(p. A15) The recent discovery of a vulnerability in Apache log4j, a widely used open-source software tool, has exposed a significant security issue with our digital world.
. . .
We’ve had security issues with open-source software occur every couple of years, including the Heartbleed Bug in 2014 and the npm Left-Pad Vulnerability in 2016. According to the Cybersecurity and Infrastructure Security Agency, in 2020, two of the most routinely exploited information-technology vulnerabilities were related to open source.
One of the primary reasons for these vulnerabilities is that popular open-source software such as log4j is often maintained by volunteers who may not have sufficient resources to prioritize security. But these volunteers aren’t to blame. What appears to be an esoteric technical problem is actually one of funding and the sustainability of the entire digital ecosystem. While some open-source projects are supported by companies and nonprofit organizations, other pieces of code are maintained and released by people who struggle to monetize their work. The open-source security problem is, at its core, a tragedy of the commons. When the underlying health of our digital infrastructure is unsound, the whole system suffers.
For the full commentary, see:
(Note: ellipsis added.)
(Note: the online version of the commentary has the date January 27, 2022, and has the same title as the print version.)