EU’s Cyber Resilience Act would benefit from US’ open source approach
The EU is said to be “shooting itself in the foot” if current proposals are passed into law
The European Union (EU) should consider replicating the US government’s approach to open source software regulation with its Cyber Resilience Act (CRA), according to a leading expert.
Speaking to ITPro at KubeCon 2023, Gabriele Columbro, general manager for the Linux Foundation in Europe, said the CRA’s current iteration would “change the entire community dynamic” and hamper European businesses.
An open letter signed this week by major industry organizations, including Linux Foundation Europe, said the proposal in its current form will have a “chilling effect” on open source software development.
Under the current iteration, open source developers themselves would be held liable for vulnerabilities in software.
By contrast, the US government’s National Cybersecurity Strategy, unveiled in March this year, shifted liability onto commercial software vendors and explicitly excluded open source software developers and projects.
The decision was hailed at the time as a highly positive move from the Biden administration.
Columbro warned that the EU’s current approach could have a significant impact on the European open source community if the bill were to pass in its current form.
“I think this will have an impact at multiple levels,” he said. “The one I’m worried about the most is what this will mean for our contributors. I think the Linux Foundation and others will feel an impact, but we’re maybe better positioned than others to address those.”
“In the worst-case scenario, individual contributors could be worried that they’ll be slapped with lawsuits and eventually just decide not to put a project in the open.”
Columbro noted that the inclusion of liability for open source projects appears “idiosyncratic”, given that Europe actively benefits from open source projects and software.
Millions of businesses spread across 27 member states rely on open source software, which is developed and maintained by a dedicated pan-continental community.
“The entire community dynamic will change,” he said. “And this would primarily hamper Europe. Because outside of Europe, open source innovation will continue - will GitHub have to block open source downloads from inside Europe?”
“Europe bets a lot on open source, but with this it shoots itself in the foot.”
The CRA’s wider failings
Columbro noted that the EU’s approach to open source software, which appears to have been influenced by the Log4Shell incident, differs from the US approach in several respects, not least with regard to national security concerns.
In the wake of Log4Shell, the White House actively sought to engage with software vendors and open source communities such as the Linux Foundation to plan its future approach and mitigate potential supply chain risks.
But this was from a national security perspective, he added. The US government has a national security mandate while the EU does not, instead delegating national security to individual member states.
This creates something of a headache for the Linux Foundation and other communities, he said, which now face engaging with multiple governments across the union rather than a single national counterpart.
“The reason the US was so quick in the wake of Log4Shell to bring together the Linux Foundation, Apache Software Foundation, and all the major tech vendors to discuss the response was, of course, from the angle of securing their critical infrastructure and national security.”
“That’s because the federal government in the US has a national security mandate. The EU doesn’t have a national security mandate, that is delegated to individual sovereign states.
“That is a completely different approach that we need to take as an open source community to work with the 27 member states. But that’s a more humongous approach.”
Positive engagement
Columbro’s comments follow the open letter’s publication and he is confident that this could spark a positive discussion - and outcome - about CRA-related concerns.
“The intent of the open letter was to offer up a global, broad consensus with deep experience in this world as foundations,” he said.
“It was really to let the European Union know that we can work together with each other and we want to create an ongoing dialogue and offer up a conversation to help refine [the act].”
“I do think, ultimately, that there is definitely willingness from the EU to improve. I am positive that there is going to be a positive outcome to the CRA,” he added.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.