FOSS could be an unintended victim of EU crusade to make software more secure The European Union has a commendable love for the safety of its citizens. Armed with the keys to a market of 300 million of the world's richest consumers, the EU has merely to scent danger to bravely regulate. Food, consumer goods, financial markets and data processing: if it can bite the punter, the EU has a legal muzzle to …
This could get messy to implement.... For example, if I understand it correctly, in the context of open source smart homes, at first glance, Home Assistant wouldn't have to comply, because it's free and open source, but Home Assistant's cloud based remote access (Nabu Casa) would have to comply, because you have to pay for it.
However, the ability to communicate with Home Assistant Cloud is built in as standard, just not used unless you buy a subscription, so that might mean that Home Assistant has to comply after all...
I'm not sure how it applies to Fedora either. Red Hat makes Fedora which is FOSS, but then turns it into RHEL which is commercial. So would the regulation exemption for FOSS apply to Fedora or would the fact that it's used to make RHEL mean it's ineligible? Maybe Red Hat changes enough to make them distinct but who makes that call?
RHEL and Fedora are quite different. Yes, RHEL is based on Fedora, but it's based in the same way that Fedora's kernel is based on Linus' kernel: there are quite a few changes made to it. Sometimes RHEL is more conservative in what it ships (package versions), sometimes Fedora is more resistant to change (like accepting SHA-1 signatures).
Disclaimer: I work at Red Hat
Because this legislation will have one of two outcomes:
#1 Ways will be found to implement verification of secure software, with minimal disruption. A new software security audit standard will be developed defining “what actually is secure software”, that can be verified at reasonable cost, likely partially with an automated tool to identify the top 90% of security bugs. Which miraculously doesn’t throw up 100:1 Noise to Signal ratio like every other tool. While not perfect, this security audit will spot 95%+ of security issues.
In this case, not only will “the U.K.” adopt this standard spontaneously. But, most managements in every country in the world, will make a right nuisance of themselves demanding their developers run this new standard security audit, and fix all the warnings before Release. Like they do with Black Duck today. Legislation would be unnecessary if this *really* worked, because this is the holy grail.
#2 The legislation will be vague but pompous. Tens or of thousands of jobs will be created in the EU for code-reviewers and pen-testers, creating a $30bn software audit industry within the EU. The Commission will trumpet this as high-quality job creation, rather than as a $30bn cost to industry. The actual people doing the audit work will be allocated ten days to spot issues on a codebase of half a million lines they’ve never seen before. They will discover “a few issues” to justify their salary, mostly simple ones like buffer-overflow and “failed to hash passwords”. But they only identify 1% of the real security problems present. Therefore, only 1% of the actual benefit is achieved, that the Commission assume in their cost-benefit analysis. Because security is Hard, and it’s even harder for developers who don’t know the codebase inside and out. Instead, a new rentier class of software auditors is created. What incentive do they have to find more issues than fit in a few pages? Presumably the audit company is not liable, if the software is later penetrated by a bug they failed to spot?
Which of these two views of the future do you see?
> Legislation would be unnecessary if this *really* worked, because this is the holy grail.
How many projects (both open source and not) actually measure the quality of the test coverage they have?
And let me repeat: measure not even strive to improve, just measure. Stuff like path coverage, mutation score? Few and far in between.
Stuff that's already well known and proven to reduce defects in software. Stuff that's already legally mandated for safety critical software (in avionics or systems like ABS in cars).
But, as the Fine Article states, eliminating bugs reduces the cost of the use of the software (which is external to the developer), not the development cost (which is internal).
So, what will happen, is that EU users will be forced to pay more upfront for higher quality software, while UK users will continue to use subpar software (because it is cheaper) and suffer the consequences (because the PII data leaks get a slap on the wrist for the corporations that actually are responsible for them, so the cost is external to them too).
“users will be forced to pay more upfront for higher quality software” If that were the actual result, then I agree there’s a lot to be said for it. But I remain to be convinced, because we have no detail on the standard imposed, and therefore either how much “quality” vs how much cost.
