desire to create an unprecedented level of openness in government and establish a system of transparency, public participation and collaboration. These goals coincide with those of open source, noted Lundberg.

Open Source for America provides a unified voice to help bring about change in U.S. federal government policies and practices to allow it to better utilize open source software for cost efficiency, security and enhanced performance.

Taking a Stand

LinuxInsider recently spoke with Chris Lundberg to discuss the issues surrounding efforts to advance the use of technology for the masses.

LinuxInsider: How is open source contributing to your image of the Winged Monkey — or changing it?

Chris Lundberg:

Open source and open access represent the idea that solutions are often better found via many, than via few. It’s as much a philosophy as a method of software development.

LI: Why doesn’t proprietary stuff fit this mold?

Lundberg:

In some cases, proprietary models can help open up access to technologies and drive innovation. But the temptations often drive well-meaning proprietary developers down paths that are unsustainable. It also doesn’t make for good governance, as it becomes difficult for constituents to have an influence on their governments.

LI: What role is Open Source for America playing in the push for technology?

Lundberg:

The last 10 years have seen a growing set of individuals and organizations who have been working with the government to learn about and use open source technologies. This year, there have been initiatives at the federal level around openness, transparency and collaboration. Not long after President Obama signed his transparency memorandum, some of the members discussed that the new administration seemed interested in technologies that could improve access to technology.

LI: Since it was part of his platform, how effective has the Obama administration been in creating unprecedented levels of openness in government?

Lundberg:

He faces a tough battle, particularly with the breadth of the federal government. But they’re making good strides with Whitehouse.gov and a few other federal sites. I worked at the Library of Congress for a little while, and I know the many, many hoops that remain. We hope that this movement toward open communication is continued and is also reflected in the technologies the administration chooses to deploy.

LI: What factors led to the formation of the Open Source for America organization?

Lundberg:

Open Source for America’s goal is to promote the benefits of open source software. The campaign seeks to educate Americans and government leaders about the incredible power of open source software and its reliance on a broad community of review and testing. We believe open source software is more secure, more reliable, lowers costs, enables better choice and will provide improved government performance and service.

LI: What goals have you laid out for the organization to accomplish all of this?

Lundberg:

Some of our goals are to affect change in the U.S. federal government policies and practices so that the federal government may more fully benefit from and utilize open source software. We want to coordinate an open source community to collaborate with the federal government on technology requirements. We also want to raise awareness and create understanding among federal government leaders about the values and implications of open source software. We hope that Open Source for America may also participate in standards development and other activities that may support its open source mission.

LI: That is quite a goal set. Is the growing trend toward open source software changing the emphasis on giving technology to the masses?

Lundberg:

Open source has always been about distributing technology as far and wide as possible, both for altruistic purposes and tangible purposes such as security, etc. While the masses may not always be able to install their own operating system or database, it allows service providers such as ours to reduce overhead, minimize maintenance and ensure that problems can be identified and resolved before they become major issues. This combination of open source software and service models can get organizing technology to the masses more effectively than ever before.

LI: And this is the added push, then, that your organization is providing?

Lundberg:

Yup!

LI: What are the road blocks in the drive to make technology more available to the masses?

Lundberg:

Well, of course it differs by country and region, but we try and categorize it as: A) Access — is a computer, cellphone, or Internet connection even available?; B) Price — is the technology priced out of a reasonable range?; C) Complexity — is it prohibitively hard to use?; D) Effectiveness — Does it make a difference? Our day-to-day aim is trying to move the ball down the road on each of these.

LI: Have any of these roadblocks been solved?

Lundberg:

Well, sheesh, of course everyone has 100MBit access now, right? They’re all moving targets, of course, but we’ve seen and helped drive progress in the last five years on reducing price and complexity and increasing effectiveness. Access is moving slowly.

LI: What kind of differences are you seeing regionally?

Lundberg:

In the U.S., I hope that some of the new broadband legislation will drive up access in remote regions and some cities. Internationally in developing countries, we’re going to have to be creative in creating effective technologies over cellphone connections. Lots of challenges remain.

LI: Is open source making any inroads in the U.S. government as it is in governments in Europe, Asia and Africa?

Lundberg:

In 2004 the U.S. Office of Management and Budget issued a memorandum, M-04-16, which called on all federal agencies in the nation to exercise the same procurement procedures for open source software as they would for commercial software. A pretty astounding step. … Since then, open source software adoption has grown with agencies from the U.S. Navy, Federal Aviation Administration and Census Bureau to the U.S. Patent and Trademark Office and many more.

LI: Can you offer some examples of this progress?

Lundberg:

Hill Air Force Base in Ogden, Utah, migrated to an open source operating system at just two percent of the cost of its previous operating system, realizing tremendous savings in cost and time while maintaining user satisfaction and continuing to meet strict security standards. Another example is the U.S. Department of Health and Human Services.

LI: What do you look forward to happening in the immediate future regarding open technology?

Lundberg:

I hope primarily for open access to government information. Right now there are very few standard ways to communicate with government, but that’s moving along.

