Lets destroy some Open Source Myths …
The Internet has never, ever been “Free.” Someone has always paid for the bandwidth, infrastructure, facilities, power, software, and people who build and run the “Internet.”
Open Source has never been “free.” Someone spends the time to write open source code. Someone spends resources on the computers and systems to code, compile, test, and distribute the open source. Someone spends hours debugging, fixing, and focusing on the quality of the open source project.
If you have not noticed, open source is mainstream. CxOs need to be aware that there is open source in their network today. The embedded open source software is in software, switches, services, and IOT devices. Open source is the logical shortcut many vendors take to get the product working now. Why create something new when someone else has already created it? Open source integration makes sense. It has enormous benefits, but there are way too many who think all this open source code is free.
- Vendors use open source to cut down their development cost and shorten their deployment cycles … and don’t give back to open source effort.
- Service Providers all over the world depend on and use open source as critical infrastructure – cutting their cost and getting high-quality software in return for … nothing. Most telecommunications service provider around the world pay nothing for the open source software critical to their networks.
- ALL financial institutions depend on critical open source software in their operations. Simple thing like time synchronization using Network Time Protocol (NTP) or Precision Time Protocol (PTP) are part or all open source software. Financial system depends on time sync. These organizations pay their brand vendors but don’t ask their vendors how they are supporting open source code in their product.
Open Source – What can you do now?
Pick one critical open source project and support it with funding. If you do not know where to start, consider time synchronization. EVERYTHING CONNECTED IN YOUR NETWORK AND TO ALL TELECOMS REQUIRES TIME SYNC! People take time sync for granted. Taking “time synchronization for granted has created a crisis in the industry (see NTP’s Fate Hinges On ‘Father Time’ ). 100% of the networks connected to the Internet is using an open source NTP in their vendor’s equipment. Most do nothing to support the continued upgrade, bug fixes, and enhancements for an open source function critical to the Internet. If you are a key decision maker, this is one of the areas you can make a small difference now.
CxO Action. If you are a CxO reading this blog, get one of your staff to draft the paperwork to approve annual funding of the Network Time Foundation(http://nwtime.org/).
Staff Action. If you are a critical staff, craft the appropriate paperwork for software support to get annual funding approved for the Network Time Foundation.
Vendor Action. If you are a vendor and have any open source APIs, software, or other modules in your code, please declare them and include annual support in your business model. There are too many vendor “solutions” that think that the open source in their code is a “solution” that requires no funding. Someone else will pay for it. That error is flawed. It is what got the Internet into issues in with our OpenSSL distribution (now being worked on by a collective who are contributing to the.
Consequences of inaction?
Unfortunately, it takes a business impacting crisis to wake up businesses who depend on open source. The SSL “Heartbleed” vulnerability from 2014 finally knocked organizations into action.The Core Infrastructure Initiative (CII) is a project hosted at the Linux Foundation to “fund open source projects that are in the critical path for core computing functions.” Core computing functions mean “functions” critical to the business. Like SSL, most business will take the open source for granted until it is too late.
What should a CxO do with the CII work? First, ask all your vendors if what their role will be in supporting the CII? If you audit the code of your vendors, you’ll have 100% of them have some part of the open source software in their products. You are paying them. They are cutting cost by using this open source software. They in turn should fund directly to the open source they use or fund the Core Infrastructure Initiative as “aggregate support.” Second, if your organization is large enough, consider funding directly into the CII. Assign someone on your team to volunteer and participate. The benefits from direct open source participation provide persistent returns. Returns that many of the most profitable companies connected to the Internet leverage as part of their “competitive edge.” CxOs should consider how they can also leverage direct open source support to be part of their competitive advantage.
The first step is supporting Network Time Foundation (http://nwtime.org/).
The second step is support Core Infrastructure Initiative(http://www.linuxfoundation.org/programs/core-infrastructure-initiative).
Need More Help?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at email@example.com. The Operator’s Security Toolkit is the place to start for all Operators. It provides details to help them build more security resilient networks.
➥ Barry Greene is Business Development Executive ★ Internet Technologist ★ 25 Year Veteran of Internet Security ★ Emerging Technology Mentor ★ Advisor to Innovative Startups
➥ Barry connects to peers, colleagues, and aspiring talent via Linkedin (www.linkedin.com/in/barryrgreene/). You can also follow on Barry on Twitter (@BarryRGreene) or his blogs on Senki (www.senki.org).