Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

source link: https://lwn.net/Articles/914840/
[Posted November 14, 2022 by corbet]
NLnet Labs has put up a blog entry warning about the possible effects of the "Cyber Resilience Act" proposal in the European Commission.
We feel the current proposal misses a major opportunity. At a high level the 'essential cybersecurity requirements' are not unreasonable, but the compliance overhead can range from tough to impossible for small, or cash-strapped developers. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support via the CRA, the current proposal will overload small developers with compliance work.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 16:35 UTC (Mon) by jmclnx (subscriber, #72456) [Link]

It is just a proposal, I doubt it will go anywhere as is, but it is worth it for people to take action.

To me, if it does pass as is, I can see development moving out of the EU, leaving the EU stuck with proprietary environments. Maybe the UK will be positioned well for this?

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 17:36 UTC (Mon) by dvrabel (subscriber, #9500) [Link]

The regulation will apply to goods and services sold or delivered in the EU. Locating development in the UK or elsewhere in the world won't help (unless you want to exclude the EU as a target market).

I have not read the regulations in detail but from a quick skim (particularly of Annex V and VI), the requirements are what I would expect a company producing such products to be doing anyway -- the requirements are pretty basic (design docs, threat assessment, test evidence etc.). If you're a company cobbling together a product from random open source components and claiming security in marketing material without any of the required engineering to ensure actual security, then, well, you're a company that deserves to fail.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 18:28 UTC (Mon) by Tov (subscriber, #61080) [Link]

So in essence this regulation is no different from all the other EU regulations that ensure our hardware goods are safe to use, do not contain hazardous substances, do not disturb nearby electronic instruments, can be recycled with minimal waste etc. etc....

Maybe the software industry will also produce better products, if challenged a bit to do so.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 17:31 UTC (Mon) by kleptog (subscriber, #1183) [Link]

The problem is: we all agree that it would be really nice if all the software systems we used were secure, but we'd prefer if the costs for making that happen weren't borne by open-source software developers. But the question is: who will do it instead? The tooth fairy? The invisible hand of the market?

It does propose an exemption for open-source software, but doesn't answer the question of who will do the work instead. We can make regulations that say something should happen, but it's all pointless unless someone actually does the work. We don't want to swamp start-ups in compliance work, but giving them a free-pass to produce shitty products isn't really a good alternative either.

One approach would be to turn such "critical software" into a public good. The regular auditing of such product would be something undertaken or funded by a central authority. Or perhaps companies that do audits of open source software they use could actually publish the results. But that doesn't really help, because audits for complex software don't tend to find all the bugs. In general you're better off ensuring a good update mechanism than proving your software is bug-free.

Overall, I'm glad people are thinking about these issues, but I don't think it's going to be solved by regulation at this point. But you know, hammers and nails and all that.

Direct link to proposal: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 21:35 UTC (Mon) by mat2 (guest, #100235) [Link]

I'm also concerned about the continued possibility of replacing proprietary firmware found on many devices with free variants, for example by installing OpenWRT on routers and LineageOS on Android devices. Vendors and auditors may consider replacing firmware on their devices as problematic (what if a hacker replaced the software with one containing a backdoor!) and block it.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 14, 2022 22:07 UTC (Mon) by mtaht (subscriber, #11087) [Link]

On my bad days, of which I have many... I would like to ban the import of devices without clear provenance and a public source tree of the GPL'd components at least. That would boot a lot of crap off the market right quick, esp. including security cameras that phone home, and a ton of crappy IoT.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 1:24 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

It strikes me that EO 14028 (a US Executive Order, Improving the Nation's Cybersecurity, from about 18 months ago) is a similar context. An EO is, as its name might imply if you understand the crazy US government structure, something from the Executive, thus the US President, which feeds into US Federal agencies, such as NIST and the NSA in this case.

The medium-term impact of EO 14028 was stuff like P2687R0, which is the first step of a proposal for C++ 26 describing this as an "Emergency", because of course the agencies said if you want secure software you should stop writing C and C++ (this draft proposal was written by Bjarne Stroustrup, whose name might ring a bell).

I see P2687 and similar efforts as mostly an attempt to say "We're doing something" in the hope that politicians will quickly forget about this; the proposed work can then be abandoned, or at least limited to documentation which is then abandoned, and life goes on. It is certainly the case that there's lots of C and C++ Free Software. On the other hand, though, there's also a LOT of Free Software written in languages which these reports say you should consider instead, such as Java and Python and, most relevantly in this context (and to LWN), Rust.

So this has that crisis property where aspects of danger and opportunity combine. To the extent that Free Software prefers C to something safer like Java, there are risks that world governments will decide they value safety more heavily than before and choose non-free alternatives which don't have use-after-free bugs. On the other hand, to the extent Free Software communities embrace safety features more readily than big slow proprietary behemoths there's a chance worthy Free Software solutions dominate inferior but widespread and commercially successful alternatives that can't make themselves safer enough, quickly enough.

It is unclear to me, and perhaps somebody with the right perspective can explain, why both the US and EU decided they want their computers to be secure specifically in the last 2-3 years but not, say, in the 1990s or 2000s.