I’m interpreting that you want something like DO178C level C, with security. The cost of that is many times the base cost of the software. It’s easy to say you are happy to pay until you actually are asked to pay it. A LibreOffice clone, license cost $1000 annually? Because that is what it would take. Alternatively, I suspect what you will actually get is security-theatre, with lots of box-ticking audits, but little real security benefit. Then, anything is too expensive, because the value is zero. Perhaps there is a happy medium. I’ve never seen it happen, and it’s up to them to prove that unicorn exists.
As I say, if this unicorn does exist, we will soon know it. Within a year of rollout, data breaches in the EU should fall massively. Data breaches are so common, that it’s going to be really, really obvious if this works in practice. Good luck, we’ll watch EU experiment with EU consumers money, and if it works we will do it too, and if it doesn’t, we won’t.
#3 - somewhere deep in MSFT a PEng has "signed off" on Azure, just like CE/ISO9001 or any other pointless certification soup you can use this safe in the knowledge that it is "certified" and nobody can blame you.
As soon as you decide to have your own Linux box inside your organisation you have to prove you have had a suitably certified professional go through every line of the Linux kernel and sworn that it is safe.
The Scottish and Welsh assemblies are staffed only by politicians pure in spirit to the one goal of independence and so are above such worldly matters as corruption and incompetence.
the Northern Irish assembly politicians have reached such a state of political nirvana that they are above even assembling
Not this one again.
The EU parliament amends legislation far more often than the House of Commons. It is extremely rare for HMG not to get its way due to the hopeless intermingling of executive and legislative functions in the Commons and the power this gives to the party whips.
As for corruption, pot, meet kettle.
Of course, if the European Parliament really were just a rubber stamp then the opportunities for corruption would be minimal. No one hands over a brown envelope stuffed with cash to a rubber stamper.
-A.
Indeed, the opportunities for corruption to MEPs *are* minimal, your conclusion about brown envelopes and rubber stampers is spot-on.
When I was in that game as a senior program manager, the annual lobbying budget I was personally responsible for towards EU Commission was over €20M. Our budget for European Parliament was zero. To my recollection, I never had a single conversation with anyone anywhere in the company about EP. They simply don’t matter.
Try this: first, who is the president of Commission? Second, which political group is the largest in Parliament, what are their distinguishing policies, who are they allied with, and *what is the name of their leader*? When GPs test for dementia, not knowing the name of your Prime Minister counts a point against you. And yet barely a sprinkling of *educated, politically engaged* europhiles on this forum can tell you the name of the leader of the main party in EP, or even the name of the MEP they voted for.
I think the questions in your final paragraph are somewhat moot since the UK is no longer a member. I can answer them, but then I'm still resident in an EU country. Let me pose a contra-question: can you name a single piece of legislation passed by the UK Parliament which was initiated by an ordinary member rather than the government? They are vanishingly rare.
As for not mattering, well, that's a view.
The Parliament scrutinises legislation and has formal powers to amend or reject it. It is not the function of the Parliament to initiate legislation. This is called separation of powers, and is widely regarded as A Good Thing. Informally, however, MEPs are free to suggest legislation to commissioners, and this happens quite often.
The Parliament can also sack the entire Commission. This is not merely theoretical; it has happened.
-A.
This is not merely theoretical; it has happened.
Not that I remember. The problem is that it's an all or nothing model, the parliament can't remove individual members, it only has the nuclear option of dismissing the whole commission, which protects the commission members. Out of 8 motions of censure, none was ever adopted by the parliament.
The closest they came was in 1999 when the notoriously corrupt commission led by Jacques Santer resigned en masse, ahead of a probable sacking. Edith Cresson was the real bad apple (she famously appointed her dentist as an HIV advisor, despite him knowing nothing of the subject), and the French refused to recall her. She still gets her EU pension.
This is sophistry.
Not at all, nothing I posted was false or deceptive.
Do you deny that Liz Truss was sacked by the parliamentary Conservative party?
Now that is sophistry. The parliamentarty party cannot sack the PM, only the King has that authority. At most the party can make the PM's position untenable, so that (s)he decides to resign (as they did to Truss and her two predecessors), but sacking simply isn't possible.
