On March 14, 2025, an executive order directed the Institute of Museum and Library Services (IMLS) to significantly reduce operations; all but 12 of its 75 staff were placed on administrative leave, active grants were terminated for evaluation, and the FY2026 budget request eliminates all IMLS funding. IMLS distributed $5.9 million in grants to 173 Native American and Indigenous tribal libraries in 2024 alone, and more than 100 libraries on federally recognized tribal lands received termination notices. Why it matters: tribal and rural libraries that lack local tax bases lose their primary source of federal support, so programs providing free internet access, technology lending, and digital literacy training in communities with no alternatives are cut, so residents in these areas lose access to job skills training, educational materials, and civic information, so the digital divide between rural/tribal communities and urban areas widens further, so entire communities become increasingly isolated from economic opportunity and democratic participation. The structural root cause is that IMLS, as an independent federal agency with a relatively small budget (~$280 million annually), lacks the political constituency and institutional protection of larger agencies, making it a target for budget elimination despite serving communities that have no substitute funding sources.
More than 95% of public libraries in the United States and Canada rely on OverDrive's Libby app as their sole platform for lending ebooks, audiobooks, and digital magazines, processing over 739 million checkouts in 2024 and 820 million in 2025. Why it matters: a single private company controls the infrastructure through which virtually all public library digital lending occurs, so libraries have minimal negotiating leverage on platform fees, interface design, or data ownership, so if OverDrive changes pricing, terms of service, or discontinues features, libraries have no viable alternative to migrate to, so patron reading data and borrowing habits for hundreds of millions of transactions are concentrated in one company's servers with limited transparency, so the public good of library digital access is dependent on the business decisions of a private monopoly rather than on public infrastructure. The structural root cause is that decades of library technology market consolidation -- including Rakuten's 2015 acquisition of OverDrive for $410 million -- combined with the high switching costs of migrating digital catalogs, patron accounts, and publisher agreements, have created a natural monopoly that competitors like cloudLibrary, Hoopla, and ODILO cannot meaningfully challenge.
Since 2019, Hachette Book Group and Penguin Random House have eliminated perpetual-access ebook licenses for libraries, replacing them with two-year metered-access models, while Simon & Schuster shifted from one-year to two-year terms. Perpetual access availability in the U.S. dropped from 34% of titles in 2019 to just 15% in 2024, and the average initial cost for licensing a single ebook title rose from $35.54 in 2019 to $47.69 in 2024 -- a 34% increase that outpaces retail ebook price growth by more than 6x per year. Why it matters: libraries must relicense the same titles every two years at inflated prices, so their materials budgets buy fewer new titles each cycle, so patrons face longer hold queues and reduced catalog breadth, so readers in lower-income communities who depend on library access lose equitable access to current literature, so the public library's core mission of providing free and equal access to information is structurally undermined by publisher pricing power. The structural root cause is that the Big Five publishers control over 80% of trade ebook distribution and the first-sale doctrine (which allows libraries to lend physical books without restriction) does not apply to digital content under current U.S. copyright law, giving publishers unilateral power to set license terms, durations, and prices with no legal obligation to offer libraries fair or perpetual access.
Most US school districts evaluate teachers using classroom observation rubrics (such as Danielson Framework or Marzano model) combined with student test score value-added measures. Research shows a positive correlation between teachers' observation scores and their students' prior achievement levels, meaning teachers assigned to higher-performing student groups receive systematically higher evaluation scores regardless of their actual teaching quality. Only 67% of teachers believe their school's evaluation system is fair to all teachers, despite 88% feeling it is fair to them personally. Why it matters: teachers in high-poverty schools with students far below grade level receive lower evaluation scores through no fault of their own, so they face greater risk of being placed on improvement plans or denied advancement, so experienced teachers avoid or leave high-need schools to protect their professional records, so the highest-poverty schools with the greatest need for strong instruction experience the highest teacher turnover, so the achievement gap between wealthy and poor districts widens as a direct consequence of a system designed to measure teacher quality. The structural root cause is that observation-based evaluation systems were mandated by Race to the Top (2009) and state accountability frameworks as a condition of federal funding, but the instruments were validated primarily in middle-class suburban settings. The systems assume classroom context is neutral, when in reality student behavior, prior achievement, class size, and resource availability all vary dramatically by school socioeconomic status and systematically bias observation scores against teachers in the most challenging placements.
