CRA(P): Will Europe throw the open source baby out with the bathwater?
"The major concerns are that the responsibility for compliance would fall on the wrong parties..."
At the Linux Foundation's Open Source Summit Europe, when The Stack put its ear to the ground to find out what is plaguing OSS developers and enterprises there was one clear malady: The EU Cyber Resilience Act (CRA).
The main aim of the CRA is to "rebalance responsibility for compliance towards manufacturers".
Many who are regularly let down by wilfully insecure software may think this is, perhaps, no bad thing.
However, OSS contributors are concerned that the onus of compliance will fall unfairly on small-scale developers, whose code contributes significantly to myriad projects and products.
A few weeks back, Head of Community at Percona Joe Brockmeier told The Stack, "This legislation is likely to be very damaging if enacted," and that was a sentiment echoed by most open source stakeholders at the summit.
The Stack spoke to Omkhar Arasaratnam, General Manager of the OpenSSF, a cross-industry organisation committed to improving security standards across the board for open source.
"The OpenSSF acknowledges the good intentions behind the Cyber Resilience Act (CRA) but finds it flawed, failing to account for how individual contributors and Foundations support the open source software community," Arasaratnam said.
He told The Stack that the fundamental concern with the act was it would discourage the participation of foundations and individual contributors due to liability concerns.
This doesn't bode well, given that contributions from people of any nationality and position make up the bedrock of open source development.
Arasaratnam compared the EU stance with the American position on open source. He praised the US government for their strides "in open source software security through the RFI on open source security and memory safety."
He added: "We urge the EU to seek similar input for amending the CRA and future legislation."
In a sit-down interview with The Stack, Gab Columbro, the General Manager of Linux Foundation Europe, also lauded the "mature approach" taken by the US.
"Last week, we were at the White House with some of the largest big tech and financial institutions, so it really is a proof of maturity there," Columbro said.
He told The Stack he was "not massively concerned about legislation in America because the current administration is very technically savvy and has a deep understanding of how software is built, and how the full software supply chain works."
It's the lack of technical grasp, and of openness to industry input, that is holding the CRA back.
"The goals of the Act are very commendable, and I think it's important to understand that cybersecurity is National Security effectively, given that in the current geopolitical context, we are in wartime in Europe," Columbro added.
"The major concerns are that with conformance requirements that are coming down with the CRA the responsibility for that compliance would fall on the wrong parties, meaning individual developers, package managers and foundation nonprofits."
Columbro also expressed his disappointment in the lack of "proactive outrage" from policymakers regarding the Cyber Resilience Act.
"On one hand, you are pushing open source as a key driver for digital sovereignty. On the other hand, if the CRA is passed as it is, it might really impact the ICT sector in Europe, especially the Small Medium Enterprises that make up so much of the European GDP and are so critical to the European economy," he said.
A number of panels at the Open Source Summit also focused on the need to increase security within the ecosystem and to interface better with the public sector.
However, it is Arpit Joshipura, Executive Director of LF Energy and therefore in charge of deploying open source solutions in the most regulated of industries, who takes a somewhat contrarian stance.
Joshipura is of the opinion that a mountain is being made out of the CRA molehill. "The press just wants to be dramatic about it," he told The Stack with a shrug. "We have to look at the end goal, right? And the end goal for all of us is the same. We want to secure software, and we want to secure open source software."
He contends that the conflict is about the method of reaching this goal. "Now, you can go about this through regulations and have a very hard line drawn, or you can do it through processes and governance," he said.
For Joshipura, the CRA is a cog in the machine, needed to achieve a global standard and to meet well-intentioned resilience goals in the EU.
John Smith, CTO of the EMEA region for intelligence software company Veracode, is in favour of the debated legislation.
"Software supply chain vulnerabilities have continued to make headlines in 2023, highlighting the considerable knock-on effect of a single vulnerability on potentially thousands of companies and individual citizens," he said.
"These incidents exposed the need for cybersecurity standards that address the full software development life cycle, and it is encouraging to see that these have served as a wakeup call for regulatory bodies and spurred on government action, as demonstrated in the supply chain focus of the CRA," he continued.
Smith perceives the regulation as a sign that EU member states are communicating and coming to a common position on tech regulation, which can only be a good thing.
"The CRA is a landmark piece of regulation, put in place to rectify a number of current weaknesses in the European technology market," he concluded.
However, Smith and Joshipura remain in the minority, and the consensus at the Open Source Summit was clear. No one doubts that more resilient cyber operations are needed, yet that cannot be achieved without policymakers listening to industry experts and taking seriously what they have to say.