Having legislation proposed only by the bureaucracy, is not widely regarded as A Good Thing. It is fundamentally anti-democratic. Name any other democracy than the EU which does that? Democracies like India, Pakistan, Australia, Japan, Canada, Uruguay, even Brazil and *Russia* manage these basics. I’ve left USA off the list, because it is an automatic hate-trigger in most of the EU, but they too have “separation of powers” which does *not* include that only career bureaucracy can propose legislation. I find it ironic that you quote “separation of powers” being a Pro of the European system, given that most European countries have politically appointed judiciaries, whereas we pride ourselves on professional independent judiciary, even at the highest level.
I simply don’t believe your claim that you can name your EP political group and leader, otherwise you would have done so.
I’ve no idea why you think that Private Members Bills are a necessary precondition of democracy, since in the U.K. the government is *directly elected*. But nor are they lacking in the U.K. While not common, there are plenty of examples where they are used, to good effect, often on moral issues that stand outside party politics or “day-to-day living” stuff. Some that spring to mind include Human Embryology authority, raising of age of consent for marriage to 18, dangerous dogs.
You can define anyone who works in an office as a "bureaucrat", if you like, but the commissioners are political appointees, selected by the sovereign and democratic governments of the member states.
Those member states could easily choose to put their commissioners to election if they so wished. They don't, because they don't want there to be an alternative pole of governance with similar or greater democratic legitimacy to their own governments. The EU has to go along with this because it is a treaty-based club of its members, and not a superstate.
You can believe what you like about what I know about my MEPs. Frankly I don't give a shit.
The point about what you choose to characterise as "private members bills" is that the UK legislature is a much more of a "rubber stamp" than the EU Parliament.
In the UK the government is *NOT* in the slightest way directly elected. The members of Parliament are directly elected; the Prime Minister and all of the cabinet and all of the rest of the payroll vote are appointed by whichever party happened to get the largest number of seats, even if without a majority of the popular vote.
Not a single UK citizen voted for Liz Truss to be PM. Or Sunak.
-A.
Every single statement you made is factually incorrect. TLDR; Facts Matter. I actually do understand this system works, because I did this for a living for over a decade,
Among your most basic misunderstandings of the EU, is that the EU Commission consists of Commissioners. It doesn’t. And that the Commissioners anyway are selected by sovereign member governments. They aren’t (what even do you think is the definition of a “National government”? How could that possibly work? Belgium didn’t have a government for nearly two years, you think they didn’t have a Commissioner?). Or that National governments would have the unilateral and sovereign power to change the way that “their” Commissioner is selected. They don’t, see MEP Buzek’s proposal, which would have been unnecessary, had your inspired guesswork about what the Treaty might contain been true.
U.K. government isn’t equal to our PM. And the UK cabinet is appointed by PM. And in fact *the PM* isn’t appointed by the party either, even if it looks that way to you who fails to understand the system. The party appoints their party leader, that’s all. PM can be anyone who commands the confidence of the House of Commons: which can be (and has been) the leader of a minority party, or not a party leader at all, or even not a member of the House of Commons at all. It’s actually only Party rules of Conservative and Labour that their leader must be an MP, while Liberal Democrats (the supreme Europhile party) don’t have that rule, and have had leaders who weren’t MPs. And that’s not even some abstract point of law: there was a significant period after Liz Truss had been voted Tory party leader when she wasn’t PM and it really looked as if she actually wouldn’t be.
And I don’t characterise anything as Private Members Bills, that’s the literal formal name in Hansard.
Private members bills are a necessary because we live in a representative democracy, where, as the phrase suggests, our elected members of Parliament are meant to represent the views and wishes of their constituents.
Glad to be abe to enlighten you on one of the finer points of UK democracy.
Also, Parliament decided who the current President of Commission should be, via the pre-determined SpitzenKandidat procedure. Commission disagreed, installed their choice dev Leyen, gave Parliament no alternatives, and told Parliament “it’s either her, or no Commission. If no Commission Parliament gets dissolved too, your move”. Parliament backed down, as always do, and “voted” her in.
That’s not democracy. That’s just a coup.
