Thinking Upstream About the White House Cybersecurity Executive Order


In the wake of the White House’s new cybersecurity order, how can we apply upstream thinking to our open source software supply chain health?
Stop me if you’ve heard this one before. Three friends are relaxing beside a river. Suddenly, they hear the sound of someone crying out for help. Looking out into the river, they see a child flailing in the middle of a strong current. The first friend moves quickly, jumping in and swimming as fast as they can to get the child and pull them to safety.

Before the first friend is able to get back to shore, there are more cries for help. Three additional children are in the river, in need of urgent rescue. The second friend, knowing he must rescue all three at once, grabs a nearby raft and paddles out into the river. Meanwhile, more children keep popping up, all needing rescue. This second friend, overwhelmed, desperately looks around for the third friend, who is nowhere to be seen. Finally, he spots her, in the river, swimming upstream.

“Where are you going, these children are going to drown!” calls out the second friend. The third friend keeps swimming and calls back: “I’m going upstream to find out who is throwing all of these children in the river!”

This parable is at the heart of what is known as upstream thinking. In his recent bestseller Upstream: The Quest to Solve Problems Before They Happen, author Dan Heath introduces the concept this way:

“So often in life, we get stuck in a cycle of response. We put out fires. We deal with emergencies. We stay downstream, handling one problem after another, but we never make our way upstream to fix the systems that caused the problems. Cops chase robbers, and doctors treat patients with chronic diseases, and call-center reps address customer complaints. But crime and chronic disease and customer complaints are preventable! So why do our efforts skew so heavily toward reaction rather than prevention?”

So if downstream thinking focuses on solving problems after they occur (fishing children out of the water, in our parable), upstream thinking focuses on efforts to prevent problems before they occur (“I’m going to find out who is throwing all of these children in the river!”). Those who practice upstream thinking, also known as upstreamists, are systems-level thinkers, seeking to understand the root causes of downstream emergencies.

This brings me to the recent White House cybersecurity executive order. TL;DR: the cybersecurity executive order is an attempt by the United States government to use its purchasing power to create positive changes to the way cybersecurity is addressed around the world. Recent high-profile breaches like the Colonial Pipeline ransomware attack or the SolarWinds software supply chain attack have shown that our cybersecurity defenses are woefully inadequate. This executive order forces a higher standard of cybersecurity for any organization selling software to the federal government, which in turn makes it the de facto global standard for all software in the future.
