Header Ads

The Cyber Resilience Act Threatens Open Source

Society and governments are struggling to adapt to a world full of cybersecurity threats. Case in point: the EU CRA — Cyber Resilience Act — is a proposal by the European Commission to enact legislation with a noble goal: protect consumers from cybercrime by having security baked in during design. Even if you don’t live in the EU, today’s global market ensures that if the European Parliament adopts this legislation, it will affect the products you buy and, possibly, the products you create. In a recent podcast, our own [Jonathan Bennett] and [Doc Searles] interview [Mike Milinkovich] from the Eclipse Foundation about the proposal and what they fear would be almost a death blow to open source software development. You can watch the podcast below.

If you want some background, you can read the EU’s now closed request for comments and the blog post outlining the problems from opensource.org. At the heart of the issue is the need for organizations to self-certify their compliance with the act. Since open source is often maintained by a small loose-knit group of contributors, it is difficult to see how this will work.

Here’s the concern in a nutshell. Suppose you write up a cool little C++ program for your own use. You aren’t a company, and you didn’t do it for profit. Wanting to share your work, you post your program on GitHub with an open source license. This happens all the time.

Meanwhile, another developer of a large open source program — let’s say the fictitious open source GRID database server decides to incorporate your code. That’s allowed. In fact, it is even encouraged. That’s how open source works.

The problem is when the GRID database has a problem that causes a data breach. The problem turns out to be a vulnerability in your code. Under the proposed law, it is possible you’d be left holding the bag for a large sum of money thanks to your generous hobby project that didn’t earn you a cent. The situation is even more complex if your code has multiple contributors. Was it your code that caused the breach or the other developer’s code? Who “owns” the project? Are all contributors liable? Faced with this, most people would probably stop contributing or levy a license making it illegal to use their code in jurisdictions where laws like this apply.

[Milinkovich] points out that hobbyists will likely be expressly exempted, so the above scenario isn’t probable. But, he asserts that hobby programmers do not make most open source software that matters (his wording). Important software is often created by paid developers working as part of a foundation or a sponsor organization. The EU mentions “commercial activity,”  and the fear is that major software like Apache, Linux, and other important open source projects would fall under this umbrella.

The consensus is that the EU doesn’t want to cripple or kill open source. But there is still time for the act to have changes that will make the law more palatable. Similar efforts are going on in other countries, as well. We understand the desire to protect consumers and critical systems from cybersecurity vulnerabilities, and [Mike] agrees it has some good points. But we also know that killing open source software won’t be helpful. We hope some revisions in the act and similar efforts in other countries will help protect open source code so it can continue to help drive innovation.


No comments