I will help you, since you can’t answer. The largest political group in the Parliament is the EPP. They represent the “government” of Parliament. I reproduce below their recent official statement about the EU Industrial Plan, a major plank of government policy:
“ With today's plan, the European Commission initiates the beginning of its own end…… The Commission is unable to stop its regulation-centred machinery. This is evident in the overly descriptive, non-technology neutral approach to hydrogen, which will destroy any EU competitiveness compared to the US and China. With the Industrial Emissions Directive, the Commission is yet again strangling our industry to near-death, eliminating investment incentives in Europe for large corporations, but also for small and medium sized enterprises. While the Commission now tries to solve the Deal part of the European Green Deal, we are still missing the second pillar: the digital transition. Underfinancing of research and innovation in Europe and in European industry itself remains also unmentioned. We need greater support for research and innovation in Europe, this also needs to be part of the deal"
None of this sounds a *government* speaking, does it? Like a group in *control* of policy? It sounds like a minor player, raging at the dying of the light in the corner, entirely ineffectual and ignored, but putting in a plea at the end for some scraps from the emperor’s table. Which is exactly what it is. This is the *controlling* group of Parliament, and has been in control for over twenty years. Imagine how little power anybody else has.
https://www.eppgroup.eu/newsroom/news/eu-industrial-plan-is-too-late-too-little
My post proves that: a) EU Parliament has zero power against Commission, which you denied, b) At best you were “mistaken” as to how the EU system works c) When called on the facts, sourced by EU Parliament itself, rather than just admit that you needed to re-assess your assumption and claim, you just start shouting abuse because you were arguing in bad faith.
This is what always happens when you confront the EU liars with the facts. I’m not trying to convince *you*, because you never believed what you were saying anyway. You were just flag-waving whatever you think is in your self-interest, to get whatever grant or position preferment you are seeking. I’m posting so that your lies are exposed, contradicted by sourced facts, so that others don’t get sucked into your vortex.
It's time to get it out of the hands of markets, which have utterly failed to provide the proper incentives. (That includes FOSS, which also has markets, even if it's "free" in the rights and/or money sense. People elect to use FOSS after some calculation based on costs and rewards.) That is the actual problem.
In most software sectors, devoting appropriate resources to security makes you non-competitive, because buyers (or adopters, for free-in-money software) don't prioritize it sufficiently, and competitors who don't devote those resources to security can undercut or outpace you.
The alternative to markets is regulation. But regulation is rife with revenge effects, so it often needs to be introduced carefully and gradually. It needs a nimble administrator with sufficient authority to amend and except as necessary, an appeals process, reviews of effectiveness. It needs a good general framework with explicit usable legal tests, and specifics within that framework so businesses can adequately estimate cost and develop conforming procedures.
My impression of the CRA from this article – I haven't had an opportunity to look at it in depth, and I have no voice in the matter anyway – is that it fails to meet these criteria. The four areas are poorly defined ("improving the security"? "customers can use products securely"?), underspecified ("coherent cybersecurity framework"), and/or difficult to standardize, with the possible exception of the "transparency" one, which could just be another variant on the "report any X to Y within Z time". And how is "best practice" defined? It's over-broad; the approach needs to be tested in narrower categories first. It's not clear how it will be administered, and how cumbersome that bureaucracy will be.
Security regulation can pay off, producing more reward than cost. I'm cautiously optimistic about the growing demand for SBOMs, for example, as much trouble as they are for vendors. (At the very least, they increase the cost of using third-party components, so they discourage the "I'll just look for something I can throw in as Yet Another dependency" behavior.) Something like FIPS 140 may have ultimately been a benefit or at least broken even, but I'm not convinced; it's imposed a large cost that also prevents software from using established, superior mechanisms like Ed25519. Password-strength regulations? Pretty much nope.
We need to get actual cybersecurity testing straightened out first...I've messed around with quite a few "pentesters" in my time and it is vanishingly rare to find a pentester that actually knows their shit and doesn't just parrot from an automatically generated report.
