February 19, 2024 By Mark Stone 3 min read

Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents.

While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new legislation that specifically addresses cyber resilience?

The European Union’s recent amendment to the Cyber Resilience Act (CRA) has sent ripples through the tech world. The legislation was proposed in September 2022 and achieved political agreement with a controversial amendment in December 2023. The act aims to bolster cybersecurity across the EU but has taken an unexpected swerve by redefining the very essence of open-source software.

The amendment redefines open-source software, which could signal a paradigm shift in how open-source software is developed, shared and perceived in the European digital landscape.

The tech industry’s reaction has been an unholy recipe of cautious optimism mixed with apprehensive scrutiny, reflecting the diverse implications for open-source developers and the broader software ecosystem.

By exploring the layers of the CRA’s latest amendment, we can focus on its impact on the open-source community, the industry’s reaction so far and the journey of open-source software through the legislative labyrinth of the CRA.

The amendment and its implications

The CRA has recently undergone significant amendments, particularly concerning the definition and handling of open-source software. The amendment states, “Free and open-source software is understood as software the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable.”

This redefinition has sparked a debate within the tech community, raising questions about its alignment with the traditional understanding of open source.

A mixed bag of industry reactions

The tech industry’s response to this amendment has been varied. On one hand, organizations like the Python Software Foundation have expressed relief. The final text of the CRA introduces the concept of an “open source steward,” which seems to acknowledge the unique nature of open-source software development. On the other hand, there is still significant concern about the broad implications of this redefinition and how it aligns with the realities of open-source development.

Impact on open-source developers

For open-source developers, the CRA’s amendments could mean navigating a new landscape of legal responsibilities and definitions. The act shifts a significant portion of the security burden onto software developers, which could be challenging for those in the open-source community. The notion of an “open source steward” is new in European law — and its practical implementation remains to be seen.

The open-source journey in the CRA

The journey of open-source software through the iterations of the CRA has been rather complicated. Initially, there was apprehension surrounding the potential legal responsibilities that could be imposed on open-source developers, especially in terms of security issues in products built using open-source components.

The final text of the CRA seems to have addressed some of these concerns by exempting non-profit open-source contributors from certain obligations, provided they do not engage in “commercial activity.” However, this exemption has its own ambiguities, especially regarding the definition of commercial activity.

Stepping forward with caution

The CRA’s latest amendment represents a significant step in recognizing the unique nature of open-source software within European law. However, the open-source community remains cautious. The redefinition of open-source software in the CRA and the introduction of the “open source steward” concept require careful monitoring to ensure they align with the intent and practicalities of open-source development. As the CRA moves towards finalization, the open-source community’s input will be crucial in shaping a law that supports and understands the nuances of open-source software development.