Only 2 states meet the American School Counselor Association's recommended ratio of 250 students per counselor. Over 56% of school counselors manage caseloads of 300-400+ students, and the share of schools where counselors provide mental health services dropped from 83% to 73% between 2021-22 and 2024-25. With 55% of schools citing insufficient mental health staff as their top barrier, teachers are increasingly expected to identify and respond to student anxiety, depression, self-harm, and trauma on top of their instructional duties. Why it matters: teachers are expected to serve as frontline mental health screeners without clinical training or compensation, so they must make judgment calls about student welfare that carry serious consequences if missed (suicide risk, abuse reporting), so the emotional labor of managing 25-30 students' mental health needs daily accelerates teacher burnout (52% report burnout, highest of any profession surveyed), so teachers who burn out and leave are replaced by less experienced staff even less equipped to handle these responsibilities, so the youth mental health crisis (which has seen teen depression and anxiety rates roughly double since 2010) goes inadequately addressed at the point of greatest access. The structural root cause is that school counselor positions are funded through the same constrained education budgets as teaching positions, and when budgets tighten, counselor and psychologist roles are cut first because they are not directly tied to state-mandated instructional requirements, effectively transferring mental health responsibilities to classroom teachers by default rather than by design.
The average US school district uses 2,739 EdTech tools (up 170% from 841 in 2018), but only half are accessed monthly, indicating massive tool sprawl. Teachers are expected to manage instruction across Google Classroom, Canvas, Clever, Kahoot, Seesaw, PowerSchool, IXL, and dozens of other platforms simultaneously. 79% of teachers report experiencing technology fatigue, and nearly two-thirds of educators, principals, and district leaders say they are burned out from tech demands. Why it matters: teachers must learn, manage, and troubleshoot dozens of platforms without adequate training time, so they spend instructional time on technical logistics rather than teaching, so the cognitive load of switching between platforms reduces the quality of both lesson delivery and student engagement, so districts waste significant portions of their EdTech budgets on unused or underused tools (only 50% of tools see monthly use), so the promise of technology improving education is undermined by the chaotic, uncoordinated way it is deployed. The structural root cause is that EdTech purchasing decisions are typically made by district administrators or IT departments without meaningful teacher input, vendors market directly to decision-makers with free trials and bundled deals, and there is no standardization or interoperability requirement across platforms, so each new tool adds friction rather than reducing it. Districts lack a coherent EdTech governance process to evaluate, consolidate, or sunset tools.
95% of US public schools conduct active shooter drills, averaging 2.65 drills per school year. Research shows these drills are associated with a 39% increase in depression, 42% increase in stress and anxiety, and 23% increase in physiological health problems among participants including teachers. Middle school communities experience the steepest impact (55% increase in depression). Yet only 10% of schools provide mental health support to staff or students after drills, and 69% of teachers say the drills do not actually make them feel safer. Why it matters: teachers are subjected to repeated simulated violence scenarios that measurably harm their mental health, so they experience compounding trauma from drills layered on top of the real fear of school shootings (which have increased significantly since Columbine in 1999), so teacher anxiety and hypervigilance reduce their emotional availability for students and instructional effectiveness, so teachers in states with frequent mass shooting events face even higher psychological burden, so the profession becomes less attractive to prospective educators who view physical danger as an unacceptable working condition. The structural root cause is that schools adopted active shooter drills reactively after high-profile mass shootings without evidence that realistic simulation drills improve outcomes, and the National Academies of Sciences (2024 report) found that discussion-based practices are equally effective and far less psychologically harmful, but most districts continue high-intensity drills because they are perceived as 'doing something' and face political pressure to demonstrate visible security measures.
US school districts can only fill 54-80% of substitute teacher requests, leaving one in five teacher absences uncovered. When no substitute is available, teachers with prep periods are drafted to cover in 35% of cases, students are split into other already-full classrooms 37% of the time, and administrators cover 12% of cases. This means teachers routinely lose their only scheduled time for lesson planning, grading, parent communication, and IEP documentation, forcing this work into evenings and weekends. Why it matters: teachers lose their contractually guaranteed preparation time multiple times per month, so they must do planning and grading during personal time (contributing to average 53-hour work weeks vs 44 hours for comparable professionals), so chronic overwork drives 43% of teachers to sleep less than 6 hours per night, so teacher health and instructional quality both decline, so the most disadvantaged schools (which have 2-4x more uncovered absences than affluent schools) suffer disproportionate harm to both teacher retention and student learning. The structural root cause is that substitute teacher pay averages $100-150/day (far below market rates for comparable day labor), creating a pool too small to meet demand, while districts treat teacher prep periods as a free labor reserve rather than the professional work time they are, and union contracts often lack enforceable limits on involuntary coverage assignments.
