Sure, with some caveats: You can scope it down to only very large companies very easily.
> They would pass the costs to customers. In essence, your suggestion leads to a Cyber tax collected by the IRS.
That's a bit oversimplified, I think. To the companies affected by the regulation, sure. Not every company would need to buy in. (At least, I hope not. Mom and pop shops aren't exactly flush with cash!)
> Next they have to divvy up the funding to pay OSS developers. Now you have the same problem you started with.
It's the spirit of the same problem, but the distribution is different.
Before, it's "make the US government funnel taxpayer dollars into OSS directly". Now it's "the US government forces megacorps to buy insurance, and the insurance companies figure out how to minimize risk by investing in the supply chain" one layer removed.
One reason why this might be better than the original version of the problem is that you can simply (but not easily; nothing in politics is ever easy) reproduce the same regulations and insurance business models in other countries, and the load is then balanced across the globe. The whims of individual countries' leadership are then no longer a single point of failure.
In the abstract, you are correct. But the details matter.
Of course, I could be wrong. I'm not an expert on policy, economics, or law.
Conversely, from speaking with friends doing BI at insurance companies, I don't think there is often more than a single percent of margin in insurance. Not a lot of room to take further risks without some backing.
If the government steps in to overcome the risk, we open the door to profiteering [1], same as our current banking disaster. And if they don't, then insurance companies will exit the industry, since the risk isn't justified.
[1] Profiteering: The act of making an unreasonable profit not justified by the corresponding assumption of risk.
The legal/regulation problems here are valid concerns, but the model is a bit different.
The primary corruption of insurance has a lot to do with their ability to deny paying for what they ought to cover. That's a problem. The incentives at play pretty much guarantee it will always be a problem, for which strong regulations are necessary. We don't have strong regulations in the USA for, e.g., health insurance, so I can understand why the word "insurance" is unattractive.
> Why this would work differently in the case of open source.
Great question.
The very incentive that makes insurance highly corrupt is what I'm proposing be leveraged to benefit open source developers.
A hypothetical insurance company would want to minimize their downside (paying money out) in order to maximize profits, because that's the economic system we live in today. The model I'm proposing is that investing in "the supply chain" would provide resources to offset risk.
On the other side, companies will want to minimize their spend on insurance. An insurance provider may offer reduced rates for companies that demonstrate some measurable commitment to security and responsible data handling practices (a.k.a. not collecting data they don't need in the first place, in case a breach does occur).
This insurance provides a currently absent mechanism for security assessors to effect positive change that protects the rest of us, even if the company doesn't want to actually put in the effort.
That's why I proposed it as a contender.
It is ironic that this comes right after talking about healthcare. Strong regulation won't fix it, being able to opt out and move to other systems will fix it. The best insurance comes from community groups where people literally just come together to pool risk. There only needs to be enough legal protection that one member can't run off with the money.