One of my favourite past times is putting devices on the network for pentesters to find that are impossible...such as PCs running Windows 2000 by Sonos. The sheer number of times I've had people tell me that "you should really upgrade those Sonos PCs, Windows 2000 is massively out of date" is insane. I've even been known to place fake SNMP endpoints on the network with barking mad information on them to see if pentesters actually read the information...like the fake HP printer that advertises that it has 1,024 trays and 4TB of RAM with supported resolutions up to 20,000 dpi and a firmware date in the distant future that is managed by "Chief O'Brien".
For those interested in how you do this, you just need to add a bunch of fixed Mac addresses to the ARP cache in a switch or just use an ARP spoofing tool to broadcast to the network periodically (the vendor string for Sonos is 54-2A-1B) and to mess with fingerprinting you just need a device like a Raspberry Pi or something that can run Linux and use "macchanger"...to ensure they fingerprint as Windows 2000 or your operating system of choice, just spawn a bunch of netcat open ports that would normally see on a Windows 2000 desktop and have them respond with fake headers/banners and adjust your network parameters such as TTL to match your operating system of choice...most fingerprinting tools use TTL and other network parameters to fingerprint a device and lazy pentesters won't properly read the results...
If you decide to have fun with pentesters, the best part is where they warn you about your "print server" that has Telnet enabled with no password called "Terok Nor" managed by "Chief O'Brien" which is located next to "Quark's Bar".
Typically if these things are dropped into the meeting in a nonchalant manner, I'm not sure whether I should be more upset that they can't see the joke or that the pentester has never seen DS9.
There is a whole subfield of cybersecurity that goes a lot wider and deeper than this - Deception Technologies.
You can deploy whole fake but utterly believable networks of totally fake "assets" using minimal resources. Then arrange a Red Team exercise and have fun reading their report (or watch them in real time if you can). If you tell them deception has been deployed in advance they'll start running from their own shadow.
Oh man, if I could make a living being a pain in the ass for red teams, I'd do it in a heartbeat. Pentesting has become such a cliche at the bottom end of the market. It's almost paint by numbers because of the kind of training these people get. It's so laughably cloned, you can detect pentesters a mile away...and I don't just mean that RGB covered van that's in the car park pumping out extra loud dubstep that you've never seen in the car park before that says "pwn mobile" or "hack the planet" on the side of it.
I recall with some amusement the pen testers who called out my DNS servers.
"Here's a list of vulnerabilities for your DNS servers "
'Are you sure that's valid'
"Definitely, that's the vulnerability list for BIND 4.9"
'Why do you think they're running BIND 4.9'
"That's what they reported to our software"
'You surely didn't believe them did you?'
This.
My Google Pixel 7 Pro has a Bluetooth name of "Nokia 3210" and the number of times people have scanned it and look confused is incredible.
"Do people still use those?"
I'm still waiting for the one smart person that comes to me and says "That's weird, they didn't even have Bluetooth!".
Computer says b0rked! Modern pentesting in a nutshell.
1. Run a scan.
2. Grab the banners.
3. Do a lookup on a vulnerability database.
4. Print the list.
5. I can haz money plz?
I always like to point out that this isn't a pentest, this is a vulnerability scan...a pentest actually involves *testing* the vulnerabilities...because even though something has a known vulnerability, it doesn't mean it is actually vulnerable...it's possible to be aware of a vulnerability and mitigate it...in fact, mitigation to reduce risk is one of the things you're supposed to learn when you qualify as a cybersecurity expert...because updating to the latest version of something isn't always possible, so to reduce risk we implement mitigations...i.e. putting something behind a proxy or WAF, disabling vulnerable features, restricting access etc etc etc.
The current one size fits all "just patch everything and put MFA everywhere" policy is absolute fucking bollocks. It's like asking someone to knock their house down and rebuild it because the locks are fucked. It's absolutely nuts.
I'm eagerly awaiting the first pentester that comes to me and suggests getting armoured and shielded cable in case someone tries to eavesdrop (through concrete and 18 feet of earth) using a Van Eck phreaking device..."it could happen mate, I'm just here to tell you the risks".
I'm also eagerly awaiting a pentester that provides a proper risk assessment with their list of vulnerabilities as well...because not one of the pentesters I've met has successfully managed to quantify a risk and therefore stop the CEO absolutely shitting himself...despite risks being incredibly remote.
"We're not here to make you look bad!"
