{
  "nodes": [
    {
      "id": 1,
      "label": "Query__CQURYPUSER",
      "query": "What happens when a government mandates open-source software for all critical infrastructure projects?"
    },
    {
      "id": 2,
      "label": "Origins and Triggers__CQURYFCSRT"
    },
    {
      "id": 5,
      "label": "Causal Mechanisms__CQURYFCSMC"
    },
    {
      "id": 7,
      "label": "Effects and Outcomes__CQURYFCSFF"
    },
    {
      "id": 9,
      "label": "Moderating Factors__CQURYFCSMD"
    },
    {
      "id": 11,
      "label": "Early Signals__CQURYFCSCR"
    },
    {
      "id": 13,
      "label": "Causal Constraints__CQURYFCSCS"
    },
    {
      "id": 15,
      "label": "Regime Transition__CQURYFCSFFDTMPR"
    },
    {
      "id": 16,
      "label": "Open Source Rules__CYTPWPQURY"
    },
    {
      "id": 17,
      "label": "Concrete Instances__CQURYFCSCRDXMPL"
    },
    {
      "id": 18,
      "label": "Open Source Rules__CNC9RPQURY",
      "query": "What happens to software security in critical infrastructure when open-source mandates exist but the auditing institutions lack technical autonomy or political independence?"
    },
    {
      "id": 19,
      "label": "Baseline Readout__CQURYFCSMDDMMRY"
    },
    {
      "id": 20,
      "label": "Open-source Software Mandates__CJ6MVPQURY",
      "query": "What happens when a country with strong technical institutions but weak inter-agency coordination mandates open-source software for critical infrastructure?"
    },
    {
      "id": 21,
      "label": "The Operative Context__CQURYFCSRTDCNTX"
    },
    {
      "id": 22,
      "label": "Open Source Rules Work When Regulators Check Them__CAFXHPQURY",
      "query": "What happens to the effectiveness of open-source mandates when regulatory oversight exists but the technical expertise to conduct sustained scrutiny is concentrated in private contractors rather than public institutions?"
    },
    {
      "id": 23,
      "label": "Regime Transition__CQURYFCSCSDTMPR"
    },
    {
      "id": 24,
      "label": "Open Source Mandates__CA9EGPQURY",
      "query": "What happens if a government with strong open-source mandates lacks public trust in its ability to manage digital infrastructure?"
    },
    {
      "id": 25,
      "label": "Origins and Triggers__CAFXHFCSRT"
    },
    {
      "id": 27,
      "label": "Causal Mechanisms__CAFXHFCSMC"
    },
    {
      "id": 29,
      "label": "Effects and Outcomes__CAFXHFCSFF"
    },
    {
      "id": 31,
      "label": "Moderating Factors__CAFXHFCSMD"
    },
    {
      "id": 33,
      "label": "Early Signals__CAFXHFCSCR"
    },
    {
      "id": 35,
      "label": "Causal Constraints__CAFXHFCSCS"
    },
    {
      "id": 37,
      "label": "The Operative Context__CAFXHFCSFFDCNTX"
    },
    {
      "id": 38,
      "label": "Who Watches The Watchers__CH2MEPAFXH",
      "query": "What happens to public oversight when private contractors who maintain critical code also advise the regulators on compliance standards?"
    },
    {
      "id": 39,
      "label": "What-If Scenario__CJ6MVFHYSC"
    },
    {
      "id": 41,
      "label": "Key Assumptions__CJ6MVFHYSS"
    },
    {
      "id": 43,
      "label": "Logical Outcomes__CJ6MVFHYCN"
    },
    {
      "id": 45,
      "label": "Branching Possibilities__CJ6MVFHYLT"
    },
    {
      "id": 47,
      "label": "Real-World Takeaway__CJ6MVFHYMP"
    },
    {
      "id": 49,
      "label": "Regime Transition__CJ6MVFHYMPDTMPR"
    },
    {
      "id": 50,
      "label": "Open Source Risk__CVHWKPJ6MV"
    },
    {
      "id": 51,
      "label": "What-If Scenario__CA9EGFHYSC"
    },
    {
      "id": 53,
      "label": "Key Assumptions__CA9EGFHYSS"
    },
    {
      "id": 55,
      "label": "Logical Outcomes__CA9EGFHYCN"
    },
    {
      "id": 57,
      "label": "Branching Possibilities__CA9EGFHYLT"
    },
    {
      "id": 59,
      "label": "Real-World Takeaway__CA9EGFHYMP"
    },
    {
      "id": 61,
      "label": "Baseline Readout__CA9EGFHYSSDMMRY"
    },
    {
      "id": 62,
      "label": "Broken Open-source Promise__CZPUPPA9EG",
      "query": "Under what conditions might open-source mandates actually reduce public trust in digital governance, reversing the intended effect of transparency?"
    },
    {
      "id": 63,
      "label": "Origins and Triggers__CNC9RFCSRT"
    },
    {
      "id": 65,
      "label": "Causal Mechanisms__CNC9RFCSMC"
    },
    {
      "id": 67,
      "label": "Effects and Outcomes__CNC9RFCSFF"
    },
    {
      "id": 69,
      "label": "Moderating Factors__CNC9RFCSMD"
    },
    {
      "id": 71,
      "label": "Early Signals__CNC9RFCSCR"
    },
    {
      "id": 73,
      "label": "Causal Constraints__CNC9RFCSCS"
    },
    {
      "id": 75,
      "label": "The Operative Context__CNC9RFCSMCDCNTX"
    },
    {
      "id": 76,
      "label": "Broken Software Watchdogs__C4JRNPNC9R",
      "query": "What happens to software security in critical infrastructure when open-source mandates are paired with auditors who have technical autonomy but operate in politically hostile environments?"
