The protocols for email and the internet are often maintained by overstretched volunteers, causing security holes when they fail. Berlin wants more support for this behind-the-scenes technology.
Germany is set to launch a sovereign tech fund to support the open source software that underpins the internet amid fears the US could withdraw support for this neglected but crucial building block of digital infrastructure.
Initial backing of €3.5 million per annum for the fund is far less than campaigners hoped for. But supporters see it as a crucial first step to bolstering European resilience against internet security flaws, for example, that can cripple companies and research institutions.
“Whenever we use a piece of software there’s lots and lots of base technologies being used,” said Fiona Krakenbürger, a technology researcher who has helped scope out the fund for the German government. “But that’s often neglected.”
These technologies can include the protocols and systems running in the background that make the internet and email secure.
One consequence of this neglect hit in November last year when a cyber security team discovered the so-called Log4J vulnerability, which allowed attackers to leak sensitive information from computers. Firms and organisations scrambled to patch the flaw, with the Belgian Ministry of Defence forced to shut down part of its computer network in response.
The problem is that these behind-the-scenes open source systems are often maintained by volunteers with day jobs who may lack the time and resources to keep them up to date, rather than big companies with the workforce to check them for errors.
“The entire structure behind this is pretty fragile,” said Krakenbürger. “We think that the state is responsible for supporting these structures just as much as bridges or roads.”
Last year, a Commission report concluded that open source software was increasingly pervasive in digital technologies, and said it should be treated as “public good”. Given that it underpins so much of the digital economy, just a 10% increase in spending could bump GDP by around half a percent, it estimated.
“Over the last couple of years, these basic technologies were only discussed when something was going wrong,” said Felix Reda, a German former Pirate Party MEP and now copyright researcher at Harvard University, who has been pushing for the fund.
“It's the same way that politicians only talk about building bridges when the bridge has just collapsed,” he said. The protocol for encrypting email “was basically maintained by a single guy in Germany for years and years without any funding,” added Reda.
Underlying technologies
While this lack of support has been a problem for years, what particularly spooked European software experts was a threat in 2020 by the US administration of Donald Trump to cut funding for the Washington DC-based Open Technology Fund (OTF).
The OTF has been key in maintaining many of these underlying technologies and also has a mission to preserve internet freedom and privacy. It has given millions of dollars to the Tor Project, for example, which allows users to browse the web anonymously.
“Why is it that we're basically relying on…the US government to provide funding for these open source tools that we all need and all benefit from?” asked Reda. “Because we're basically making ourselves extremely vulnerable to a change in policy.”
Ultimately, the Trump administration’s attack on the OTF was headed off, but even so, campaigners in Europe remain convinced the EU needs more of its own support for open source software.
The German government has now committed €3.5 million annually for its sovereign tech fund to support these base digital technologies, confirmed a spokeswoman for Maik Außendorf, digital policy spokesman for the Green Party, which is part of the governing coalition.
“This is a good beginning,” the spokeswoman said.
But this budget is just a third of the €10 million recommended by a feasibility study written by Krakenbürger and colleagues last year.
“It's not as much as we initially thought,” said Reda. “My hope is that it would be increased. So that before long, we would be able to reach this budget of €10 million a year, which I still think is necessary.”
By contrast, the US’s OTF has a budget this year of $27 million. Meanwhile, since 2014 the EU has also launched two rounds of funding to catch software bugs, through bounties and hackathons.
Because the software supported by such initiatives is open source, campaigners aren’t particularly worried that autocratic regimes will erode privacy and internet freedom norms by stepping in to fill a funding void. Any changes that choke off privacy, for example, can be easily spotted.
But what could undermine internet freedom is if security vulnerabilities aren’t spotted in time, which plays into the hands of intelligence services and hackers in all countries.
“The better the software projects are maintained, the better the chances also that problems get fixed, before they end up in the hands of a secret service, or a hacker group that might be selling those vulnerabilities for profit,” said Reda.
The nature of open source software means Germany’s investment will benefit companies all over the world. Still, the campaigners think that despite this free-rider problem, it’s worth it.
“It will still be an incredibly good investment,” said Reda. “It will still be much, much more effective than giving money to a single company to build some proprietary [non open source] solution that we might become dependent on in ourselves in the future.”