 Watashi no nemaewa, Borek san Jeff Desu. How many would like me to do my session in English? Please show me your hand. One, two, three. How many would like me to do my session in Japanese? I wish my Japanese was better. Thank you so much for coming. I realize I'm the only thing between you and refreshing adult beverages in the showcase. So I will try and make the best use of your time. I also have IBM stickers. So anyone who would like to ask a question, a good question gets a good sticker. I have been working around open source for IBM for over a decade. And anytime I talk to an audience about open source, I like to say I stand on the shoulders of giants because 20 years ago, IBM senior executives really understood the potential of open source and the risk of open source and how to effectively manage risk. Just a quick question. Who can explain to me an example of a risk of open source? Good answer. Good sticker. Intellectual property risk. So anytime you use software, you need to understand that even if you spent money to buy the software, you don't really own the software. You bought a license to use the software. And even in open source, when you don't provide money, there is a license. And you always have to be understanding of the license responsibility, the other risk of open source. Yes. Hi. Very good. But this is not about open source security. And I can talk about that quite a bit because that's a big part of what I'm being asked to pay attention to today. But I want to just make the point that open source is no more or less secure than proprietary software. Studies have proven that whether you develop in a open distributed fashion or you develop behind the firewall does not determine how good quality and or secure your code is. Other things determine that. But this topic today is about inner source at IBM. And I will save time by skipping my agenda and giving me more time to cover it. How many know or can't explain to me what is inner source compared to open source? But in addition, it is really taking advantage of the characteristics. What makes open source development very powerful? Highly distributed. So teams of individual programmers from anywhere can effectively collaborate and make very good software. And the opportunity exists to leverage the characteristics that make open source powerful in your organization. And so this is going to discuss how to do that in a bit more detail. So I went to Google this before. But how many remember the early days of AI when IBM created computers to compete with chess champions? Deep Blue is what the initiative was called. And that happened way back in the 50s to the 60s. And there were two major initiatives where IBM played Gary Kasparov and had to have a rematch. But eventually, IBM beat the best humans at chess. About a decade ago, IBM research was thinking about what to do next. And they were at a conference. And two of the executives were sitting in one portion of the bar. And they noticed that many of the researchers were overwatching a TV program. Do they have jeopardy version in Japan? I don't think so. But in the US, there is a popular game show on TV called Jeopardy. And it's very challenging because you don't supply the answer. You supply the question. The host gives you the answer. And so it's kind of backwards. And there are also many things that make it very difficult for a computer to understand what's going on. But because of the seeing how captivated the researchers were by this TV game show. And I know they have game shows on TV that are very popular in Japan, I understand too. They thought, we should try and do this. So 10 years ago, they created an artificial intelligence proof of concept to win against the top two human players, best of all time, and IBM won on the first try. And it was very impressive. I hate to tell you, though, it's also an example of one of my personal career setbacks. Because I wanted IBM to talk about the role of open source in Jeopardy. And IBM thought, this proof of concept is really all about IBM's secrets of how they made the machine do this. And my thought was, this is an opportunity for IBM to reassert its leadership in open source, because researchers built Jeopardy. What do researchers use when they are doing proof of concept, when they're having to put complicated software solutions together? Who said that? Please pass that. Open source. So the Jeopardy solution, if I visualize it as a stack of software, the Jeopardy solution was maybe this much. Three quarters of the stack was all Hadoop, big data, Linux. So a lot of open source. But this caused IBM to try and pursue a gold rush for 10 years from 11 to 19, approximately, IBM Watson help. Taking a proof of concept and then turning that into a commercial solution, very, very difficult. IBM said it would bring commercial solutions to the marketplace. And it was overly optimistic. And to make a long story short, IBM invested a lot of money in the proof of concept and then invested even more money acquiring data sets and other technologies in support of pursuing this. And unfortunately, or fortunately, let me put a positive spin on it. IBM's entering a new era of Watson. It is the platform era. And I told you 10 years ago it was a professional setback for me, but obviously I'm still here. So I didn't give up. So I kept working with the AI and data team and said, hey, you missed an opportunity to work in open source 10 years ago. Let's not miss that again. So back in 1918, started talking with them again about the power of open source and collaboration. And IBM, a data and AI team, listened. And they decided, well, we will contribute some modules to the Linux Foundation AI initiative to share IBM technology about how to make AI more secure, how to make sure it is fair. And less biased and how to make sure it's trustworthy. And that turned out to be a good thing. About that same time, the team was looking, how do we bring IBM AI to other parts of IBM's