    },
    {
      "id": 77,
      "label": "Origins and Triggers__CH2MEFCSRT"
    },
    {
      "id": 79,
      "label": "Causal Mechanisms__CH2MEFCSMC"
    },
    {
      "id": 81,
      "label": "Effects and Outcomes__CH2MEFCSFF"
    },
    {
      "id": 83,
      "label": "Moderating Factors__CH2MEFCSMD"
    },
    {
      "id": 85,
      "label": "Early Signals__CH2MEFCSCR"
    },
    {
      "id": 87,
      "label": "Causal Constraints__CH2MEFCSCS"
    },
    {
      "id": 89,
      "label": "Regime Transition__CH2MEFCSCRDTMPR"
    },
    {
      "id": 90,
      "label": "Flawed Code Oversight__C6MN5PH2ME"
    },
    {
      "id": 91,
      "label": "What-If Scenario__CZPUPFHYSC"
    },
    {
      "id": 93,
      "label": "Key Assumptions__CZPUPFHYSS"
    },
    {
      "id": 95,
      "label": "Logical Outcomes__CZPUPFHYCN"
    },
    {
      "id": 97,
      "label": "Branching Possibilities__CZPUPFHYLT"
    },
    {
      "id": 99,
      "label": "Real-World Takeaway__CZPUPFHYMP"
    },
    {
      "id": 101,
      "label": "Regime Transition__CZPUPFHYMPDTMPR"
    },
    {
      "id": 102,
      "label": "Open Source Without Trust__CE9Y0PZPUP"
    },
    {
      "id": 103,
      "label": "What-If Scenario__C4JRNFHYSC"
    },
    {
      "id": 105,
      "label": "Key Assumptions__C4JRNFHYSS"
    },
    {
      "id": 107,
      "label": "Logical Outcomes__C4JRNFHYCN"
    },
    {
      "id": 109,
      "label": "Branching Possibilities__C4JRNFHYLT"
    },
    {
      "id": 111,
      "label": "Real-World Takeaway__C4JRNFHYMP"
    },
    {
      "id": 113,
      "label": "Regime Transition__C4JRNFHYCNDTMPR"
    },
    {
      "id": 114,
      "label": "Code Audits Without Power__CR2D8P4JRN"
    },
    {
      "id": 115,
      "label": "Concrete Instances__C4JRNFHYLTDXMPL"
    },
    {
      "id": 116,
      "label": "Open Code, Silenced Critics__C352TP4JRN",
      "query": "What happens to the effectiveness of open-source mandates when auditors are technically independent but the political authorities controlling system deployment can legally override or ignore their findings?"
    },
    {
      "id": 117,
      "label": "Clashing Views__C4JRNFHYCNDCNTR"
    },
    {
      "id": 118,
      "label": "Security Audits Without Power__CGE2EP4JRN",
      "query": "What happens to software security in critical infrastructure when auditors have legal authority to enforce patches but operate in politically fragmented systems where compliance depends on consensus across rival factions?"
    },
    {
      "id": 119,
      "label": "Overlooked Angles__C4JRNFHYSCDBLND"
    },
    {
      "id": 120,
      "label": "Vendor-controlled Security Audits__C36ROP4JRN",
      "query": "What happens to public-sector software security when private vendors who set compliance standards are also responsible for auditing their own code in open-source systems?"
    },
    {
      "id": 121,
      "label": "Overlooked Angles__C4JRNFHYMPDBLND"
    },
    {
      "id": 122,
      "label": "Auditor Warning Gap__C3TAHP4JRN"
    },
    {
      "id": 123,
      "label": "Clashing Views__CH2MEFCSMCDCNTR"
    },
    {
      "id": 124,
      "label": "Vendor Rulemaking__CFEMCPH2ME",
      "query": "What would happen if oversight bodies responsible for defining software security compliance were legally prohibited from employing or contracting with entities that implement or maintain critical infrastructure systems?"
    },
    {
      "id": 125,
      "label": "Overlooked Angles__CZPUPFHYMPDBLND"
    },
    {
      "id": 126,
      "label": "Open Source In Government__CQA5RPZPUP",
      "query": "What happens to compliance enforcement if the suprainstitutional body loses political legitimacy or funding support in key member states?"
    },
    {
      "id": 127,
      "label": "What-If Scenario__CQA5RFHYSC"
    },
    {
      "id": 129,
      "label": "Key Assumptions__CQA5RFHYSS"
    },
    {
      "id": 131,
      "label": "Logical Outcomes__CQA5RFHYCN"
    },
    {
      "id": 133,
      "label": "Branching Possibilities__CQA5RFHYLT"
    },
    {
      "id": 135,
      "label": "Real-World Takeaway__CQA5RFHYMP"
    },
    {
      "id": 137,
      "label": "Concrete Instances__CQA5RFHYCNDXMPL"
    },
    {
      "id": 138,
      "label": "Trust In Watchdog__CATUEPQA5R"
    },
    {
      "id": 139,
      "label": "Baseline Readout__CQA5RFHYMPDMMRY"
    },
    {
      "id": 140,
      "label": "Enforcement Collapse In Shared Systems__CPIQ1PQA5R"
    },
    {
      "id": 141,
      "label": "Origins and Triggers__C36ROFCSRT"
    },
    {
      "id": 143,
      "label": "Causal Mechanisms__C36ROFCSMC"
    },
    {
      "id": 145,
      "label": "Effects and Outcomes__C36ROFCSFF"
    },
    {
      "id": 147,
      "label": "Moderating Factors__C36ROFCSMD"
    },
    {
      "id": 149,
      "label": "Early Signals__C36ROFCSCR"
    },
    {
      "id": 151,
      "label": "Causal Constraints__C36ROFCSCS"
    },
    {
      "id": 153,
      "label": "Regime Transition__C36ROFCSMCDTMPR"
    },
    {
      "id": 154,
      "label": "Open-source Security Gaps__C03BBP36RO"
    },
    {
      "id": 155,
      "label": "Origins and Triggers__C352TFCSRT"
    },
    {
      "id": 157,
      "label": "Causal Mechanisms__C352TFCSMC"
    },
    {
      "id": 159,
      "label": "Effects and Outcomes__C352TFCSFF"
    },
    {
      "id": 161,
      "label": "Moderating Factors__C352TFCSMD"
    },
    {
      "id": 163,
      "label": "Early Signals__C352TFCSCR"
    },
    {
      "id": 165,
      "label": "Causal Constraints__C352TFCSCS"
    },
    {
      "id": 167,
      "label": "Regime Transition__C352TFCSCSDTMPR"
    },
    {
      "id": 168,
      "label": "Audit Power Without Teeth__CK06OP352T"
    },
    {
      "id": 169,