Since ChatGPT's launch in November 2022, 26% of K-12 teachers have caught students cheating with generative AI, and student discipline rates for AI-related plagiarism nearly doubled from 48% to 64% between the 2022-23 and 2023-24 school years. Teachers now bear the burden of becoming AI detectives: 68% rely on detection tools like GPTZero and Turnitin's AI detector, but these tools produce false positives roughly 2% of the time. In a University of Reading test, 94% of AI-written exam submissions went completely undetected by human markers. Why it matters: teachers must spend additional unpaid hours scrutinizing student work for AI-generated content on top of their normal grading workload, so false accusations from imperfect detection tools damage student-teacher relationships and can trigger formal academic integrity proceedings against innocent students, so teachers face an impossible choice between trusting students (risking academic fraud) and over-policing (risking wrongful accusations), so the fundamental teacher-student relationship shifts from mentorship to surveillance, so genuine learning and intellectual development are undermined. The structural root cause is that school districts adopted no coherent AI policies fast enough to keep pace with the technology (ChatGPT reached 100 million users in 2 months), leaving individual teachers to develop their own detection and assessment strategies without institutional support, training, or clear guidelines on what constitutes acceptable AI use versus cheating.
Post-pandemic student behavior has deteriorated significantly: 81% of superintendents identify behavior as a major concern, and two-thirds of US teachers report student misbehavior has worsened since before COVID-19. The average public school teacher loses 7 hours per month managing student outbursts and behavioral health issues, with middle school teachers losing closer to 10 hours. 80% of teachers address behavioral problems at least a few times per week, and 52% cite behavior management as their primary stressor, ranking it above low pay (39%). Why it matters: teachers spend a growing share of instructional time on de-escalation and discipline rather than teaching, so the 25+ other students in the classroom lose learning time during every behavioral incident, so academic achievement gaps widen (especially in high-poverty schools where behavioral issues are most concentrated), so teachers burn out and 16% intend to leave the profession, so the schools most affected by behavioral challenges become the hardest to staff, creating a self-reinforcing cycle of instability. The structural root cause is that teacher preparation programs include minimal training in trauma-informed practices, de-escalation, or behavioral intervention, and schools simultaneously dismantled traditional disciplinary structures (under well-intentioned restorative justice policies) without providing teachers the training, staffing, or mental health support infrastructure needed to make alternative approaches work effectively.
Special education teachers managing typical caseloads of 20+ students must complete annual IEP reviews (approximately 3-5 hours each including parent contact, teacher feedback, writing, and testing), re-evaluation reports, progress monitoring documentation, and compliance paperwork mandated by IDEA (Individuals with Disabilities Education Act). Nearly 70% of special educators report spending 6 or more hours per week on case management duties beyond their contracted day, and over a third spend 11-30 hours weekly on this paperwork alone. Why it matters: special education teachers spend more time on compliance documentation than on actual instruction or student support, so 72% report their large caseloads negatively impact their ability to meet student needs, so special ed has the highest shortage rate of any teaching specialty (reported in 45 out of 50 states), so districts hire under-certified staff or leave positions vacant, so the 7.5 million students with disabilities nationwide receive lower-quality services and their legally mandated educational rights under IDEA are functionally undermined. The structural root cause is that IDEA compliance requirements were designed around legal liability protection rather than educational outcomes, creating a documentation-heavy system where the paperwork proving services were delivered consumes more teacher time than the services themselves, and Congress has never fully funded IDEA (funding covers roughly 15% of costs vs the 40% originally promised in 1975).
