The European Union's proposed Cyber Resilience Act (CRA) aims to bolster cybersecurity standards for products with digital elements. While the intention is commendable, its current form could inadvertently stifle the open-source community, which forms the backbone of modern software development. It was a main topic at Open Source Summit Europe this year, where the slogan #FixTheCRA could be found on stickers and slideshows everywhere.
The Hippocratic Oath and Open Source: A Mismatch
Doctors take the Hippocratic Oath, vowing to do no harm and to act in the best interests of their patients. This oath is a commitment to uphold specific ethical standards, ensuring that the patient's well-being is always the priority. The CRA, in its current form, seems to impose a similar oath on open-source developers, holding them accountable for the software they release.
However, the comparison between doctors and open-source developers starts to break down when we consider scale and control. A doctor typically has a direct relationship with their patients, allowing them to diagnose, treat, and follow up. In contrast, an open-source maintainer might release software that is downloaded by millions, with no direct relationship or even knowledge of the end-users. Moreover, once the software is out, the developer often has no control over how it's used, modified, or integrated.
The CRA's Impact on Open Source
-
Commercial Support of Open Source: The CRA's current text only excludes open-source software (OSS) that has no commercial activity around it. This vague definition could mean that if the main contributors to an OSS project are employed, the project might be considered commercially tainted. Such a stance could discourage commercial entities from supporting open-source projects, leading to a potential decline in the quality and quantity of open-source contributions.
-
Vulnerability Disclosure: The CRA would require vulnerabilities to be disclosed within hours of discovery, even if no fix is available. This could jeopardize coordinated disclosure efforts, where researchers give vendors time to develop security patches before vulnerabilities are disclosed publicly. Such a move could inadvertently expose software to more risks.
-
Zero-Days and the CRA: Zero-day vulnerabilities are software vulnerabilities unknown to those who should be interested in mitigating them. If the CRA mandates immediate disclosure of vulnerabilities without allowing time for a fix, it could lead to an increase in zero-day exploits. Attackers would have information about vulnerabilities before patches are available, giving them a significant advantage.
-
Compliance Overload: The CRA could impose a heavy compliance burden on open-source developers, especially those working on critical products. Many open-source projects operate without the financial or legal resources to navigate complex regulatory landscapes. The potential legal risks could deter developers from contributing to open-source projects.
Conclusion
While the CRA's intentions are noble, its potential impact on the open-source community could be detrimental. The open-source ecosystem thrives on collaboration, innovation, and shared responsibility. Imposing stringent regulations without considering the unique dynamics of this community could stifle innovation and hinder global collaboration. It's crucial to strike a balance that ensures cybersecurity without compromising the spirit of open source.
On a personal note, this article was in part inspired by the NHS Doctors Strike in the UK this week. It’s made me reflect very deeply on how much harm can come from putting too much burden, with too little support, on people in critical services.
More Resources to Understand #FixTheCRA:
[DevOps] [Linux Foundation] [[Digital Strategy EC](https://https://[Digital Strategy EC)] [TechCrunch]
Title Image developed by deepai.org, inspired by this article’s title words.