      "label": "Regime Transition__CQA5RFHYLTDTMPR"
    },
    {
      "id": 170,
      "label": "Cybersecurity Rules Trust__CUH92PQA5R"
    },
    {
      "id": 171,
      "label": "What-If Scenario__CFEMCFHYSC"
    },
    {
      "id": 173,
      "label": "Key Assumptions__CFEMCFHYSS"
    },
    {
      "id": 175,
      "label": "Logical Outcomes__CFEMCFHYCN"
    },
    {
      "id": 177,
      "label": "Branching Possibilities__CFEMCFHYLT"
    },
    {
      "id": 179,
      "label": "Real-World Takeaway__CFEMCFHYMP"
    },
    {
      "id": 181,
      "label": "Baseline Readout__CFEMCFHYLTDMMRY"
    },
    {
      "id": 182,
      "label": "Security Rules Out Of Touch__CKZIIPFEMC"
    },
    {
      "id": 183,
      "label": "Regime Transition__CFEMCFHYSSDTMPR"
    },
    {
      "id": 184,
      "label": "Security Audits Fail__C86YPPFEMC"
    },
    {
      "id": 185,
      "label": "What-If Scenario__CGE2EFHYSC"
    },
    {
      "id": 187,
      "label": "Key Assumptions__CGE2EFHYSS"
    },
    {
      "id": 189,
      "label": "Logical Outcomes__CGE2EFHYCN"
    },
    {
      "id": 191,
      "label": "Branching Possibilities__CGE2EFHYLT"
    },
    {
      "id": 193,
      "label": "Real-World Takeaway__CGE2EFHYMP"
    },
    {
      "id": 195,
      "label": "Clashing Views__CGE2EFHYSSDCNTR"
    },
    {
      "id": 196,
      "label": "Security Rules Delayed By Politics__CZQUOPGE2E"
    },
    {
      "id": 197,
      "label": "Overlooked Angles__CGE2EFHYLTDBLND"
    },
    {
      "id": 198,
      "label": "Trust In EU Cyber Rules__C5AQXPGE2E"
    }
  ],
  "edges": [
    {
      "source": 1,
      "target": 2,
      "relationship": "__anchor__"
    },
    {
      "source": 1,
      "target": 5,
      "relationship": "__anchor__"
    },
    {
      "source": 1,
      "target": 7,
      "relationship": "__anchor__"
    },
    {
      "source": 1,
      "target": 9,
      "relationship": "__anchor__"
    },
    {
      "source": 1,
      "target": 11,
      "relationship": "__anchor__"
    },
    {
      "source": 1,
      "target": 13,
      "relationship": "__anchor__"
    },
    {
      "source": 7,
      "target": 15,
      "relationship": "__anchor__"
    },
    {
      "source": 15,
      "target": 16,
      "relationship": "**Open-source mandates improve security only when sustained institutional support enables fast, continuous code review and patching.**\n\nGovernments that require open-source software for critical systems expect better security. This benefit only arises when strong support systems are in place. These include consistent developer staffing and clear oversight. Without such support, open source can do more harm than good. When teams are underfunded or disorganized, code flaws go unnoticed. Transparency alone does not fix broken maintenance. Real improvement comes from fast patching and constant review. That speed depends on stable teams and smart governance. Examples like U.S. Defense standards show it can work. The European Union cybersecurity framework also supports this model. But past public tech projects failed when budgets shrank. Code remained flawed despite being open. Mandates only boost security when institutions stay strong. If budgets collapse or agencies fragment, systems become less safe."
    },
    {
      "source": 11,
      "target": 17,
      "relationship": "__anchor__"
    },
    {
      "source": 17,
      "target": 18,
      "relationship": "**Open-source rules improve security only when strong institutions actively review and maintain the code.**\n\nWhen governments require open-source software for critical systems, security improves only if strong oversight exists. Germany’s approach shows this clearly. The Federal Office for Information Security enforces open-source use. It also runs a centralized system to review code and push updates. This means transparency works because experts continuously check the software. Source code alone does not reduce risks. Without active review, vulnerabilities stay longer. Most countries do not have Germany’s level of technical coordination. If a government orders open source but does not fund expert oversight, problems grow. This is especially true in older systems like power grids and railways. Therefore, open-source mandates fail to boost security without capable institutions to maintain the software."
    },
    {
      "source": 9,
      "target": 19,
      "relationship": "__anchor__"
    },
    {
      "source": 19,
      "target": 20,
      "relationship": "**Open-source software mandates improve security only when skilled institutions can maintain and audit the code, because access without expertise increases systemic risk.**\n\nWhen governments require open-source software for critical systems, they expect more transparency and better security. But these benefits do not appear if institutions cannot audit or maintain the code. Making source code public increases the need for skilled technical staff. Without enough experts, more code access creates more risk, not less. This is called combinatorial fragility. Openness expands the area where expertise is needed. If that expertise is not present, systems become harder to secure. Gaps in maintenance open doors to attacks. Some national cybersecurity efforts have failed this way. Even with full code access, weak oversight led to serious flaws. The same pattern appeared in digital identity projects in mid-sized democracies. Public code did not reduce risk when engineering support was thin. Strong institutions are needed to check and update code constantly. Open-source rules only help when such institutions are already in place. Otherwise, they give a false sense of safety. This false confidence can make systems less resilient overall."
