LF Europe Chief Warns Developers on EU’s Cyber Resilience Act
European developers face being unable to download or contribute to open source software if the EU’s Cyber Resilience Act (CRA) is passed as it currently stands, Linux Foundation Europe chief Gabriele Columbro has warned.
Even though proposed amendments to the legislation address some of the open source community’s most pressing concerns, Columbro told The New Stack, the industry faces years of uncertainty and risk as policymakers, standards bodies, lawyers, and developers thrash out what the legislation means in practice.
The wide-ranging legislation, unveiled just over a year ago, casts cybersecurity as a national security issue, and aims to improve tech resilience and protect consumers in Europe. It envisages a single vulnerability reporting platform and envisages a “baseline” of security for IoT and other connected products.
But, in the eyes of the open source community, it potentially shifts responsibility for vulnerabilities and breaches onto open source contributors and maintainers, rather than the entities that implement and commercialize open source code.
Fix the CRA
Kicking off the Open Source Summit in Bilbao last month, Columbro called on the community to make its feelings known and to back its #FixTheCRA campaign.
He warned that the text loads liability onto upstream developers and foundations. “There’s very much a chance that in order to prevent liability, open source projects could be blocked for download into the EU or be published with a disclaimer [saying they are] not approved for use in the EU.”
As a former release manager, he said, “If at a certain point, my build starts breaking, because my upstream dependencies all of a sudden are not available, I’ll be quite pissed”.
The CRA, perversely, was at odds with the EU and member governments’ previous backing of open source, he said and could scupper the EU’s own efforts to assert digital sovereignty.
The act is still a work in progress, and a revised text, agreed in July, read “This Regulation should only apply to free and open source software that is supplied in the course of a commercial activity.”
But while these amendments might reassure some open source advocates, there is no guarantee they will make it into the final act. And with such a wide-ranging piece of legislation, other clauses could have unintended consequences for open source.
The CRA now faces a trialogue process between the European Parliament, the European Council, and the European Commission, which should conclude by the end of this year. It will then enter “a technical stage”, with finishing touches by lawyers and linguists, which should take three to four months. This will be followed by an up to three-year implementation process as national governments implement the final text.
While this might seem a Byzantine, long-winded process, Sachiko Muto, CEO of OpenForum Europe, told an OpenSSF panel that the CRA’s progress was uncommonly quick. “The legislative process is being fast-tracked right now because the main political institutions are more or less in agreement, which is not always the case.”
Speaking to The New Stack, Columbro said he did not have a problem with the aims of the act. “We’re very supportive of the fact that software security is now considered national security. That makes a lot of sense.”
The revised drafts contained “welcome changes,” he added. “[But] will they make it in the final compromise text? I don’t know.”
Risk and Liability
In the meantime, the software world faces potential years of uncertainty over risk and liability, as the law is finalized, implemented, and quite possibly, tested in court.
In addition, contributors and organizations might seek to protect themselves from liability, Columbro said. “I’m thinking especially of those smaller foundations that just simply have no capability, both monetary and resource-wise, to ensure conformance.”
“Nobody likes risk,” he said.
He said that the act was flawed from a purely technical standpoint because it “assumes that upstream developers are the ones that are best placed to assess the cybersecurity of an open source project. They’re the maintainers.”
But, he continued, “Every cybersecurity expert will tell you it’s wildly dependent on the runtime where you’re actually running the open source project.”
Linux runs on the Mars Rover, in cars, and power plants, he said. “How would the Linux maintainers know how to test and certify that a downstream usage of Linux is actually secure? It doesn’t make sense.”
The situation has wider potential implications for the Linux Foundation, as well as other open source foundations, and groups. Columbro said the LF had not quite seen this situation coming. The Linux Foundation Europe was created just as the CRA was made public, meaning it has been playing catchup ever since.
There was a question over how the LF should confront similar issues in the future.
“We’re not a lobbying organization,” he said, but he also said it was hard to represent a distributed entity, like an open source community, compared to large companies that have very structured Public Affairs departments.
It was difficult for an organization like the Linux Foundation to “talk on behalf of every single constituent. So that’s why we launched the campaign to really ask people to have their voice heard,” he added.
Ultimately, the issue is in the hands of European politicians and bureaucrats. But, Columbro pointed out, “There are now six million estimated developers in Europe, and those are electors.”