Why Congress should invest in open-source software


In response to past crises, investments in physical infrastructure have helped the United States recover and thrive after significant challenges. After both the Great Depression and the Great Recession, for example, increased investment in transportation infrastructure was a key part of bringing the American economy back from disaster.  

The COVID-19 pandemic and its attendant economic crisis requires a similarly significant response, but it also asks of lawmakers to consider what is next. We can’t just invest in highways—we also need to invest in the technology underpinning the information superhighway. To rebuild from one of the greatest challenges of our time, the United States must invest both in physical and digital infrastructure to secure its recovery.

For the last few years, both Democrats and Republicans have called for major infrastructure investments, only for them not to materialize. These efforts to fund infrastructure investment have focused on the physical world—highways, railroads, bridges. While those are important areas for investment, we must not forget the equal importance of digital infrastructure, especially the free and open-source software (FOSS) that is built mostly by volunteer labor and underpins the digital world. FOSS is even working its way into the physical world, as it is built into our phones, cars, and refrigerators.

FOSS began in the 1980s as an effort to give developers the ability to tinker with and alter software, which was prevented by most software vendors at the time. This led to the “free” in FOSS being defined as “Free as in Free Speech, not as in Free Beer,” although frequently the software was also free of costs. For years, FOSS was primarily the domain of hobbyists, but as computing and the internet became a larger part of daily life, so too did FOSS. The untiring efforts of countless volunteers collaborating remotely eventually led to a robust FOSS ecosystem. Now, FOSS underpins the entire digital economy in the form of operating systems (Linux, Android, etc.), databases (MySQL, PostgreSQL, MongoDB, etc.), and big data and artificial intelligence software (Hadoop, TensorFlow, etc.). Multi-billion dollar companies are regularly built on the back of FOSS. Even Microsoft, whose leadership once called Linux “a cancer” and equated it to communism, has now embraced FOSS and uses it as the core of its Azure cloud computing offering.

As the pandemic has highlighted, our economy is increasingly reliant on digital infrastructure. As more and more in-person interactions have moved online, products like Zoom have become critical infrastructure supporting business meetings, classroom education, and even congressional hearings. Such communication technologies build on FOSS and rely on the FOSS that is deeply ingrained in the core of the internet. Even grocery shopping, one of the strongholds of brick and mortar retail, has seen an increased reliance on digital technology that allows higher-risk shoppers to pay someone to shop for them via apps like InstaCart (which itself relies on, and contributes to, FOSS).

The core infrastructure of the digital world now needs major upgrades. Thirty-five years ago, the federal government invested heavily in the National Super Computing Centers (NSCC), which led not only to advances in computer hardware, but also in software – including the Apache web server, now one of the most widely used web servers, and which helped spur the construction of the internet we know today.

These kinds of investments in digital infrastructure tend to see major returns. Our research has shown that NSCC investments saw a rate of return of at least 17% for the Apache software itself, let alone the billions of dollars of technology and commerce that have since been built on top of it. This is more than double the federal government’s commonly used baseline expected rate of return of 7%.

Although such direct investment is one way to encourage positive, effective outcomes, there are additional cost-effective methods that require less upfront capital outlay. For example, my recent research has shown that changing federal procurement regulations that favor FOSS over proprietary software can have numerous positive spillovers to the private sector, including increases in company productivity, the number of technology startups founded, and the size of the technology-related labor force. This research shows that the passage of such a law in France led to as much as an 18% increase in the founding of French IT-related startups and as much as a 14% increase in the number of French workers employed in IT-related jobs.

While some FOSS contributors are paid by their employer to contribute, most contributions to FOSS are made without direct compensation. Therefore, another option is to provide tax credits to the people who volunteer their free time to help create and maintain FOSS. A bill for such a credit has been introduced in the New York State Assembly every legislative session since 2009 but has never made it out of committee. If passed, this bill would provide a $200 tax credit for expenses related to FOSS development, which would help incentivize more individuals to contribute, likely leading to spillover benefits for the state of New York similar to those from the French procurement regulation.

All three of these levers for FOSS—direct funding, procurement regulation, and tax incentives—should be included in the next infrastructure bill.

Although the $1.5 trillion infrastructure bill recently passed by the House of Representatives includes $100 billion for increasing access to broadband in underserved communities, that only solves the problem of today—it does not lay the groundwork to solve the problems of tomorrow. Our work through the Core Infrastructure Initiative, a joint project between Harvard’s Laboratory for Innovation Science and the Linux Foundation, has shown there are significant vulnerabilities in the core infrastructure of the digital economy that, unaddressed, could lead to significant problems down the road. These vulnerabilities include: a heavy reliance on FOSS components that are outdated or not regularly maintained, a lack of both transparency and consistent naming conventions, making it difficult for companies to update their software properly, and a lack of project governance safeguards, which could allow malicious actors to insert backdoors into FOSS projects.

To understand the magnitude of the vulnerabilities contained in widely deployed open-source code, consider the Heartbleed bug in OpenSSL, which affected nearly 20% of secure websites on the internet. In 2012 a bug was mistakenly introduced into the project’s underlying code. Heartbleed went undiscovered for two years, partly because the project was being maintained by only one full-time engineer and a few part-time volunteers. The Core Infrastructure Initiative was launched in response to Heartbleed, and major technology companies like Google, IBM, Intel, and Microsoft donated millions to better support OpenSSL and other critical FOSS projects. Firms that normally compete against each other realized that FOSS is so critical to the digital economy that they need to work together to help secure it.

FOSS projects are too vital to modern commerce and communications to rely on the benevolence of the private sector alone. The federal government also needs to play its part. Future infrastructure bills should also include new funding and incentives for FOSS development and maintenance. For our economy to recover and grow tomorrow, we need to invest in our open-source digital infrastructure today.

Frank Nagle is an assistant professor of business administration at Harvard Business School. His research is supported in part by the Linux Foundation.

Google, IBM, Intel, and Microsoft provide financial support to The Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.