    },
    {
      "source": 2,
      "target": 21,
      "relationship": "__anchor__"
    },
    {
      "source": 21,
      "target": 22,
      "relationship": "**Open-source software mandates improve security only when paired with existing regulatory systems that enable continuous, enforced scrutiny.**\n\nWhen countries enforce software rules through existing oversight bodies, open-source mandates can reduce security risks. This works best when compliance systems already audit critical sectors. The European Union's cybersecurity rules are an example. They link software checks to existing agencies. This creates real, ongoing scrutiny of code. Without such systems, open-source mandates only seem to help. They create a false sense of safety. Just requiring accessible code is not enough. Real security comes from sustained review backed by liability. When transparency and enforcement are built together, flaws are found and fixed. The key is not just open code but who checks it and whether they can enforce change. Open-source mandates only reduce threats when regulators are already in place to verify them."
    },
    {
      "source": 13,
      "target": 23,
      "relationship": "__anchor__"
    },
    {
      "source": 23,
      "target": 24,
      "relationship": "**Open-source mandates improve security only when governments build and sustain teams to constantly review and maintain the code.**\n\nGovernments often require open-source software for critical systems to improve security and transparency. But these benefits depend on having skilled teams to review and maintain the code. When governments move faster than they can build skilled teams, the software loses its advantage. Open-source software needs constant, expert review to be secure. Without a dedicated public team to audit it, flaws go unnoticed. Automated tools or private volunteers cannot fill the gap at scale. Systems become riskier, not safer. This has happened in India with Aadhaar-linked systems and during the Log4j flaw crisis. In those cases, using open-source code without strong public oversight caused more danger than using proprietary software with reliable support. A mandate only works if the state builds and funds a permanent team to manage the software. Without that, the policy creates a false sense of security. Open-source adoption then becomes symbolic, not effective. Real resilience comes only when government both requires and actively maintains the code. The proof is in sustained public technical capacity."
    },
    {
      "source": 22,
      "target": 25,
      "relationship": "__anchor__"
    },
    {
      "source": 22,
      "target": 27,
      "relationship": "__anchor__"
    },
    {
      "source": 22,
      "target": 29,
      "relationship": "__anchor__"
    },
    {
      "source": 22,
      "target": 31,
      "relationship": "__anchor__"
    },
    {
      "source": 22,
      "target": 33,
      "relationship": "__anchor__"
    },
    {
      "source": 22,
      "target": 35,
      "relationship": "__anchor__"
    },
    {
      "source": 29,
      "target": 37,
      "relationship": "__anchor__"
    },
    {
      "source": 37,
      "target": 38,
      "relationship": "**Open-source mandates reduce risk only when public agencies can independently verify code, because sustained scrutiny requires in-house expertise to challenge private contractors.**\n\nWhen governments require open-source software but rely on private contractors to monitor it, security gains weaken over time. This happens because oversight depends on companies, not public experts. If public agencies lack their own technical capacity, they cannot start or challenge audits. Audit rights are part of contracts, not built into institutions. Over time, expertise stays with private firms. These firms depend on profits and staff retention. Without public ability to verify work, oversight fails. Even if source code is available, scrutiny cannot be sustained. The real issue is not access but the ability to enforce independent review. Open-source rules only improve security when public agencies can match private technical skill. Then oversight remains active and accountable."
    },
    {
      "source": 20,
      "target": 39,
      "relationship": "__anchor__"
    },
    {
      "source": 20,
      "target": 41,
      "relationship": "__anchor__"
    },
    {
      "source": 20,
      "target": 43,
      "relationship": "__anchor__"
    },
    {
      "source": 20,
      "target": 45,
      "relationship": "__anchor__"
    },
    {
      "source": 20,
      "target": 47,
      "relationship": "__anchor__"
    },
    {
      "source": 47,
      "target": 49,
      "relationship": "__anchor__"
    },
    {
      "source": 49,
      "target": 50,
      "relationship": "**Mandating open-source software in fragmented government systems increases systemic risk because distributed responsibility prevents consistent security oversight.**\n\nWhen government agencies each control their own software, coordination often breaks down. This creates gaps in maintaining and updating systems. Even though open-source code can be seen by everyone, no single agency takes full responsibility for security. As a result, known flaws in the software may not get fixed. Different agencies use different parts of the code, but no one oversees the whole system. This weak stewardship allows serious bugs to remain unpatched. The problem worsens during updates or emergencies. A mandate to use open-source software does not solve this. Without strong coordination, transparency alone does not improve security. In fact, the gaps between agencies become easy targets. This increases the risk of system failures. The result is greater vulnerability than in systems run by a single, unified team."
    },
    {
      "source": 24,
      "target": 51,
      "relationship": "__anchor__"
    },
    {
      "source": 24,
      "target": 53,
      "relationship": "__anchor__"
    },
    {
      "source": 24,
      "target": 55,
      "relationship": "__anchor__"
    },
    {
      "source": 24,
      "target": 57,
      "relationship": "__anchor__"
    },
    {
      "source": 24,
      "target": 59,
      "relationship": "__anchor__"
    },
    {
      "source": 53,
      "target": 61,
      "relationship": "__anchor__"
    },
    {
      "source": 61,
      "target": 62,
      "relationship": "**Open-source systems fail to secure infrastructure when trust is low because public skepticism reduces the number of people reviewing the code, weakening collective oversight and allowing flaws to persist.**\n\nWhen people stop trusting digital government systems, open-source rules cannot make infrastructure more resilient. Even if the code is public, few citizens or experts will check it. Without active scrutiny, more flaws go unnoticed. This lack of oversight makes systems less secure over time. Each new failure further erodes trust. Fewer people then engage, deepening the cycle. Open-source systems start to look like window dressing. The software itself may be sound, but safety depends on people who review it. If the public does not believe in the government's role, they withdraw. Historical cases like HealthCare.gov show this pattern. Public health portals and digital IDs in Europe face similar issues. Code availability is not enough on its own. Security fails not because of bad code, but because trust keeps people away from the process of checking it."