business? And they wanted to be able to differentiate. I'm so skilled, I can do this and talk at the same time. How can we differentiate with AI? How can we act as an internal reference for Watson? But they found it was very, very difficult because each division was doing AI, but they were doing it their own way. And IBM Cloud Pack approach, which is software modernization, required a modular AI stack, which IBM didn't have. But they realized that IBM natural language processing is very high quality. And that could be the basis of a modular composable stack using both inner and open source to make a difference. So how do you do that? Watson Core and application platform. So rather than just IBM research innovation, also collaboration with open source and with inner source all feed into Watson natural language processing core. And with that core, IBM can impact products as well as potentially partner offerings as well as research clients engagements. So determining the platform capabilities, selecting the best starting points from IBM and open source, and embedding Watson Core tech into IBM products, ISV products, and research clients engagements became a hot topic. How would this work out? Well, in some respects, IBM did not have a choice because natural language processing pre-Watson Core was very rich but very fragmented. Typical patterns of NLP research and product adoption. Another question, how many different versions of natural language processing would you guess IBM had three years ago? Answer could be five, 10, 15. Any? Who said 42? No sticker for you. No, it's actually 20. Over 20 different versions of NLP. IBM's a big company, but nobody needs 20 versions of NLP. So you can see the quote here. We need an NLP stack to be adopted all over IBM. Contains IBM's best technology, provides a path from research investments to products, and offers standardization of critical NLP components. This is Dashkey, Agrawal, IBM Fellow, and CTO, June 2019. Very encouraging, but still not easy to do. Why? This is a representation of a traditional innovation flow at IBM. A market signal happens, like GDPR or some other major impact in the ecosystem, plus maybe some side tech advancements. For example, like the game show went, AI leap of improvement. That impacts IBM research innovation, which then goes into the IBM software product and then hopefully leads to revenue. And who knows what this means? Brand power, OK? Brand power. So this is the traditional way that things worked at IBM research. But because of this collaboration with them over the last three or four years, now IBM research realizes that same external forces and scientific advancements can impact the industry. But now it's not just IBM researchers. It's a broader community, both open source, but also inner source. The 20 different product teams that were all doing their own version of an NLP stack, they could now spend their time focusing on their product. And at the same time, if they had a good idea, they could contribute it back to the core project. So inner source at IBM. So what's key is two new leverage points. The broader community creates leverage point number one. And then the resulting core offering creates leverage point number two, which is that now instead of this impacting one product, it's now impacting many, many products. And that same modular approach is now something we are bringing to IBM software partners. Because if you follow that logic, the same benefit that IBM products can receive can now be advanced with IBM ISV partners. And then consulting engagements, leading to significant increase in revenue and significant increase in brand power. So IBM executives like hard numbers. So here's some hard numbers. Now, what's an NLP in the first year and a half? More than 15 product teams are now consuming and contributing back to NLP. They spend less time rebuilding the same functionality. And they rely on solid code built by the AI team, who's now, oh, by the way, in research. And they focus on their product's differentiation, not on their own version of NLP. And 75% decrease in time to value and global contributions from multiple business units across IBM. And cost savings through reuse in 2020 approached $10 million. So very significant. So I mentioned IBM Watson and Watson Health. Can anyone tell me some things that Watson Health endeavored to try and help with over the last 10 years? Any guess what IBM health? Think of one of the biggest health. Pardon me? Bingo, who said that? Now you've got two stickers. Can you pass that back? Thank you. So because of the struggles, IBM got less than favorable press. But the good news today is that the New York Times, leading newspaper in North America, just recently did a whatever happened to IBM Watson story. Artificial intelligence was supposed to transform industries. Neither has panned out. Now, IBM has settled for a new version of Watson. So the good news is that an analysis done by the New York Times, or for the New York Times, the Allen Institute of AI compared Watson's performance on NLP with other major players. Who can tell me the Allen Institute? Is that name ring a bell? Paul Allen. Paul Allen from Microsoft founded the AI Institute. And the New York Times paid the Paul Allen Institute to evaluate the technology. And they were quite surprised, chief executive said. IBM has gotten its act together. And the services offered by IBM were as good or better than other major players in the marketplace today. Very significant progress. So this is leading to a new embedded AI play targeting, again, ISV partners. The goals are to increase the adoption of IBM AI technology, focus on key use cases, initially NLP and speech, but moving on to document understanding and time series and trust. And creating a ecosystem of successful partners so that it's not all about IBM, but it's about IBM and partners collaborating through inner source to develop better solutions. Core differentiators of Watson Core