"The draft cyber resilience act approved by the Industry, Research and Energy Committee aims to ensure that products with digital features, e.g. phones or toys, are secure to use, resilient against cyber threats and provide enough information about their security properties."
The act enters murky waters when it comes to open-source software.
As a reminder, open-source is a pillar of modern software.
It typically accounts for 70% to 90% of the code in web and cloud applications. Application security firm Synopsys found that 98% of the applications analyzed using its service included open-source software, and that 75% of the average codebase came from open-source projects.
Under the act, software producers should ensure that all of their open-source components have been accurately evaluated.
The primary worry comes directly from the open-source community itself.
Many prominent open-source projects express concern because the Cybersecurity Act appears to suggest that the responsibility of compliance should fall on the shoulders of open-source developers.
This literal interpretation could potentially create an unsustainable situation for those contributing to open-source projects.
It's important to note that the CRA does specifically exempt open-source software that is developed or supplied outside of commercial activities.
The issue seems to lie in how the CRA defines open-source activity.
The act seems to be permeated with the notion that most open-source activity stems from "Benevolent work," a perspective that is largely considered out-of-date in today's context.
This view couldn't be further from the reality: open-source and commercial activities are often intertwined in complex hybrid operating profiles.
Many open-source companies are developing open-source products with permissive licenses, while they monetize their activity through the selling of support services and premium features.
Conversely, it is not uncommon for tech giants to employ full-time engineers to work exclusively on some of the biggest open-source projects.
This highlights a significant misalignment between EU lawmakers and the open-source community.
Key players in the open-source field, such as OpenSSF and the Debian Foundation, have criticized the legislators for failing to consult them during the drafting of the act.
The Future of Open-Source Under the CRA
Despite prevailing concerns, it's unlikely that the Cyber Resilience Act will signal the end of open-source software in the European Union.
The potential upheaval caused by mandating every software producer to scrutinize all its open-source components is simply too vast.
Are the fears of open-source organizations bearing the burden of security responsibility justified?
These refinements should aim to enhance, rather than impede, the innovation and resilience that open-source technology brings to the digital landscape.
This Cyber News was published on securityboulevard.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000