    },
    {
      "source": 18,
      "target": 63,
      "relationship": "__anchor__"
    },
    {
      "source": 18,
      "target": 65,
      "relationship": "__anchor__"
    },
    {
      "source": 18,
      "target": 67,
      "relationship": "__anchor__"
    },
    {
      "source": 18,
      "target": 69,
      "relationship": "__anchor__"
    },
    {
      "source": 18,
      "target": 71,
      "relationship": "__anchor__"
    },
    {
      "source": 18,
      "target": 73,
      "relationship": "__anchor__"
    },
    {
      "source": 65,
      "target": 75,
      "relationship": "__anchor__"
    },
    {
      "source": 75,
      "target": 76,
      "relationship": "**Open-source software is not more secure when auditors depend on the same authorities they are supposed to monitor, because oversight fails without independence.**\n\nAuditors must be independent to ensure software security. If they lack technical or political freedom, their oversight fails. This is true even when source code is open and available. In some countries, IT policy and security operations are controlled by the same authorities. Auditors in these places often answer to the same leaders who run the systems they must check. This creates a conflict of interest. When auditors depend on the bodies they oversee, they hesitate to report flaws. Vulnerabilities get ignored. Patches are delayed. Problems are hidden. The result is weaker security. Open-source code alone cannot fix this. Transparency only helps when independent experts can freely review and challenge the system. Without that, the promise of open code goes unfulfilled."
    },
    {
      "source": 38,
      "target": 77,
      "relationship": "__anchor__"
    },
    {
      "source": 38,
      "target": 79,
      "relationship": "__anchor__"
    },
    {
      "source": 38,
      "target": 81,
      "relationship": "__anchor__"
    },
    {
      "source": 38,
      "target": 83,
      "relationship": "__anchor__"
    },
    {
      "source": 38,
      "target": 85,
      "relationship": "__anchor__"
    },
    {
      "source": 38,
      "target": 87,
      "relationship": "__anchor__"
    },
    {
      "source": 85,
      "target": 89,
      "relationship": "__anchor__"
    },
    {
      "source": 89,
      "target": 90,
      "relationship": "**Public oversight fails when contractors control both code and audits, because lasting scrutiny requires permanent in-house technical power.**\n\nWhen private contractors both maintain critical code and set how it is audited, oversight weakens. This happens because audits follow procurement schedules, not real-time threats. Expertise stays with the contractors, not the public agency. When contractors rotate out, the agency loses the ability to restart review on its own. Compliance checks become isolated events, not continuous monitoring. Without in-house technical capacity, scrutiny gaps open. These gaps allow configuration errors to grow unseen between audits. Incidents often arise during these silent periods. The problem lasts as long as audits depend on third parties. It ends when public agencies can re-audit independently, without contractor help. Oversight fails not because code is hidden, but because public technical authority is temporary."
    },
    {
      "source": 62,
      "target": 91,
      "relationship": "__anchor__"
    },
    {
      "source": 62,
      "target": 93,
      "relationship": "__anchor__"
    },
    {
      "source": 62,
      "target": 95,
      "relationship": "__anchor__"
    },
    {
      "source": 62,
      "target": 97,
      "relationship": "__anchor__"
    },
    {
      "source": 62,
      "target": 99,
      "relationship": "__anchor__"
    },
    {
      "source": 99,
      "target": 101,
      "relationship": "__anchor__"
    },
    {
      "source": 101,
      "target": 102,
      "relationship": "**Open-source mandates lose public trust after system failures because transparency is seen as damage control, not accountability, reducing civic engagement in code review.**\n\nWhen major system failures shake public confidence, open-source policies often fail to deliver their intended benefits. This happens even when code is freely available. Public trust declines after high-profile tech failures. People and experts stop participating in code review. They see the systems as fundamentally broken. Skepticism reduces engagement despite transparency. Without active outside review, security flaws go unnoticed. This weakens essential digital systems. Examples include digital ID programs in several EU countries. Public repositories existed, but few people used them. The same occurred with HealthCare.gov. Open code did not lead to real public oversight. Citizens doubted the government's ability to manage the system. When trust is low, transparency alone does nothing. Problems keep happening across software updates. The cycle continues until institutions regain credibility. Structural reforms are needed to restore confidence. Open-source mandates can backfire after major failures. People view transparency as a cover-up. They do not believe in the system's integrity. As a result, scrutiny drops when it is most needed."
    },
    {
      "source": 76,
      "target": 103,
      "relationship": "__anchor__"
    },
    {
      "source": 76,
      "target": 105,
      "relationship": "__anchor__"
    },
    {
      "source": 76,
      "target": 107,
      "relationship": "__anchor__"
    },
    {
      "source": 76,
      "target": 109,
      "relationship": "__anchor__"
    },
    {
      "source": 76,
      "target": 111,
      "relationship": "__anchor__"
    },
    {
      "source": 107,
      "target": 113,
      "relationship": "__anchor__"
    },
    {
      "source": 113,
      "target": 114,
      "relationship": "**Open-source software mandates fail to improve security in critical systems when auditors lack independence because political leaders can block or delay fixes to protect institutional stability.**\n\nIn countries where software auditors answer to the same central authority that runs government systems, independent code review cannot work. This is true even if laws require open-source software. The same leaders who set policy also control technical oversight. This allows them to time software reviews to match deployment schedules. Vulnerability disclosures are delayed to avoid disrupting operations. Auditors must get approval before reporting flaws or pushing fixes. Higher officials may block or slow corrections to protect institutional stability. Technical actions become subject to political risk management. This reduces accountability and leaves flaws unpatched for months. Public access to code does not help if no one can act on it. Without independent power, auditors cannot enforce fixes. Open-source rules alone do not make critical systems safer when oversight serves political control."
