Resilient Cyber
S3E24: Chinmayi Sharma - Tragedy of the Digital Commons

- First off, tell us a bit about your background. You were a developer before focusing on law. Why the change, and do you feel that technical background helps you in your legal and academic career?

- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?

- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?

- Your paper is broken down into several sections, so let's step through those and dissect each area a bit.

- You touch on the aspects that distinguish OSS from proprietary code and discuss both the benefits and the risks. Can you walk through some of those?

- You argue that OSS should be designated critical infrastructure, arguably under a sector such as the IT Sector. First off, why do you think it should be, and why do you think it hasn't been already?

- In Part II of your paper you cover the origins of OSS security issues and the barriers to resolving them. What are some of the major issues and barriers?

- You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors are, in this case, best suited to fix some of the core OSS security issues?

- In Part III of the paper you discuss some of the current interventions and efforts. Can you touch on what the major efforts are?

- You discuss emerging measures such as the Open Source Software Security Act, as well as the OMB memo requiring vendors to self-attest to NIST's SSDF and even provide SBOMs. What are your thoughts on these emerging requirements?

- How do you think we balance the need to keep the spirit of OSS (open to everyone, cultivating a community of citizen developers and a thriving FOSS ecosystem) while also pushing for more rigor and governance? Do we risk constraining the ecosystem and limiting the Federal government's (and industry's) access to small, innovative software projects and initiatives?

Cybersecurity, Cloud, DevSecOps and Software Supply Chain Security