Public school teachers in the US earn 26.9% less in weekly wages than similarly educated professionals in other fields, the widest gap ever recorded by the Economic Policy Institute. This 'teacher pay penalty' has more than tripled from 8.7% in the early 1990s. The average teacher salary of $72,030 (2024-25) appears to have risen 15% over the past decade, but inflation exceeded 25% during that same period, meaning teachers have lost real purchasing power. Why it matters: teachers earn significantly less than peers with the same education level, so fewer college graduates choose teaching as a career (education degree completions have declined), so the pipeline of qualified new teachers shrinks while 411,000+ positions are already vacant or filled by under-certified staff, so students increasingly learn from inexperienced or unqualified instructors, so academic outcomes suffer most in the highest-poverty districts that struggle most to compete on salary. The structural root cause is that teacher compensation is set through rigid public salary schedules negotiated at the district level and funded primarily by local property taxes and state appropriations, creating a system where pay cannot respond to labor market competition the way private-sector wages do, and state legislatures have consistently underfunded education relative to cost-of-living increases.
K-12 teachers in the United States spend an average of $895 out of pocket per year on classroom supplies (up 49% since 2015), while the median school-provided supply budget is just $200. 97% of teachers report their school budget is insufficient to cover basic needs like notebooks, markers, and printer paper. Why it matters: teachers subsidize public education from their own paychecks, so their already-low salaries effectively shrink by hundreds of dollars per year, so 20% of teachers now work a second job (a 25% jump since 2023) partly to cover classroom costs, so teacher financial stress increases burnout and accelerates attrition from the profession, so schools in low-income districts that need the most experienced teachers lose them to wealthier districts or other careers entirely. The structural root cause is that per-pupil funding formulas in most states have not kept pace with inflation (school supplies rose 7.3% in 2025, nearly triple the overall inflation rate), and districts allocate the vast majority of their budgets to salaries and facilities, leaving classroom materials as an unfunded mandate that teachers silently absorb rather than letting students go without.
Morgan Stanley forecasts $2.9 trillion in cumulative global data center capital expenditure between 2025 and 2028, while total generative AI market revenue in 2025 is expected to reach only $30 billion, creating an investment-to-revenue ratio of approximately 97:1 that echoes the infrastructure overbuild of the late-1990s telecom bubble, and McKinsey research indicates many enterprise AI projects struggle to move beyond pilot phases to production deployment at scale. Why it matters: Hyperscalers and private equity firms are committing to 15-20 year facility lifespans based on demand projections that assume exponential AI adoption, so if enterprise AI deployment stalls at the pilot stage or efficiency breakthroughs (like DeepSeek's training cost reductions) reduce compute demand per unit of AI output, so hundreds of billions in data center assets become underutilized or stranded, so investors and lenders face write-downs that ripple through REIT markets and infrastructure debt portfolios, so the resulting financial correction could choke off funding for legitimate AI infrastructure needs just as the technology matures enough for widespread productive use. The structural root cause is that data center investment decisions are being driven by a competitive 'arms race' mentality among hyperscalers (Microsoft, Google, Amazon, Meta) where falling behind on GPU capacity is perceived as an existential risk, combined with abundant cheap capital from infrastructure funds seeking long-duration assets, creating a classic principal-agent problem where the decision-makers committing capital are rewarded for growth and penalized for caution, regardless of whether the underlying AI demand materializes at the projected scale.
The rapid pace of AI chip advancement is compressing data center hardware refresh cycles, with AWS reverting its server lifecycle from six years back to five years in 2025 and booking approximately $920 million in accelerated depreciation charges, while generative AI workloads are projected to contribute an additional 1.2 to 5 million tons of annual e-waste globally as GPUs and AI accelerators become obsolete within 2-3 generations -- far faster than traditional server equipment. Why it matters: Each new GPU generation (Nvidia Hopper to Blackwell to next-gen) delivers 2-4x performance improvements, so running previous-generation hardware becomes economically irrational even when it is physically functional, so millions of operational GPUs and servers are retired years before end of useful life, so more than 80% of decommissioned data center equipment is discarded rather than reused, so toxic materials (lead, mercury, cadmium, brominated flame retardants) from circuit boards and components contaminate landfills and recycling facilities, disproportionately affecting communities near e-waste processing sites in developing countries. The structural root cause is that AI model training economics reward absolute compute performance above all else -- a 2x faster GPU that costs the same per chip reduces training time and electricity cost by half -- creating an upgrade treadmill where 'good enough' hardware is economically wasteful to operate, and no regulatory framework requires data center operators to internalize the end-of-life disposal costs of their hardware, externalizing environmental costs to waste management systems and communities.