LI: Is this a level playing field in each country, or are some nations more cooperative than others?

Lundberg:

Frankly, most administrators and governments are trying to feel their way around technology, and so we’re seeing this back and forth between open source and proprietary technologies.

LI: Do you see this as your group’s biggest challenge?

Lundberg:

We see the biggest challenge being connectivity, both in the U.S. and internationally. We see access to cheap, simple organizing tools is a surprisingly difficult step but one that we feel can change how we govern and are governed.

LI: Is this because of the struggling third-world nations or government resistance to open communication?

Lundberg:

I think it’s because there’s very little incentive for good geeks to work in government, thus making technology decisions more about the sales process than the technology.

LI: Any final observations?

Lundberg:

Wrangle the geeks, and the rest will come through.


Open Source Leaders Push WH for Security Action

A first-of-its-kind plan to broadly address open source and software supply chain security is waiting for White House support.

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB on Thursday to reach a consensus on key actions to take to improve the resiliency and security of open-source software.

A subset of participating organizations has collectively pledged an initial tranche of funding towards the implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMWare, pledging over $30 million. As the plan evolves further, more funding will be identified and work will begin as individual streams are agreed upon.

Open Source Software Security Summit II is a follow-up to the first Summit held in January, led by the White House’s National Security Council. That meeting, convened by the Linux Foundation and OpenSSF, came on the one-year anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

As part of this second White House Open Source Security Summit, open source leaders called on the software industry to standardize on the Sigstore developer tools and support a 10-point plan to upgrade open source’s collective cybersecurity resilience and improve trust in software itself, according to Dan Lorenc, CEO and co-founder of Chainguard, co-creator of Sigstore.

“On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security, and it is fundamental to billions of dollars being invested in software innovation today,” announced Jim Zemlin, executive director of the Linux Foundation, during his organization’s press conference on Thursday.

Pushing the Support Envelope

Most major software packages contain elements of open source software, including code used by the national security community and critical infrastructure. Open-source software supports billions of dollars in innovation but also carries with it unique challenges for managing cybersecurity across its software supply chains.

“This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” said Zemlin. “This is the first time I have seen a plan and industry will to foster a plan that will work.”

The Summit II plan outlines approximately $150 million of funding over two years to rapidly advance well-vetted solutions to the 10 major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action,” said Brian Behlendorf, executive director of Open Source Security Foundation.

Open Source Software Security Summit II in Washington D.C., May 12, 2022. [L/R] Sarah Novotny, Open Source Lead at Microsoft; Jamie Thomas, Enterprise Security Executive at IBM; Brian Behlendorf, executive director of Open Source Security Foundation; Jim Zemlin, executive director of The Linux Foundation.


Highlighting the Plan

The proposed plan is founded on three primary goals:

  • Securing open source security production
  • Improving vulnerability discovery and remediation
  • Shortening ecosystem patching response time

The full plan contains elements to achieve those goals. They include security education that delivers a baseline for software development education and certification. Another element is to establish a public, vendor-neutral objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.

The plan proposes the adoption of digital signatures on software releases and establishing the OpenSSF Open Source Security Incident Response Team to assist open source projects during critical times when responding to a vulnerability.

Another plan detail focuses on better code scanning to accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.

Third-party code audits, together with any necessary remediation work, would cover up to 200 of the most critical OSS components once per year.

Coordinated, industry-wide data sharing would improve the research that helps determine the most critical OSS components. Providing a Software Bill of Materials (SBOM) everywhere would improve tooling and training to drive adoption and would give build systems, package managers, and distribution systems better supply chain security tools and best practices.

The Storehouse Factor

Chainguard, which co-created the Sigstore repository, is committing financial resources towards the public infrastructure and network proposed by OpenSSF and will collaborate with industry peers to deepen work on interoperability to ensure Sigstore’s impact is felt across the software supply chain and every corner of the software ecosystem. This commitment includes a minimum of $1 million a year in support of Sigstore and a pledge to run it on its own node.

Sigstore, designed and built with maintainers for maintainers, has already been widely adopted by millions of developers worldwide. Now is the time to formalize its role as the de facto standard for digital signatures in software development, said Lorenc.

“We know the importance of interoperability in increasing adoption of these critical tools because of our work on the SLSA Framework and SBOM. Interoperability is the linchpin in securing software throughout the supply chain,” he said.

Related Support

Google on Thursday announced that it is creating an “open-source maintenance crew” tasked with improving the security of critical open-source projects.

Google also unveiled Google Cloud Dataset and Open-Source Insights projects to help developers better understand the structure and security of the software they use.

“This dataset provides access to critical software supply chain information for developers, maintainers and consumers of open-source software,” according to Google.

“Security risks will continue to span all software companies and open-source projects and only an industry-wide commitment involving a global community of developers, governments, and businesses can make real progress. Google will continue to play our part to make an impact,” said Eric Brewer, vice president of infrastructure at Google Cloud and Google Fellow, at the security summit conference.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