    },
    {
      "source": 109,
      "target": 115,
      "relationship": "__anchor__"
    },
    {
      "source": 115,
      "target": 116,
      "relationship": "**Open-source code does not improve security when auditors depend on political authorities because fear of retaliation blocks honest defect reporting and meaningful fixes.**\n\nWhen auditors inspect critical software, their work only leads to real security improvements if they can act independently. In some governments, these auditors depend on the same political authorities they are meant to oversee. This creates a conflict. Auditors may find flaws but fear reporting them. Speaking up could harm their careers or lead to punishment. As a result, problems in widely used systems go unaddressed. The source code might be fully available, yet no one challenges its weaknesses. This false sense of safety grows when top agencies oversee both software deployment and its review. In contrast, systems where auditors have legal independence lead to faster fixes and stronger security. When oversight bodies lack the power to enforce changes, open-source rules become symbolic. Real scrutiny needs not just access to code but the right to demand corrections, even when powerful groups resist. Studies from U.S. and European cybersecurity agencies confirm this pattern. Without autonomy, audits fail to prevent risks."
    },
    {
      "source": 107,
      "target": 117,
      "relationship": "__anchor__"
    },
    {
      "source": 117,
      "target": 118,
      "relationship": "**Software security in critical infrastructure fails to improve when audits lack legal power to enforce fixes, making transparency meaningless without sanctions.**\n\nIn many government systems, software audits cannot fix critical flaws. This is not because auditors lack access or technical skills. It is because they lack legal power to act. Even with full access to source code, auditors cannot force fixes. They cannot block deployments. They must rely on approval from higher authorities. In centralized systems, such enforcement powers are missing. Open-source rules do not solve this. Post-incident reports show delays in patching. These delays link to weak audit authority. The problem is not political will. It is institutional design. Auditors can find flaws but not require action. Without legal tools to bypass slow chains of command, their work has no force. Technical review becomes a formality. Thus, open-source mandates fail to improve security. This occurs when audits lack sanction power. Scrutiny alone cannot fix software if no one can enforce changes."
    },
    {
      "source": 103,
      "target": 119,
      "relationship": "__anchor__"
    },
    {
      "source": 119,
      "target": 120,
      "relationship": "**Software security weakens when private vendors control audits because public oversight depends on transient expertise and vendor cooperation, not independent, continuous monitoring.**\n\nWhen governments outsource cybersecurity audits to private companies, a conflict of interest can arise. These companies often help set the rules they are later paid to enforce. Even if source code is open and technically reviewable, security suffers. This happens because oversight relies on temporary experts who rotate in and out. Public agencies lose their ability to independently verify system safety over time. Re-audits depend on vendor cooperation, and review cycles follow procurement schedules, not real-time threats. As a result, configuration changes or new vulnerabilities between audits go undetected. This gap has led to repeated security failures. Examples include incidents in EU countries applying the NIS2 Directive. ENISA's annual reports confirm the growing risk. The problem is not closed code or lack of skill. It is the absence of a permanent, independent public authority to re-audit systems. Without such oversight, the promise of open-source security remains unfulfilled."
    },
    {
      "source": 111,
      "target": 121,
      "relationship": "__anchor__"
    },
    {
      "source": 121,
      "target": 122,
      "relationship": "**Security improves only when auditors can act on findings; political pressure prevents action even when flaws are known.**\n\nEven when auditors work independently, political pressure can block the reporting of serious security flaws. In governments that punish bad news or fund agencies based on favorable results, auditors face pressure to hide or delay critical findings. This shift in incentives means real dangers get ignored, even if the code is open and the audit is sound. Technical skill does not guarantee action when organizational survival depends on avoiding blame. Cases like the 2017 Equifax breach show accurate warnings often go unheeded in high-pressure settings. As a result, open-source rules and skilled auditors fail to improve security if political hostility changes how risks are treated."
    },
    {
      "source": 79,
      "target": 123,
      "relationship": "__anchor__"
    },
    {
      "source": 123,
      "target": 124,
      "relationship": "**Security oversight fails because firms that maintain software help write the compliance rules, allowing them to shape standards in their own interest and weaken independent verification.**\n\nPrivate companies that maintain government software often help write the rules for security compliance. This creates a conflict of interest, because their business success depends on being seen as compliant. When the same firms shape how compliance is measured, they can influence what counts as secure. Regulators end up adopting vendor-friendly definitions of security. This influence grows stronger over time, because regulators rely on these firms for technical knowledge. As a result, audits focus on checking boxes rather than proving real security. True oversight weakens, not because of poor resources or opaque code, but because the firms defining security have a financial interest in appearing secure. They benefit from long contracts and fewer reported flaws. Independent checks become unstable when those being checked help write the rules. Major security failures like the SolarWinds hack show that the problem is not missing rules, but who controls them."
    },
    {
      "source": 99,
      "target": 125,
      "relationship": "__anchor__"
    },
    {
      "source": 125,
      "target": 126,
      "relationship": "**Open-source mandates in fragmented government systems do not cause systemic fragility because compliance frameworks enforce accountability through standardized oversight and audits.**\n\nNational infrastructure systems often lack strong coordination between agencies. Yet they may still enforce technical standards through central bodies like cybersecurity authorities. When open-source software is required, code stewardship can vary across agencies. This does not always lead to systemic weakness. Binding compliance rules help maintain accountability. These rules work even without centralized control. The EU's NIS2 Directive shows this pattern. Member states have fragmented administrations. Still, they ensure security through mandatory coordination. They also use auditable benchmarks. Uniform reporting and version tracking matter. Third-party audits are required. These steps ensure procedural enforcement. Oversight happens across all contributing groups. Compliance replaces unified ownership. This is how distributed systems stay secure. Accountability is preserved through process, not ownership."