Existing Texas data centers consume approximately 25 billion gallons of water per year for evaporative cooling, according to a January 2026 Houston Advanced Research Center report, while most of the state faces drought or near-drought conditions, and the OpenAI-led Project Stargate plans an estimated $115 billion in data center construction spanning 50+ buildings across multiple Texas campuses, including the water-stressed Panhandle region where Fermi America's construction has already paused due to permitting issues. Why it matters: Evaporative cooling towers are the cheapest and most energy-efficient cooling method, so data center operators in Texas default to water-intensive cooling to minimize electricity costs and PUE ratings, so agricultural irrigation, municipal water supplies, and data centers are drawing from the same declining Ogallala Aquifer and surface water sources, so Texas farmers and ranchers face higher water costs and potential allocation cuts as industrial demand grows, so food production costs in one of America's top agricultural states increase, passing costs to consumers nationwide. The structural root cause is that Texas water rights follow a 'rule of capture' for groundwater that allows unlimited pumping from beneath your own land with no regard for aquifer depletion, and the state's deregulated energy market (ERCOT) prices electricity but does not price water consumption into facility operating decisions, creating a perverse incentive to trade cheap water for expensive electricity savings through evaporative cooling.
Community opposition has blocked or delayed an estimated $64 billion in U.S. data center projects, causing the primary-market construction pipeline to shrink to 5,994 MW in H2 2025 from 6,350 MW at end of 2024 -- the first contraction since 2020 -- as local governments in Virginia, Maryland, Indiana, Michigan, North Carolina, and other states deny permits or impose moratoriums in response to resident concerns about noise, water, power costs, and environmental impact. Why it matters: Developers who have secured land and committed capital cannot get zoning or permitting approval, so they must either abandon sites (losing millions in sunk costs) or relocate to less-optimal locations farther from network interconnection points, so latency and connectivity quality degrade for end users, so the geographic concentration of U.S. data center capacity intensifies in the few jurisdictions that remain welcoming (primarily Texas and parts of the Southeast), so single points of failure in the national compute infrastructure increase. The structural root cause is that data center developers historically operated with minimal community engagement, relying on economic incentives and tax abatements to secure local government approval, but as the scale of individual projects grew from 10-50 MW to 200-500 MW campuses, the visible impacts on communities (24/7 generator noise, water consumption rivaling thousands of homes, transmission line construction through neighborhoods) became impossible to ignore, and no standardized community benefit framework exists to align developer and resident interests.
Data centers in Northern Virginia operate thousands of diesel backup generators, each typically 2-3 megawatts, that collectively represent gigawatts of uncontrolled diesel generation capacity in a region already designated as ozone non-attainment under the Clean Air Act, while the Virginia Department of Environmental Quality will begin requiring Tier 4-equivalent emissions controls for new diesel generator air permit applications starting July 1, 2026. Why it matters: The EPA's current 50-hour annual grid-support limit for emergency generators is being pressured for expansion as grid reliability deteriorates, so data centers may increasingly run diesel generators during peak demand periods, so NOx and particulate emissions in Loudoun County and surrounding areas will increase on the hottest days when ozone formation is already worst, so nearby communities -- including residential neighborhoods built adjacent to data center campuses -- face elevated respiratory health risks, so the region could face stricter EPA non-attainment consequences including loss of federal highway funding and mandatory emissions offsets for all new industrial sources. The structural root cause is that data center backup generators were permitted under emergency-use classifications that assumed rare, short-duration operation, but grid stress from the very same data centers is creating conditions where 'emergency' generator use becomes routine, while the Clean Air Act's permitting framework was never designed to regulate thousands of distributed diesel generators operated by a single industry sector concentrated in one geographic area.
The U.S. construction industry faces a shortage of roughly 439,000 workers as of late 2025, with an estimated 340,000 data center positions projected to go unfilled by end of 2026, while the industry needs over 300,000 new electricians in the next decade even as nearly 30% of union electricians are between ages 50-70 and approximately 20,000 retire each year. Why it matters: Data center construction timelines are extending 6-18 months beyond plan due to labor shortages, so developers are paying 30-50% wage premiums to poach skilled electricians from other construction sectors, so those other sectors (hospitals, schools, housing) face their own labor shortages and cost inflation, so the total cost of data center construction is rising while timelines slip, so the gap between announced AI capacity and actually-operational AI capacity widens, undermining hyperscaler revenue projections and enterprise AI deployment plans. The structural root cause is that the U.S. systematically de-emphasized vocational and trade education starting in the 1990s in favor of four-year college pathways, creating a 30-year pipeline deficit of skilled tradespeople that cannot be reversed quickly because electrician apprenticeships require 4-5 years of training, and data center electrical work requires additional specialized certifications in high-voltage systems and critical power infrastructure.
