Open-source software can increase security – but a long-term approach is required

The security policy landscape has changed. We are at increasing risk because we are so dependent on large US technology companies.

Trump’s second presidential term has shaken the foundation of 80 years of Western alliance. The trust that has been the cornerstone of Western security policy has been severely undermined, perhaps even destroyed – and it will take a long time to rebuild.

In the meantime, Norway and Europe must ensure that society functions and that critical services are delivered to citizens and the business sector. The current dependence on large US technology companies increases risk in a changed security policy landscape.

As long as the United States and Europe had aligned security interests, US legislation granting authorities access to data stored by US companies was an unpleasant but manageable problem. But now the situation has significantly worsened.

For example, Microsoft stated last year in the French Senate that the United States’ Cloud Act can require the company to hand over European data to US authorities, regardless of European legislation.

If we can no longer be sure that our security interests are aligned, we face the same challenge with American ICT companies as we do with Chinese ones. We must now assume that any services and data we have with these companies could be used against us.

Taking control of data

Therefore, Norway must accelerate efforts to take control of data, systems and services for critical societal functions. The fastest path away from dependence on US technology companies is likely an expanded use of open-source software.

Open-source software gives users the right to freely use, read and share the software’s source code. When the source code is open, Norwegian authorities and local providers can see and control how the systems operate.

However, this is not entirely without problems either.

Open-source software is vulnerable to attacks

Open-source software is only as secure as the communities, processes and resources linked to the projects. Because the code is public, its vulnerabilities are visible to everyone – including attackers.

Another challenge is the licensing of open-source projects, which can suddenly change and create issues for commercial services built on these projects. This can lead to the same cost increases as sudden changes in the pricing of commercial solutions.

Norway and Europe must actively build capacity and sustainability in open-source communities. In addition, we must develop open-source projects for critical societal functions. We have the financial capacity to do this.

The challenge is how to do it in a way that both strengthens the open-source communities and gives the authorities confidence in the solutions. At the same time, the communities must trust that the authorities will not take over or control the projects.

Requires a long-term approach

While this is not insurmountable, it will require focused effort, especially from the authorities. Several countries have already taken action:

  • Germany has established a governmental unit for digital sovereignty that develops and supports open-source software.
  • As part of a larger project to replace the tech giants, France is switching from US conferencing solutions to French ones that are based on open-source software.
  • Other initiatives that could lead the way include EuroStack, which has a catalogue of alternative solutions, and EU OS, where the community develops a Linux distribution optimized for EU requirements in the public sector.

We are not able to replace solutions from the tech giants in critical societal functions in the short term. This will require long-term efforts. We should start by securing future strategic independence and digital sovereignty.

Independent communities are essential

Espen Tonseth. Photo: NTNU

In the short term, we can support open-source projects financially, but in the long term, the support must foster open-source communities that authorities and the business sector can use as a solid foundation for critical societal functions. This requires collaboration across nations and communities so that trust and understanding are built.

Measures could include education, research and development that harness the strength found in academia. Vocational colleges, university colleges, research institutes and universities are already major users and creators of both open-source software and knowledge about critical infrastructure.

These are also the communities that may be best suited to serve as bridge-builders between the different communities and cultures within the government, critical infrastructure and open-source software.

This feature article expresses the author’s views and does not necessarily reflect NTNU’s official position. It was first published in Altinget.