    },
    {
      "source": 126,
      "target": 127,
      "relationship": "__anchor__"
    },
    {
      "source": 126,
      "target": 129,
      "relationship": "__anchor__"
    },
    {
      "source": 126,
      "target": 131,
      "relationship": "__anchor__"
    },
    {
      "source": 126,
      "target": 133,
      "relationship": "__anchor__"
    },
    {
      "source": 126,
      "target": 135,
      "relationship": "__anchor__"
    },
    {
      "source": 131,
      "target": 137,
      "relationship": "__anchor__"
    },
    {
      "source": 137,
      "target": 138,
      "relationship": "**Compliance fails when trust in the overseeing body drops, because adherence relies on shared belief in authority rather than legal mandates.**\n\nSupranational agencies enforce software transparency through standard audits and third-party checks. These rules depend on consistent political and financial backing. When support in key countries weakens, enforcement breaks down. This is true even when technical standards are clear. The EU’s NIS2 Directive uses ENISA to coordinate national efforts. ENISA ensures all countries follow the same rules. But its power comes from trust, not legal force. Countries comply because they accept ENISA’s role. If confidence in the agency drops, cooperation falls. States delay reports and cut effort. This happens not due to cost or technical issues. It happens because the system relies on shared belief in the body’s authority. Without ongoing trust, the whole framework weakens. Compliance drops when the central body loses legitimacy. The system depends on credibility, not code."
    },
    {
      "source": 135,
      "target": 139,
      "relationship": "__anchor__"
    },
    {
      "source": 139,
      "target": 140,
      "relationship": "**Compliance collapses when enforcement relies on voluntary cooperation because consequences for noncompliance are not credible without sustained political support from major members.**\n\nSuprainstitutional bodies often depend on countries to voluntarily enforce rules. When key countries lose funding or political will, cooperation drops. This is not due to unclear rules, but to weak enforcement capacity. Some countries follow through because they have strong oversight. Others delay or ignore requirements by using unclear penalties and weak audits. The issue is not monitoring alone. It is whether noncompliance leads to real consequences. Without credible follow-through, compliance breaks down. This happened under the NIS2 Directive. Enforcement relied on peer reviews and reporting. These did not lead to visible actions. So, consequences were not taken seriously. Compliance held only where domestic systems were strong. The system fails when major members stop supporting it. The reason is structural. Enforcement depends on ongoing political support from powerful members. Without that support, rules lose force. This occurs even when standards are clear."
    },
    {
      "source": 120,
      "target": 141,
      "relationship": "__anchor__"
    },
    {
      "source": 120,
      "target": 143,
      "relationship": "__anchor__"
    },
    {
      "source": 120,
      "target": 145,
      "relationship": "__anchor__"
    },
    {
      "source": 120,
      "target": 147,
      "relationship": "__anchor__"
    },
    {
      "source": 120,
      "target": 149,
      "relationship": "__anchor__"
    },
    {
      "source": 120,
      "target": 151,
      "relationship": "__anchor__"
    },
    {
      "source": 143,
      "target": 153,
      "relationship": "__anchor__"
    },
    {
      "source": 153,
      "target": 154,
      "relationship": "**Public-sector software becomes less secure when audits depend on private vendors because oversight gaps grow between compliance cycles, allowing hidden flaws to persist despite open code access.**\n\nWhen government cybersecurity rules rely on private companies to set standards and audit open-source software, problems arise. These companies often help build the same projects they are supposed to review. Audits happen only when vendors are available, not on a fixed schedule. This creates delays in finding security flaws. The timing of checks follows procurement cycles, not the pace of new threats. Even when code is open and accessible, scrutiny stops between audits. A new audit must be requested from outside, not triggered by risk. This breaks continuity and weakens oversight. In many EU countries, authorities cannot re-audit without vendor cooperation. Public agencies lose the ability to act independently. As a result, dangerous configuration changes go undetected. This pattern was seen under the NIS2 Directive. ENISA’s reports confirm that gaps in monitoring persist. Security fails not because code is hidden, but because no permanent public body can audit on its own. Without independent oversight, vulnerabilities survive longer than they should. Continuous public verification is needed to fix this. Only then can open-source rules deliver real security."
    },
    {
      "source": 116,
      "target": 155,
      "relationship": "__anchor__"
    },
    {
      "source": 116,
      "target": 157,
      "relationship": "__anchor__"
    },
    {
      "source": 116,
      "target": 159,
      "relationship": "__anchor__"
    },
    {
      "source": 116,
      "target": 161,
      "relationship": "__anchor__"
    },
    {
      "source": 116,
      "target": 163,
      "relationship": "__anchor__"
    },
    {
      "source": 116,
      "target": 165,
      "relationship": "__anchor__"
    },
    {
      "source": 165,
      "target": 167,
      "relationship": "__anchor__"
    },
    {
      "source": 167,
      "target": 168,
      "relationship": "**Audits fail to ensure security because they lack independent authority to enforce fixes, even when flaws are known.**\n\nWhen audit agencies are part of the executive branch, they lack real power to fix critical software flaws. They may find problems, but they cannot force changes. The authority to act stays with political leaders who run the systems. These leaders often delay or ignore fixes to avoid disruption or bad publicity. Even full access to source code does not help if no one can enforce action. Audits become routine checks, not tools for real accountability. This delay creates a gap where known flaws remain unpatched. Similar patterns appear in past system failures across different countries. Independent cybersecurity reviews have found the same issue: oversight fails when it depends on the same leaders it should question. More transparency or code access does not fix this. The core problem is the lack of independent power to demand change. Without that, audits cannot ensure security."
