Member post originally published on SparkFabrik’s blog by SparkFabrik Team
Technological developments have made cyber security a top priority, especially considering the increase in cyber threats. In this context, the Cyber Resilience Act has been presented as an attempt to strengthen cyber security. However, there is an ongoing debate about the potentially negative impact this legislation could have on open source, a key pillar of technological innovation. In this article, we will explore concerns about the Cyber Resilience Act and how it could affect open source.
What does the Cyber Resilience Act involve?
The Cyber Resilience Act is a proposed European regulation that aims to improve the cyber resilience of critical infrastructures through increased cooperation between the public and private sectors. It introduces the idea of an advisory council of experts to develop cybersecurity recommendations and promote the adoption of advanced technologies. And what’s wrong with that? Nothing, as far as the stated objectives go; the problem is the misalignment between those intentions and the actual dynamics of how they would be implemented.
These are the two crucial points around which the discussion revolves:
- the CRA does not distinguish between the collaborative development of upstream technologies and their introduction onto the market
- the CRA does not limit the foreseeable use of the product to the manufacturer’s intended scope, thereby making upstream open source communities responsible for vulnerabilities even in the most unexpected use cases
In essence, the risk is that the responsibility for the security of the code falls on the upstream contributors, who, however, have no visibility of the software and hardware context into which their code will later be inserted.
The example Mirko Boehm of LFE proposes in his article is illustrative: it is as if an open source contributor could suddenly become responsible for the vulnerabilities of software written without any knowledge of its eventual deployment context, if that software were then used downstream to control a nuclear power plant.
Concerns for Open Source
Although many of us are well aware of what it is, we also reiterate this for those who might come across this article and not be experts. Open source is a development model in which source code is publicly available, based on collaboration and sharing. Although the Cyber Resilience Act has been very positively received for its goal of securing the entire software/hardware supply chain, it is nevertheless raising concerns among the open source community, mainly for the following reasons (we simplify them; other articles will offer different insights).
Excessive Constraints and Regulations
The Cyber Resilience Act could introduce excessive regulations and constraints on open source. As source code is publicly accessible, stricter restrictions could be imposed on modifications or operations to ensure compliance with security regulations. This could limit the agility and open nature of open source.
Additional Financial Burden
Implementing the security measures required by the Cyber Resilience Act could generate significant financial burdens for open source projects. Developers may be forced to invest additional resources to ensure compliance, putting the economic viability of open source projects at risk.
Compromising Sharing and Transparency
Open source is based on sharing and transparency. Requiring restrictions or limitations on information disclosure could compromise the very essence of open source. Fear of violating regulations might discourage developers from opening up their code and sharing it with the community.
Reducing Collaborative Innovation
Restrictions may discourage developers’ active participation in open source. If laws are too stringent, developers might opt for more flexible projects or avoid contributing at all. This could lead to a decrease in the collaborative innovation that is the basis of open source’s success.
While the Cyber Resilience Act aims to strengthen cyber security, it is crucial to balance security efforts with the open and collaborative nature of open source. Addressing cyber threats is crucial, but it is equally important to ensure that security measures do not stifle the innovation and sharing that characterise open source.
An open and continuous dialogue between stakeholders is essential to develop effective policies that take both objectives into account. Hopefully, the legislative process will allow the necessary time and consult the most appropriate experts for this type of involvement.
#FixTheCRA: what the Linux Foundation Europe is doing
In this scenario, the Linux Foundation Europe is at the forefront with the #FixTheCRA initiative that SparkFabrik fully supports.
As mentioned above, the European Union’s Cyber Resilience Act (CRA) is going through its legislative process and is currently being discussed in the European Parliament (rapporteur Nicola Danti) and the European Council. It will soon enter the EU trilogue phase, essentially the last step before the European Parliament votes on the CRA in plenary.
The CRA’s policy objectives (reducing vulnerabilities in digital products, ensuring cybersecurity throughout a product’s lifecycle, and enabling users to make informed decisions when choosing and using products) are widely supported by the open source community, as well as formally by LF Europe. But strong concerns remain about how the CRA intends to achieve these goals, especially in the context of the open source ecosystem.
Although the Linux Foundation wholeheartedly endorses the goal of strengthening the security of the software supply chain, the Open Source Security Foundation (OpenSSF) being the most concrete example of this, there continues to be a broad consensus that the way the law is currently drafted inadvertently risks placing a heavy burden on open source contributors and non-profit foundations.
This is why it has taken action on several fronts to avert the risk that the CRA will stifle open source innovation, a pillar that the EU itself has identified as fundamental to achieving its human-centred technological and social goals (recall here also the commitment to adhere to the 17 Sustainable Development Goals defined by the UN and to which LFE together with the larger Linux Foundation has adhered).
Its response is divided into five areas:
- LFE is working alongside other open source organisations under the auspices of the Open Forum Europe (OFE) to support concrete and common sense amendment proposals by engaging with policy makers to offer guidance and advice on how the open source ecosystem works
- It is tenaciously disseminating to all Linux Foundation Europe participants the potentially critical aspects of the legislative proposal and promoting action.
- It sent an open letter, signed by a broad coalition of open source foundations, asking the EU for closer cooperation and consultation with open source communities on the CRA and future legislation.
- It organises roundtables and Birds of a Feather sessions to discuss the issue with the EU, as happened in a panel at Kubecon Europe or at the recently concluded Open Source Summit Europe (September 2023).
- It is actively working to create forums for collaboration between foundations, with the aim of providing a broad representation of the open source community and an interlocutor for ongoing dialogue with policy makers.
Whether you are an open source enthusiast, whether you have built a business on it, whether you are a staunch activist or a developer at a corporation that bases its success on open source, the Linux Foundation Europe, and we with it, call on the broader community to act now: your active participation is important. We invite you to voice your concerns. On the LFE website you will find social-ready content, a large number of in-depth reports and a Discord channel where you can have a concrete discussion.