One such performer is New York–based Margin Research, which has put together a team of well-respected researchers for the task.
“There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder. “A lot of existing infrastructure is very fragile because it depends on open source, which we assume will always be there because it’s always been there. This is walking back from the implicit trust we have in open-source code bases and software.”
Margin Research is focused on the Linux kernel in part because it’s so big and critical that happening here, at this scale, means you can make it anywhere else. The plan is to analyze both the code and the community in order to visualize and finally understand the whole ecosystem.
Margin’s work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that—like Huawei—has been sanctioned by the US government, says Aitel. Margin has also mapped code written by NSA employees, many of whom participate in different open-source projects.
“This subject kills me,” says d’Antoine of the quest to better understand the open-source movement, “because, honestly, even the most simple things seem so novel to so many important people. The government is only just realizing that our critical infrastructure is running code that could literally be written by sanctioned entities. Right now.”
This kind of research also aims to find underinvestment—that is critical software run entirely by one or two volunteers. It’s more common than you might think—so common that one common way software projects currently measure risk is the “bus factor”: Does this whole project fall apart if just one person gets hit by a bus?
While the Linux kernel’s importance to the world’s computer systems may be the most pressing issue for SocialCyber, it will tackle other open-source projects too. Certain performers will focus on projects like Python, an open-source programming language used in a huge number of artificial-intelligence and machine-learning projects.
The hope is that greater understanding will make it easier to prevent a future disaster, whether it’s caused by malicious activity or not.
“Pretty much everywhere you look, you find open-source software,” says Bratus. “Even when you look at proprietary software, a recent study showed it’s actually 70% or more open source.”
“This is a critical infrastructure problem,” Aitel says. “We don’t have a grip on it. We need to get a grip on it. The potential impact is that malicious hackers will always have access to Linux machines. That includes your phone. It’s that simple.”