FOSS could be an unintended victim of EU security crusade:
Opinion: The European Union has a commendable love for the safety of its citizens. Armed with the keys to a market of 300 million of the world's richest consumers, the EU has merely to scent danger to bravely regulate. Food, consumer goods, financial markets and data processing: if it can bite the punter, the EU has a legal muzzle to hand.
[...] The EU has now turned its attention to cybersecurity and more especially the lack thereof. It's certainly dangerous enough to merit attention. A proposed Cyber Resilience Act (CRA) making its way through Brussels says that for "products with digital elements" to be allowed on the EU market, manufacturers have to demonstrate they follow best practice in four areas. These are improving the security of a product through the whole life cycle, following a coherent cybersecurity framework to measure compliance, demonstrating transparency about cybersecurity efforts, and lastly making sure customers can use products securely.
Which sounds fair enough, considering some of the horrors visited upon us in the past – and today. Cheap "smart" electronics running out-of-date Android that nobody's patched since Noah? Phones studded with "I bring you the best wishes of the People's Liberation Army" mystery-meat bloatware? Big name, big ticket office software that keeps making headlines for all the wrong reasons? Who could argue with bringing these into line?
There are just two questions that need to be answered: will the proposed regulations do the job they set out to do, and what effect will they have on the market? Here, it's not so much the devil in the details as the entire population of all seven layers of Dante's Inferno.
The effect on the market, according to the EU's own risk assessment, will be to cost some €29 billion, but with €180-290 billion saved through not having to deal with cybersecurity incidents. Exactly what counts as "products with a digital element" has been and is furiously debated, with the CRA dividing relevant software up into two categories of different importance and excluding – at the time of writing – software-as-a-service altogether.
SaaS is hotly disputed, with different EU countries taking differing stances on whether it can or should be regulated. What if a product has a chunk of software built in that talks to SaaS through an API? Will this drive more products into subscription models, taking them out of regulatory scope and into a bad revenue model for users?
But FOSS is in the most danger. The underlying assumption of the regulation is that cybersecurity exists in the digital market like fire resistance does in that for soft furnishings. Putting regulatory cost burdens on a part of the market with no revenue and no gatekeeping on its distribution channels cannot work; there are no prices to increase to absorb compliance costs and no tap to turn off to keep the stuff off the market.
[...] The EU as a whole, and many of its member states in particular, has been very pro-FOSS, seeing it as a way to disrupt de facto non-European software monopolies and encouraging diversity and transparency. The CRA draft even exempts FOSS from compliance – but only if no commercial use is made of it, including things like technical support and as part of monetized services. That breaks so many funding models for FOSS it's not even funny.
The principle of regulating digital products to make vendors take responsibility for cybersecurity is excellent but it demands proportionality. FOSS that is absolutely free of commercial interest isn't somehow more secure than one where you can buy a support contract. A far more general exemption that recognizes the intrinsic security advantages of software that is automatically transparent makes far more sense.
Related Stories
The Atlantic Council has published a policy report entitled "Avoiding the success trap: Toward policy for open-source software as infrastructure". It addresses the idea of Open Source Software (OSS) as essential infrastructure. OSS differs from physical infrastructure yet supports critical functions, provides dependable services, offers subtle and often unseen service delivery, and functions through decentralized control.
This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.
[...] None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possibly only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.
So it seems that the establishment continues to turn its jaundiced eye towards software development.
Previously:
(2023) Opinion: FOSS Could be an Unintended Victim of EU Security Crusade
(2022) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone
(2022) Open Source Community Sets Out Path to Secure Software
(Score: 4, Insightful) by khallow on Tuesday January 31, @06:24PM (3 children)
(Score: -1, Troll) by crafoo on Tuesday January 31, @06:59PM (2 children)
I agree. And in general, governments regulate industries due to corruption. In almost every single case where a government directly regulates an activity they would be better served simply by implementing proper incentives and penalties based on desired outcomes, not the actual business activities.
But then how would they directly pick winners and losers in that industry? Which is of course the actual goal.
(Score: 2, Interesting) by Anonymous Coward on Tuesday January 31, @07:34PM
You say
I understand this sentence as "The government has a strong desire to specifically pick, very specific, individual companies, as winners and wants to specifically designate very specific others as losers including all the way up to throwing the entire might of the government behind affecting this specific desire for those very specific companies"?
If that is the case, would you mind naming some names? Who in government, which individuals? Be as specific as you can be. Maybe even list their full names, departments, divisions, and e-mail addresses?
And here's something that would be even more useful: which companies are designated as winners? That way I can go and put my resume in there and be secure in employ for the rest of my life since that company has the backing, logistical, legal, force, etc. from the government to be a winner. Can't go wrong, amirite?
Clearly, you're on the distro list where these pieces of information are discussed and I, as a pleb, am not, but I would love to move up in the world...
Or was this just some cheap rant against something ("The Government") that you don't quite understand but that ticks you off for some reason?
(Score: 5, Insightful) by Ox0000 on Tuesday January 31, @07:55PM
I think you're painting with a tad bit too broad a brush...
Is all all regulation even-handed? Of course not. Should some of them be reconsidered and maybe repealed? Heck yes.
But does government "in general" put out regulations just to make everyone's life more miserable with some hidden agenda because it happens to tickle the prostate of some government employee just right? Fuck no.
You know what would do you well? Some time in government service. To actually see how it's done, who the people are that make those regulations, and why. What they consider and how they collect input. I'll admit that it's a very flawed process, but the nefariousness you ascribe to it is just grotesquely exaggerated, misinformed, but more damningly, misinforming.
If you went through civics class, you should have known better. Son, I am disappoint!
(Score: 5, Interesting) by gnuman on Tuesday January 31, @08:19PM
No, it does not. The purpose of *monetizing* things like support is to sell this support as a valid product. If you are then unwilling to actually do this support, then what is it for?
Literally, I work in this industry. The message we are selling customers is Secure Software Supply Chain, certifications, etc. etc. This is exactly how we make money from FOSS. And everything we do is FOSS. So, why do customers pay us for this and not just use random github projects?
It's not about being "more secure". It's about being "more secure". What's the difference? The difference is when you download some container from Docker Hub or GitHub, you know nothing about where it comes from. You download some package from Debian, then you can actually trust it a little more since you get build logs and can audit this. But if you are buying certified bits of whatever, then you should be able to know exactly which binaries are used to build this thing in the first place and in what environment it was built, and you should be able to get those bits yourself and try to rebuild it.
This stuff is about knowing what changes are put during support contracts. And these support contracts are different for different customers.
And it's more about those binaries and not about the sources ;) Think SolarWinds-type attack. Or how Android gets shit support because manufacturers just want to sell more new crap and old, working stuff they don't want to support. It's not about Apache Foundation suddenly getting screwed over because they have a bunch of old Java code lying around. It's about vendors being lazy and not supporting stuff they *sell*.
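The check gnuman describes above (know the source, the toolchain and the build environment; fetch those bits; rebuild; compare against the shipped binary) can be made concrete. The following is an added example, not code from the article, the CRA, or any commenter. It assumes a toy deterministic "compiler" in place of a real toolchain, a hypothetical toolchain name "cc-1.0", and a constructed one-line source file; the point it makes is the SolarWinds-style one from the comment: a vendor's own checksum can be internally consistent and still describe a binary that the source never produced, and only an independent rebuild exposes that.

```python
"""Verify a shipped artifact against its recorded provenance by rebuilding it.

Added example (not from the article or any commenter). The "compiler" below is a
stand-in: a real check would run the pinned toolchain in the recorded environment.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample input standing in for a project's source tree.
SAMPLE_SOURCE = b"int main(void){ return 0; }\n"

# Build-relevant environment the vendor pins and publishes (hypothetical values).
PINNED_ENV = {"SOURCE_DATE_EPOCH": "1700000000", "LC_ALL": "C"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Provenance:
    """What a vendor ships alongside a binary so a customer can rebuild it."""
    source_sha256: str
    toolchain: str      # hypothetical identifier such as "cc-1.0"
    env: dict           # the pinned build environment
    artifact_sha256: str


def build(source: bytes, toolchain: str, env: dict) -> bytes:
    """Toy deterministic 'compiler' (assumption, not a real toolchain).

    Output depends only on the source bytes, the toolchain name and the pinned
    environment, so anyone holding the same inputs produces identical bytes.
    """
    header = json.dumps({"toolchain": toolchain, "env": env}, sort_keys=True).encode()
    return header + b"\n" + hashlib.sha256(source).digest() + source


def compromised_build(source: bytes, toolchain: str, env: dict) -> bytes:
    """Same inputs, but the build host appends code the source never contained."""
    return build(source, toolchain, env) + b"\n/* inserted by a tampered build host */\n"


def make_provenance(source: bytes, toolchain: str, env: dict, builder=build):
    """Vendor side: build, then record digests of what went in and what came out."""
    artifact = builder(source, toolchain, env)
    prov = Provenance(sha256_hex(source), toolchain, dict(env), sha256_hex(artifact))
    return artifact, prov


def verify(source: bytes, shipped: bytes, prov: Provenance) -> list[str]:
    """Customer side: return a list of problems; an empty list means reproducible."""
    problems = []
    if sha256_hex(source) != prov.source_sha256:
        problems.append("source digest mismatch")
    if sha256_hex(shipped) != prov.artifact_sha256:
        problems.append("shipped artifact does not match vendor's recorded digest")
    # The decisive step: rebuild from the audited source with the recorded
    # toolchain and environment, and compare bytes, not promises.
    rebuilt = build(source, prov.toolchain, prov.env)
    if sha256_hex(rebuilt) != sha256_hex(shipped):
        problems.append("independent rebuild differs from shipped artifact")
    return problems


def scenario_honest() -> list[str]:
    shipped, prov = make_provenance(SAMPLE_SOURCE, "cc-1.0", PINNED_ENV)
    return verify(SAMPLE_SOURCE, shipped, prov)


def scenario_tampered_build_host() -> list[str]:
    # The vendor's records are internally consistent: the digest was taken from
    # the tampered output, so a checksum file alone passes. The rebuild does not.
    shipped, prov = make_provenance(SAMPLE_SOURCE, "cc-1.0", PINNED_ENV,
                                    builder=compromised_build)
    return verify(SAMPLE_SOURCE, shipped, prov)


if __name__ == "__main__":
    print("honest build:", scenario_honest() or "OK, reproducible")
    print("tampered build host:", scenario_tampered_build_host())
```

Two design points carry over to real toolchains: the environment that influences output (here SOURCE_DATE_EPOCH and the locale) has to be recorded and replayed, otherwise an honest rebuild also differs and the signal is lost; and the verifier must rebuild from the source it audited rather than from archives the vendor hands over with the binary.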
(Score: 4, Insightful) by Rich on Tuesday January 31, @09:10PM
Another front in the war against general computing. Without reading TFA, just from the quote "The CRA draft even exempts FOSS from compliance – but only if no commercial use is made of it, including things like technical support and as part of monetized services." it can be seen how shameless they are. Not involving "critical infrastructure", "official communications", or whatever. Just "monetized services". The part "make sure customers can use products securely" clearly needs to be read as "mandate bootloader lockdowns". Oh, and to prove security, rather than the corporate bullshit list theater mentioned, how about a look into the sources that exactly generate the shipped binaries?
By the way, we've already got a taste of it, in the form of lockdown requirements for software radios, to save the children from all the dangers that arise from some locally messed up RF bands.