U.S. transmission operators report more than 2,600 gigawatts of proposed generation and storage projects waiting for grid interconnection approval, representing more than twice the country's current installed generation capacity, while the median time from interconnection request to commercial operation is now five years and historical data shows only 19% of projects entering queues between 2000-2018 ever reached commercial operation. Why it matters: Data centers require dedicated power feeds but cannot get grid connections for 3-5 years in most markets, so developers are forced into behind-the-meter generation (often natural gas or diesel) that increases emissions, so renewable energy projects that could supply clean power to data centers are stuck in the same queue with over $22 billion in renewable projects canceled in the first half of 2025 alone, so the entire premise of 'green AI' powered by renewable energy is undermined by the physical inability to connect clean generation to the grid, so climate commitments made by Microsoft (carbon negative by 2030), Google (net-zero by 2030), and Amazon (100% renewable by 2025) are being missed or quietly redefined. The structural root cause is that the U.S. interconnection study process was designed for an era of infrequent, large power plant additions and uses a serial, first-come-first-served queue structure that collapses under the weight of thousands of simultaneous applications, while FERC Order 2023 (issued November 2023) attempted reform but implementation varies by region and legacy queue backlogs will take years to clear.
TSMC's Chip-on-Wafer-on-Substrate (CoWoS) advanced packaging process -- required to bond high-bandwidth memory (HBM) dies to GPU compute dies -- remains the binding constraint on AI chip production, with TSMC CEO C.C. Wei confirming capacity is 'sold out through 2025 and into 2026,' while all three HBM producers (SK Hynix, Samsung, Micron) have their 2025-2026 supply fully committed and have raised prices nearly 20%. Why it matters: Lead times for data center GPUs now range from 36 to 52 weeks, so hyperscalers like Microsoft, Google, Meta, and AWS are locked in a zero-sum allocation battle for limited GPU supply, so mid-tier cloud providers and AI startups cannot secure enough compute hardware to train or deploy models, so the AI industry is bifurcating into compute-rich incumbents and compute-starved challengers, so innovation is being throttled not by ideas or talent but by physical manufacturing constraints in a handful of Taiwanese and South Korean factories. The structural root cause is that the entire AI accelerator supply chain funnels through a single advanced packaging technology (CoWoS) at a single manufacturer (TSMC), creating a monopoly bottleneck that cannot be resolved quickly because building new packaging capacity requires 18-24 months of facility construction and qualification, and no alternative packaging technology delivers equivalent performance for AI workloads.
Large power transformers -- the critical link between high-voltage transmission lines and data center facilities -- now require 128-week lead times for standard units and up to 144 weeks for generator step-up units, with some transmission-class transformers taking three to six years to deliver, while unit prices have increased 77% since 2019. Why it matters: Data center buildings can be constructed in 12-18 months but cannot operate without transformer-fed power, so completed facilities sit idle for years waiting for electrical equipment, so developers are paying 2-3x premiums on secondary markets to secure transformers faster, so these inflated costs get passed through to cloud computing customers as higher rack rates, so AI startups and enterprises face unpredictable infrastructure costs that undermine business planning and slow AI deployment timelines. The structural root cause is decades of underinvestment in domestic transformer manufacturing -- the U.S. has only a handful of large power transformer factories -- combined with a sudden demand surge from data centers, EV charging infrastructure, and grid modernization simultaneously competing for the same limited production capacity, while the specialized grain-oriented electrical steel required for transformer cores is sourced from only a few global suppliers.