is that it can run just about anywhere. It's enterprise ready. And it's the best of research and open and leverages that trustworthy AI foundation that I mentioned that IBM contributed before. It's also resulting in, again, more good news coverage for IBM as IBM Watson opens up AI opportunities for software vendors with embedded libraries. Even more good results from this effort. IBM is now in the Gartner Magic Quadrant in a leading position in terms of completeness of vision and ability to execute for its Watson Core AI platform. A recent article in Nature Magazine talks about IBM's AI system going head to head with humans in competitive natural language debating and doing quite well. So another example of good press from the modern update of Watson Core. And then lastly, this is a recent interview with one of the researchers who I've worked with in this space talking with a small but very influential analyst firm called Redmonk. This is a very challenging question, so I won't expect a lot of hands to go up. One, has anyone heard of Redmonk? I'd be very surprised. Half a dozen hands. Very good. Does anyone know how they chose that name? They chose that name 20 years ago because they thought there were two critical locations where software developers really were important. One of them was Redmond, Washington. So that's where the red comes from. The other one was Armok, New York. So that's where the monk comes from. So Redmonk's analyst firm for developers chose their name between the IBM corporate office and the Microsoft corporate office. But this video is an interview with the researcher. It's very interesting. If you have time, you should have a look. But this is the Watson Core architecture now and how it's leveraging both stock foundation open source components with the AI domain and the AI abstractions to provide an end to end solution that leverages both Kubernetes and Red Hat OpenShift. So a very strong architectural vision for the product for the future. And with that, I've got some time for questions and answers and stickers before refreshing adult beverages maybe served. Please. The inner source, more of a grassroots because it really came out of two things. I mentioned I've been at IBM some time working in open source for over 10 years. But I started working with the data and AI team about five years ago with another IBM colleague from Research, Jim Spore, very smart. He's since retired. But we started engaging with the data and AI team at kind of the developer and middle management level. And that's what got them trying open source. But good question. And I'll expand on the answer because it's an interesting question. It's kind of like is there a Japanese version? I know using metaphors can be challenging. But chicken and egg, so which came first? So what is better to do first, open source or inner source? Because the Watson AI team had not done a lot of open source development before they tried this initiative. Does anyone have an opinion on whether one or the other is the best place to start? Sure. So when you say inner source, that probably with an IBM means that not just different locations, but probably also different countries are involved, right? And can you comment on how you handle the arising tax and transfer pricing issue? That's for one. And my other question directly relates to your question. So what would be your opinion on how much of that inner source, these inner source activities you're doing and the inner source code you're producing, you could actually do as open source because they don't concern the differentiating knowledge of IBM? Very good questions. I will hold you some stickers for later. So to be clear, I used to believe that you had to start in open source first. Because to me, when I first started working in open source, it was very much changed my complete perspective on how the industry would evolve. It's very easy in a large organization to stay within your silo and focus on what you need to do. And when we were engaging with the data and AI team and getting them to contribute those early modules around trust, we were telling them, now, come and collaborate out in the open community. And they understood the value. And many of them wanted to take that approach. But they were under such pressure to fix internal problems that they said, gosh, we have to try this as an inner source approach first. And we had misgivings. But fortunately, Bill and the team proved me wrong because they had setbacks. But they've been very successful in working collaboratively behind the IBM firewall on creating the Watson core module that we talked about. Now, I don't have a good answer for you right off the top of my head with respect to the implications of distributed development from a corporate finance perspective. But what I can say is that this approach has fixed many challenging problems that IBM spent many years struggling with. And there is definitely initiative within the company to take these learnings and start to apply it to other parts of IBM's portfolio. Because a quick show of hands, how many, thank you. How many feel like your company does software development well? Not very many hands going up. How many think that doing software development, especially in larger organizations, is very challenging? We'll try that. Many more hands going up. Software development in large matrixed organizations is very, very difficult. And inner-source provides a very strong framework for taking a different approach that helps to. It's not a silver bullet. It won't fix every problem. But it does go a long way towards helping to reduce the fragmentation that naturally happens over large organizations. Question? Well, it's not actually a question, but it's also like an addition. Because I'm involved in inner-source commons community. And I'm also the program manager at Tudor Group. So I usually have the inner-source community and the OSPO community. And also, in fact, in the OSPO verse, we