    },
    {
      "source": 133,
      "target": 169,
      "relationship": "__anchor__"
    },
    {
      "source": 169,
      "target": 170,
      "relationship": "**Compliance fails when trust in the oversight body breaks down, because shared rules depend on belief in fair and credible evaluation.**\n\nIn systems where countries must follow shared regulations, compliance depends on trust in the organization overseeing the rules. This is true for cybersecurity standards managed by groups like the European Union Agency for Cybersecurity. These rules work not because of strong penalties but because countries accept routine audits and reviews as fair and routine. When governments lose faith in the system due to political or budget issues, compliance does not stop right away. Instead, countries start treating reports and audits as box-ticking exercises. Over time, this weakens the accuracy and reliability of the data shared across nations. The problem grows when several important countries cut funding or reject the authority of the overseeing body. Without trust, the entire system of mutual review breaks down. The rules fail not because they are unenforceable but because the process relies on a shared belief in fair evaluation. When key members stop seeing the overseer as legitimate, the system can no longer gather trustworthy data. This collapse of confidence dissolves the foundation of enforcement."
    },
    {
      "source": 124,
      "target": 171,
      "relationship": "__anchor__"
    },
    {
      "source": 124,
      "target": 173,
      "relationship": "__anchor__"
    },
    {
      "source": 124,
      "target": 175,
      "relationship": "__anchor__"
    },
    {
      "source": 124,
      "target": 177,
      "relationship": "__anchor__"
    },
    {
      "source": 124,
      "target": 179,
      "relationship": "__anchor__"
    },
    {
      "source": 177,
      "target": 181,
      "relationship": "__anchor__"
    },
    {
      "source": 181,
      "target": 182,
      "relationship": "**Security oversight becomes disconnected from real operations because regulators cannot consult infrastructure operators, leading to rigid standards that fail in practice.**\n\nRegulatory bodies that certify software security are sometimes legally blocked from talking to operators of critical systems. This separation stops regulators from being unduly influenced. But it also creates a gap between rules and real-world operations. Auditors focus on meeting theoretical standards. They ignore practical limits on implementation. This disconnect appears in policies like the EU's NIS2 Directive. It also appeared after the Colonial Pipeline incident. Compliance rules grow in isolation from real failure experiences. Standards become abstract and rigid. They fail to reflect actual risks. Systems appear secure on paper. But they remain vulnerable in practice. Regulators lack firsthand knowledge of operational challenges. This weakens their ability to prioritize real threats. Security checks become box-ticking exercises. They do not build real resilience. Federal audits show high compliance scores. Yet breaches remain common. The result is oversight that is independent in name. But it lacks practical understanding."
    },
    {
      "source": 173,
      "target": 183,
      "relationship": "__anchor__"
    },
    {
      "source": 183,
      "target": 184,
      "relationship": "**Security audits lose value when regulators are kept from operators, because reliance on static documentation replaces real testing, allowing vulnerabilities to persist undetected.**\n\nWhen regulators cannot work directly with infrastructure operators, they rely too much on third-party certifications. These certifications focus on paperwork instead of real-world security. They check documents, not performance. This creates a gap in true security verification. Audits use static reports like SOC 2 or ISO certificates. They do not test systems under real attack conditions. As a result, systems appear secure but remain weak to known attacks. The problem grows because oversight becomes detached from technical reality. Standards turn into bureaucratic exercises, not technical safeguards. This was seen in EU and U.S. systems, where audits missed major flaws. The system stays broken until a major breach forces regulators and operators to work together. After events like the Colonial Pipeline hack, direct contact returns. Only then is the gap briefly exposed. Keeping regulators separate from operators weakens the accuracy of compliance checks. It makes audits more about form than function."
    },
    {
      "source": 118,
      "target": 185,
      "relationship": "__anchor__"
    },
    {
      "source": 118,
      "target": 187,
      "relationship": "__anchor__"
    },
    {
      "source": 118,
      "target": 189,
      "relationship": "__anchor__"
    },
    {
      "source": 118,
      "target": 191,
      "relationship": "__anchor__"
    },
    {
      "source": 118,
      "target": 193,
      "relationship": "__anchor__"
    },
    {
      "source": 187,
      "target": 195,
      "relationship": "__anchor__"
    },
    {
      "source": 195,
      "target": 196,
      "relationship": "**Security rules fail when enforcement depends on political consensus, because rivals delay action unless penalties are certain and centralized.**\n\nIn systems where political divisions are deep, security rules for critical systems work only if enforcement agencies can punish rule-breakers without political bias. When penalties depend on cross-party agreement, compliance suffers. Rival groups use delays in audits and consensus rules to weaken urgent fixes. This happens in both U.S. nuclear oversight and EU cybersecurity efforts. Punishment must be automatic and certain to work. Without it, even strong audits and public code access fail to ensure timely fixes. Enforcement power must be centralized and independent. Only then can timely action be guaranteed. Political fragmentation without strong enforcement leads to weak security outcomes."
    },
    {
      "source": 191,
      "target": 197,
      "relationship": "__anchor__"
    },
    {
      "source": 197,
      "target": 198,
      "relationship": "**Compliance with EU cybersecurity rules weakens when trust in EU institutions falls, because adherence depends on voluntary cooperation driven by perceived fairness rather than enforced mandates.**\n\nIn systems where countries share cybersecurity oversight, lasting compliance depends on trust. This trust relies on the governing body being seen as technically competent and fair. The European Union Agency for Cybersecurity shows this pattern. When member states lose confidence in EU institutions, they follow the rules less faithfully. Compliance drops even when national resources are sufficient. The main factor is not technical capacity but trust in fairness. If political leaders frame EU oversight as overreach, cooperation fades. Even strong audit systems are then delayed or poorly reported. This happens not because the tools fail but because cooperation is voluntary. It depends on shared values and belief in legitimacy. Standardized enforcement does not guarantee results if trust is weak. Without political support, the link between design and results breaks. Systemic vigilance needs ongoing consensus, which can easily weaken. When it does, enforcement falters despite solid frameworks."
    }
  ],
  "query": "What happens when a government mandates open-source software for all critical infrastructure projects?"
}