Dominion Energy in Northern Virginia is processing over 60 gigawatts of data center power applications against only 8 gigawatts of available grid capacity -- a 7.5x demand-supply gap -- forcing the utility to propose its first base-rate increase since 1992, adding $8.51 per month to household bills in 2026 and potentially driving electricity costs up 25% or more for residential customers in the region. Why it matters: Data centers consume one in every five kilowatt-hours produced by Dominion Energy in Virginia, so capacity market prices in the PJM Interconnection have spiked nearly tenfold, so retail electricity rates in the region have increased over 15% in some service areas, so residential customers who have no connection to the AI industry are subsidizing infrastructure buildout through higher bills, so low-income households in Loudoun and Prince William counties face energy poverty risk as utility costs consume a growing share of their income. The structural root cause is that Virginia's data center tax incentives (enacted in 2009 and expanded repeatedly) attracted massive concentration -- the state hosts roughly 300+ data centers representing 35% of global hyperscale capacity -- without requiring developers to fund proportional grid upgrades, leaving the cost of transmission and distribution infrastructure socialized across all ratepayers rather than allocated to the data center operators driving the demand.
Despite US Executive Order 14028 (May 2021) requiring SBOMs for federal software procurement, CISA's updated 2025 minimum elements expanding required metadata, and the EU Cyber Resilience Act making SBOMs legally mandatory for the EU market by December 2027, a 2025 academic study found that only a limited fraction of real-world SBOMs contain minimum or recommended information, and many are non-compliant with existing standards (SPDX, CycloneDX). Why it matters: incomplete SBOMs give organizations a false sense of security about their software composition, so when a vulnerability like Log4Shell is disclosed, companies cannot quickly determine if they are affected, so incident response takes weeks instead of hours (the average Log4Shell incident response cost was $90,000+), so regulators imposing SBOM requirements receive unusable data that does not actually improve supply chain security, so the entire SBOM ecosystem becomes a compliance checkbox exercise rather than a functional security tool. The structural root cause is that SBOM generation tooling cannot reliably detect all transitive dependencies across polyglot codebases (JavaScript, Python, Java, C/C++ mixed in one project), two competing standards (SPDX and CycloneDX) fragment the ecosystem, and open source projects themselves have no incentive or capacity to produce SBOMs because the mandate falls on commercial manufacturers who merely consume their code without funding SBOM creation upstream.
In February 2024, the Paris Court of Appeal ruled that Orange (France's largest telecom, with 266 million customers) must pay Entr'ouvert over 900,000 euros (500,000 compensatory, 150,000 moral damages, 150,000 disgorgement of profits) for incorporating the GPL-licensed LASSO single sign-on library into commercial products without releasing source code or obtaining a commercial license. Why it matters: this ruling establishes binding precedent in the EU's largest market that GPL violations carry six-figure financial penalties, so companies that have been casually ignoring copyleft obligations in their products now face quantifiable litigation risk, so legal teams must audit every open source component for license compliance (over 53% of codebases have conflicts per Black Duck 2024 data), so the cost of open source license compliance is shifting from 'nice to have' to 'legal liability,' so companies that built products on GPL-licensed components without compliance infrastructure face retroactive exposure across their entire product portfolio. The structural root cause is that for decades, GPL enforcement was treated as a theoretical risk because lawsuits were rare and damages were minimal, so companies built compliance-ignoring cultures, and now that courts are awarding substantial damages, there is a massive gap between the scale of non-compliance (53%+ of codebases) and the legal and technical infrastructure needed to achieve compliance.
The 2024 Open Source Software Funding Survey (a collaboration between GitHub, the Linux Foundation, and Harvard University with 501 respondents) found that while organizations collectively contribute an estimated $7.7 billion annually to open source, 86% of this is employee labor time on company-selected projects, not transferable financial contributions to independent maintainers. The median organization invests $520,600 of annual value, but only 14% reaches maintainers as money. Why it matters: independent maintainers of foundational libraries receive almost none of the $7.7 billion because it stays inside corporations as salary, so maintainers outside Big Tech cannot sustain themselves on open source work, so the projects corporations do not directly use but indirectly depend upon (transitive dependencies) receive zero investment, so critical low-level libraries like core-js (used by 75% of the top 1,000 websites) have maintainers who publicly document financial hardship, so the funding model systematically directs resources to visible high-profile projects while starving the invisible foundational layer. The structural root cause is that corporations optimize open source investment for their own strategic needs (hiring, product integration, ecosystem control) rather than ecosystem health, and no mechanism exists to redistribute corporate open source labor budgets toward the transitive dependency maintainers who actually underpin the software supply chain.
