Open Source “Protestware”: Sabotaging Open-Source Code as a Form of Hacktivism

OODA Loop readers will know better than most the two biggest uses of the term “Open Source.” We frequently write about both. In the context of intelligence, Open Source means information that does not come from classified channels. In terms of software, Open Source means software developed and managed in an open way, generally using open source licenses that allow code to be modified and used freely. This has always introduced some ambiguity for technologists who operate at the nexus of technology and national security. Now it is getting even more complicated. In this post, for example, we provide some open source intelligence on open source software threats.

Some Background

  • Open-source software was in the news in the context of enhancing software supply chain security. None of the onslaught of cyber theft and fraud incidents highlighted in our 2021 Year-End Review of Cybersecurity (or, for that matter, the “Cybersecurity Reckoning for Web3 and Cryptocurrency Projects” that OODA CEO Matt Devost pointed out in the OODA Almanac 2022) was attributed to a particular piece of open-source software. The general vulnerability of Log4j was certainly a headline, although, again, without specific attribution to a particular cyber incident or attack.
  • Throughout 2021 and early 2022, the White House has released Executive Orders, held press conferences, and engaged the private sector by hosting in January 2022 the Open Source Software Security Summit – all designed to highlight the national security concerns that open source software vulnerabilities represent to the entire software ecosystem: “For example, Biden’s executive order insists upon ‘ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within [federal government code].’ What it doesn’t do, however, is identify just how this will be done. It’s one of the key challenges for open source software, and one that an executive order can influence but not fix.” (1)

Open-source “Protestware”

Global hackers now provide a new wrinkle to the multiple narratives surrounding the use of open-source code: the conscious sabotage of open-source software, called “protestware,” as an act of protest or as an offensive or defensive act of war.

As Joseph Marks in the Washington Post points out:  “Open-source sabotage is a new battlefront…in the raging debate over whether civilian technologists should play any role in punishing Russia for invading Ukraine.” (1)

As reported in Motherboard:

“A technologist and maintainer of a popular piece of open source software has deliberately sabotaged their own code to wipe data on computers that used the program in Russia and Belarus and has faced a massive backlash for doing so, according to messages posted on Github.  The news signals the potential downsides of digital hacktivism, with the move likely impacting ordinary people that were using the code.

‘RIAEvangelist is the maintainer of the software called ‘node-ipc,’ a networking tool that’s sometimes downloaded over a million times a week. RIAEvangelist released two modules called ‘peacenotwar’ and ‘oneday-test’ recently, Bleeping Computer reported on Thursday. Peacenotwar, which RIAEvangelist has described as ‘protestware,’ was then included as a dependency in node-ipc’s code, meaning some versions of node-ipc may come bundled with peacenotwar.

‘This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite,’ RIAEvangelist wrote in the description for the peacenotwar code. RIAEvangelist’s description also explained how other people could add the module to their code in order to take part in the digital protest.”  (2)
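What the quoted passage means for a project's dependency tree, as an added example (not code from the article, from Motherboard, or from node-ipc): a check over a parsed `package-lock.json` that reports where the packages named above are installed and which packages require them. The sample lockfile, `my-app`, `example-cli` and all version strings are constructed; the page gives no affected versions, so every match is reported.

```javascript
// Added example: flag watched packages in a parsed package-lock.json.
// Names are those the article mentions; it gives no affected versions,
// so every installed version is reported for manual review.
const WATCHLIST = ["node-ipc", "peacenotwar", "oneday-test"];

// Lockfile v2/v3: flat "packages" map keyed by install path ("" = root).
function fromPackagesMap(packages) {
  return Object.entries(packages).map(([path, meta]) => ({
    name: meta.name || (path === "" ? "(root project)" : path.split("node_modules/").pop()),
    version: meta.version,
    requires: Object.keys({ ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies }),
  }));
}

// Lockfile v1: installed packages nest under "dependencies"; edges are in "requires".
function fromV1Tree(deps, entries = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    entries.push({ name, version: meta.version, requires: Object.keys(meta.requires || {}) });
    fromV1Tree(meta.dependencies, entries);
  }
  return entries;
}

// One finding per installed copy of a watched package, with the packages that require it.
function findWatched(lock, watchlist = WATCHLIST) {
  const entries = lock.packages ? fromPackagesMap(lock.packages) : fromV1Tree(lock.dependencies);
  return entries
    .filter((e) => watchlist.includes(e.name))
    .map((e) => ({
      name: e.name,
      version: e.version,
      requiredBy: [...new Set(entries.filter((p) => p.requires.includes(e.name)).map((p) => p.name))],
    }));
}

// Constructed sample (v3 layout): "my-app", "example-cli" and all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-cli": "^0.0.0" } },
    "node_modules/example-cli": { version: "0.0.0-sample", dependencies: { "node-ipc": "^0.0.0" } },
    "node_modules/node-ipc": { version: "0.0.0-sample", dependencies: { peacenotwar: "^0.0.0" } },
    "node_modules/peacenotwar": { version: "0.0.0-sample" },
  },
};

// For a real project: findWatched(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(findWatched(SAMPLE_LOCK), null, 2));
```

A non-empty result is a prompt to review and pin that dependency, not proof that a sabotaged version is installed.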

An IT Army?

This protestware activity comes at a time when a Ukrainian IT Army has been enlisted to fight the Russians, “conducting digital attacks and information operations in Russia that skirt and sometimes cross legal red lines.” (1) And talk about a convoluted information space: that same IT Army has been warned by global security researchers that the same open-source tools they are pulling down for use against Russia have been hijacked by info-stealing malware.

End-User Mitigation Efforts in Russia

“The malicious code update quickly caused an uproar in the community of mostly volunteer open-source developers who create and maintain libraries of computer code that power large portions of the Internet.   Critics of the [protestware] developer…argued his actions are far more likely to harm Russian civilians than military and political leaders.”  (1)

“In response to the threat, Sberbank, a Russian state-owned bank and the biggest in the country, advised Russians to temporarily not update any software due to the increased risk and to manually check the source code of software that is necessary—a level of vigilance that is unrealistic for most users.

“We urge users to stop updating software now and developers to tighten control over the use of external source code,” Sberbank said in a statement reported by Russia media and cybersecurity firms.” (3)

An Extension of the Information and Kompromat War?

“Protestware is just the latest of multiple attempts by activists to use tech to pierce Russian censorship and deliver anti-war messages. Activists have been using targeted advertisements to push news about the war in Ukraine to ordinary Russians who are otherwise at the mercy of accelerating censorship and ubiquitous state propaganda. Crowdsourced reviews and anti-war pop up messages are tactics that have been employed since Russian troops began their invasion.

For the most part, protestware is more proof that much of what we can publicly see from the cyberwar unfolding around Ukraine is directly related first and foremost to the information and propaganda war.  Protestware can deliver similar anti-war messages…” (3)

What’s Next?

The MIT Technology Review’s Patrick O’Neill and the WP’s Marks best captured the forward-thinking implications of open source as sabotage and as a tool for information warfare, especially if it turns omnidirectional in the near future:

  • …within the open-source community, there are worries that the possibility of sabotage — especially if it goes further than simple anti-invasion messaging and starts destroying data — can undermine the open-source ecosystem. Although it is less well known than commercial software, open-source software is enormously important to running every facet of the internet.
  • ‘The Pandora’s box is now opened, and from this point on, people who use open source will experience xenophobia more than ever before, EVERYONE included,’ GitHub user NM17 wrote. ‘The trust factor of open source, which was based on the goodwill of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought was ‘the right thing to do.’ Not a single good came out of this ‘protest.’” (3)
  • The aggressive actions by cyber pros not backed by national governments are alarming many analysts who fear they could undermine efforts to impose rules of the road in cyberspace or create confusion that leads to escalating cyber exchanges between Russia and NATO nations.
  • Global Impact:  “The update might also backfire and accidentally impact people outside Russia and Belarus or whose Internet was being routed through those countries.”
  • Most importantly:  The move could set a precedent that sabotaging open-source software is a legitimate form of protest, making the Internet substantially less safe for everyone.” (1)


Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.