have seen a lot of organizations seeing the cultural challenge, like having adopted inner-source principles as the solution to avoid the cultural challenge that open-source are facing. So it's just like a different way of seeing this. But it's similar to your presentations. And I'm really glad and really happy that I attended to this presentation. And thanks a lot for bringing to all of us. Because I think culture, it's not only for inner-source, but also for OSPO and for open-source as a way to face this cultural change. I did not pay her to ask that question or make that statement. But I will add to your thought, though. I appreciate that very much. And I appreciate the work you're doing in the Tudor Group. Because we as an industry have to change. So here's another question. How many like change at work? Raise your hand. Not many hands go up. Sometimes I see more hands go up. And I say something controversial, like you're not telling me the truth. Because as humans, the reptilian brain is programmed to be change adverse. And that worked very well for thousands of years. Because if you were change adverse, it made you a little bit more conservative. But in fact, how many have heard of Darwin? Survival of the fittest, right? Change? There's actually new thinking around that that basically says, it's not so much survival of the fittest. It's survival of the friendliest. And the example they use are dogs. I know dogs are very popular pets in Japan. Think of dogs obviously came from wolves, right? And wolves, you could argue that dogs have done better in terms of evolutionary progress because a subset of wolves decided to be friendly with humans and hung out with early humans and realized that they could do better with the pack of humans than the pack of wolves. And so the ability to work with others, the ability to be friendly, has researchers now, some researchers thinking that Darwin did not, I wasn't wrong, but didn't really see a bigger picture. And it's not so much survival of the fittest, it's survival of the friendliest. There's one other call to action, and I haven't seen my five minute card yet, but now I do. We all have to change. And I know this is really hard, but I want you all to take back this thinking with you to your organizations. How many are aware of the challenges? I started my talk talking about the risk of intellectual property and the risk of security. How many are aware of the open SSF? Only a few hands going up. How many are aware of the growing challenge of the software supply chain and security? So not quite half. So what's happening is an under... open source is somewhat, again, a victim of its own success. I mentioned that open source software is no more or less secure than proprietary software at the beginning of my talk. But because open source has been so popular, especially now in this era of cloud, there is so much open source software in today's modern enterprises that the sheer volume has created a attractive attack surface. Everyone know what a CVE is, critical vulnerability? I feel better, at least people have heard that one. So the average software package has approximately 150 CVEs. Now some of them are low, right? They start to go one through 10. 10 is critical, 9 is high, and then 8, 7, 6, 5. But anything higher than 9 or higher needs to be remediated promptly. How many know what I mean when I say, how was your December last year with Log4j? Many organizations, including mine, spent too much of their holiday break searching for Log4j packages in their software stacks. The problem is that it's easy if you are a consumer of open source to realize the value of, oh, I'll just take this package and I'll use it and I'll do something else with it. But if someone says to you, well, hey, wait a minute. That package that you're using has unremediated high or critical CVEs in it. Do you realize that? Oh, no, I didn't realize that. Well, what do you think you should do about that? Well, it's not my code. It's the community's code. Maybe the community will fix it for me. Well, the days of leveraging open source without being more thoughtful about how you consume open source are changing. So one last question. How many have heard of the term S-bomb? That's about half. That's good. Software bill of materials. So about a year and a half ago, not because of open source, really, it was because of how many have heard of SolarWinds. That should be a popular one that gets hands up. So SolarWinds was the major hack of a company that was actually in the business of providing security software tooling to major governments and major corporations. And bad actors infiltrated that software and took advantage of the access they had. And because of that, the government in the US a year and a half ago issued an executive order on cybersecurity. And basically put the industry on notice to say, hey, the software industry has to change. It's like the early days of package food industry. And by that, I mean, when we all go to the grocery store today and you pick up a product, the government has made the producers of those products declare what the ingredients are. The government is going to use that metaphor for the software that it buys. So not today, not tomorrow, but sometime soon, major governments, not just the US, but Japan, Europe, they will all start to say, hey, when we buy software, we want to know what the list of ingredients is. It makes it even more challenging because when you consume software, especially open source, that package could even be bringing other packages in, along with the package you're using. And so the vulnerabilities can nest quite far down. So I've told you a lot of interesting, hopefully interesting information over the last time of my session. I hope it's caused you to think differently about the situation of open source and inner source. And gee, I have some stickers left over. If you'd like to come up and get one, please come say hello. Thank you very much.