Sonatype's 2024 State of the Software Supply Chain report documented 512,847 malicious packages discovered across open source registries in a single year, a 156% increase over the previous year, with techniques including typosquatting, dependency confusion, and protestware. In 2025, malware on open source platforms rose a further 73%. Why it matters: developers install malicious packages that steal credentials, SSH keys, and crypto wallets from development machines, so compromised developer credentials provide access to production systems and source code repositories, so attackers use stolen npm tokens to publish trojanized versions of legitimate packages, so the malicious package becomes a force multiplier infecting all downstream consumers, so trust in the entire open source package ecosystem erodes, slowing adoption and increasing costs. The structural root cause is that package registries like npm (with 2.5+ million packages) and PyPI operate with minimal staff -- npm has no pre-publication security review, anyone can publish any package name, and the registries rely on post-hoc detection by volunteer security researchers and automated scanners rather than preventing malicious uploads, because the registries were designed for developer convenience in an era before software supply chain attacks became industrialized.
The EU Cyber Resilience Act, published December 10, 2024, introduces the novel legal category of 'open source software steward' -- foundations and organizations that systematically support open source projects used in commercial products. These stewards must implement documented cybersecurity policies, report actively exploited vulnerabilities to EU authorities (ENISA), and facilitate information sharing, with some requirements taking effect September 11, 2026 and full applicability by December 11, 2027. Why it matters: open source foundations like the Apache Software Foundation, Eclipse Foundation, and Linux Foundation must build compliance infrastructure for hundreds of projects, so foundations already operating on thin margins must hire legal and security staff or risk non-compliance, so smaller open source organizations without EU legal expertise may simply stop distributing software in Europe, so commercial manufacturers using open source must treat every open source component like first-party code for vulnerability handling, so the compliance burden falls disproportionately on the least-resourced participants in the software supply chain. The structural root cause is that the CRA was designed primarily for commercial software vendors and IoT manufacturers, and while the final text exempts non-commercial open source development from the heaviest requirements, the 'steward' category creates a gray zone where nonprofit foundations face regulatory obligations without corresponding revenue streams or government funding to meet them.
Between 2023 and 2024, three of the most widely deployed open source infrastructure projects changed their licenses to restrict cloud provider usage: HashiCorp moved Terraform from MPL 2.0 to BSL 1.1 in August 2023, Redis switched from BSD to dual RSALv2/SSPLv1 in March 2024, and Elastic had previously moved from Apache 2.0 to dual SSPL/Elastic License. These licenses are not recognized as open source by the OSI. Why it matters: enterprises using these tools in cloud environments face sudden license compliance uncertainty, so engineering teams must evaluate whether to accept restrictive terms or migrate to forks (OpenTofu, Valkey, OpenSearch), so migration projects consume thousands of engineering hours that could go to product development, so the open source ecosystem fractures into competing incompatible forks with diverging feature sets, so companies that built their infrastructure on the promise of open source permanence lose trust in all open source projects' license stability. The structural root cause is that venture-funded open source companies face an irreconcilable conflict: they need permissive licenses to build community adoption but cannot sustain revenue when cloud providers (AWS, GCP, Azure) offer managed versions of their software without contributing proportionally, and no legal or community mechanism exists to prevent a project's corporate steward from unilaterally changing the license.
On March 14, 2025, attackers compromised the tj-actions/changed-files GitHub Action (used by 23,000+ repositories) by stealing a personal access token from the @tj-actions-bot account, then modified all existing version tags to point to malicious code that dumped CI/CD runner memory -- exposing access keys, GitHub PATs, npm tokens, and private RSA keys from every repository that ran the action. Why it matters: thousands of repositories' secrets were written to public workflow logs, so attackers could harvest credentials for downstream systems including cloud providers and package registries, so compromised npm tokens could be used to publish malicious versions of legitimate packages, so a single compromised GitHub Action created a cascading supply chain attack vector across the entire ecosystem, so the attack demonstrated that GitHub's tag-based versioning model for Actions provides no integrity guarantees. The structural root cause is that GitHub Actions' versioning system allows maintainers (or attackers with maintainer access) to retroactively modify what code a version tag points to, and the ecosystem convention of pinning to major version tags (e.g., @v45) rather than immutable commit SHAs means a single compromised PAT can silently replace trusted code across thousands of CI/CD pipelines simultaneously.