Resilient Digital Infrastructure: Addressing Software Supply Chain Vulnerabilities
This Policy Brief was first published at https://t20ind.org

Free and open-source software (FOSS) components are the bedrock on which our digital infrastructure is built. Most software, whether it is the code that logs a user into their phone in the morning or checks the weather, or the government systems that authenticate digital identity, streamline payments, and distribute health benefits, incorporates public code written by volunteer developers into its codebase. Code reuse is a common practice in software development: large software projects are assembled from a collection of public projects so that developers and companies do not reinvent the wheel every time they need to perform ancillary tasks.

Despite the well-known practical benefits of code reuse and its prevalence in all digital products and services, several security incidents in widely used FOSS projects have shown that such projects are often underfunded and poorly maintained. These lapses are opportunities for targeted interventions in both the technical and the social aspects of OSS security. Policy solutions can help treat FOSS as the digital infrastructure that it is, by investing in the maintenance of critical software components used by government and industry. For software being created for government and public service initiatives such as digital identity or welfare distribution platforms, vendors can be compelled to contribute to the maintenance of the FOSS components they use, further strengthening the ecosystem they draw from. By participating in and supporting existing open-source communities, governments can help sustain and nourish an existing pool of expertise that is already passionate about the security and resilience of the software it creates.