19/11/2025, Main Room
Cases like the XZ Utils backdoor highlight the pressing need for better security in open source software. Open source communities and concerned policymakers agree that more needs to be done to secure code against these supply chain attacks; however, there is still no significant agreement on how best to approach these challenges. The current debate about open source software security mirrors discussions around trade security that surfaced soon after 9/11. Industry argued then that regulations requiring importers to fully certify the security of their supply chains, as well as mandating "100% screening" of cargo containers, would result in the collapse of global trade. While policymakers and the security community understood these concerns, they also felt that industry's approach up to that point was insufficient for countering threats to global security. Ultimately, the stakeholders were able to create a series of initiatives that balanced the needs of trade and security and provided effective incentives for "voluntary" compliance from industry. In this session, the presenters will provide the initial results of an ongoing research project funded through the Digital Infrastructure Insights Fund that, for the first time, compares the historical example of supply chain security for tangible goods with the current challenges facing open source software supply chain security. The project focuses on the impact of governmental and industry trade security measures and the current outlook for OSS security, identifying overlaps and evaluating lessons learned from the historical case study.
This working paper examines how lessons from post-9/11 global trade security initiatives can inform current open source software supply chain security challenges. The authors argue that, despite dealing with different domains (physical goods versus digital code), both face similar fundamental questions about managing risk in complex, multi-actor systems where trust is essential but vulnerable to exploitation. The ongoing research, funded by the Digital Infrastructure Insights Fund, analyzes successful trade security programs such as C-TPAT (the Customs-Trade Partnership Against Terrorism) and CSI (the Container Security Initiative), focusing on their incentive-based structures, public-private partnerships, and harmonized international standards, to develop actionable recommendations for software security policy. Rather than punitive regulatory approaches, the authors advocate a framework that emphasizes positive incentives, investment in critical infrastructure, collaborative risk assessment tools, and international standards, moving beyond simple analogies such as the Software Bill of Materials (SBOM) to create trusted actor programs similar to those that succeeded in trade security.