Yeah, I know that...you're here to sell shit to the CEO on a three year contract with a support bolt on, that you know full well that he's going to tell me to turn off within 3 days because it's "getting on his tits" and you'll never have to support it...then in three years, it'll be automatically renewed because nobody can remember why the fuck it's there in the first place.
You missed step 6 ...
Manglement accepts their list without question, gives it to the IT team, and expects every single item to be fixed. Never mind if there are items there that aren't supported by the OS (at the time, SCO OpenServer didn't have the ability to lock an account after n failed logins) or if you know the fix will cause problems (locking a "terminal" line isn't useful if it's a virtual line used on a first-come-first-served basis by all telnet users - thus causing random login failures anywhere in the business when it gets locked). I've also seen "this shouldn't be there" kind of entries - but actually it's something essential for the workings of "something the auditors haven't heard of"). OK, this was a long time ago, but I don't suppose anything has changed.
I'm ignoring the FOSS/prop problem, in fact I'll stay clear of the whole load of snake-filled pits involved with this kind of legislation. But the overall impact will be one of increased profits for the corporates, and almost 100% likely a PITA for consumers.
The Corp$ WIll Benefit
...cost some €29 billion, but with €180-290 billion saved...
When advertising for tobacco was outlawed in the UK sales of baccy did not fall. Marketing spend did though. So the corps benefited, hugely. No single tobacco company would have benefited from going-it alone and dropping marketing spend, they would probably have lost market share. Forcing all $Corps to comply will mean they can all shift their pricing without breaking market positioning. For a larger profit margin, ofc.
Short term outlook: increased revenue for the corporates; for the consumer, every app has "We use cookies" plastered all over it.
I would suggest your comparison to tobacco advertising is flawed.
WHO estimates the removal of advertising and marketing resulted in a 7% decline in tobacco consumption in European countries where the bans were in-place and resulted in significantly lower numbers of new smokers.
From numbers released by tobacco companies, the marketing and advertising budgets were still being spent but on initiatives to help sellers versus advertising targeting consumers (i.e. smoking areas/smoking "gardens" in pubs and bars).
And the bans paved the way for tougher anti-smoking legislation as opinion wasn't being swayed by consumer focussed advertising.
Unfortunately, almost none of the issues with cyber security overlap with tobacco - cheap (relative to cost of manufacturing), poorly supported IoT/similar low cost devices (versus hugely profitable tobacco where even with huge taxes on products, tobacco manufacturers made billions) means vendors have even more reason to disappear while offering no support. And a "replace rather than fix" policy would eventually come into conflict with other EU policies around environmental issues.
My suspicion is that the "€180-290 billion saved" figure won't come from manufacturers if end users (companies rather than individuals - per incident cost for individuals likely don't pay for support or carry out maintenance for a variety of reasons from stability to system validation to poor practice (amongst others).
The "market" approach seems to be cyber insurance but it's immature at present based on spiralling costs and how it is implemented/paid out. I suspect it will arrive at a workable solution long before the manufacturer regulation approach without making products unviable in the EU
(That's not meant as a general "regulation" vs "free market" opinion, just a criticism of attempting to regulate an area that is poorly understood and I'm sure regulations will become a part of this in coming decades as viable paths appear)
I totally agree that as an analogy it'll be flawed somewhere. Regarding impact on tobacco I was pointing out an immediate (short term) effect, while you are (quite correctly) using accrued data, ie. hindsight. As, I'm sure, will be shown with CRA by your follow up: And the bans paved the way for tougher anti-smoking cyber legislation...
Hopefully they'll not go into a knee jerking circle.
As for the insurance angle, well, the underwriters will be wringing their grubby mittens for a legislation "must be insewered against cyber rapscallions" akin to motor insurance!
Banning advertising is very profitable, you don't have to pay for advertising because all you need to do is send spam.
These days spam is everywhere all the time, I wonder if an EU reconfiguration might stop spam - if spam could be totally eliminated in Europe by new regulations and email organization then I wonder if all the Brexiters would suddenly reverse?
I know this sounds like a joke but I would be so extremely happy if I didn't get spam every day!
Then there must be some people cooking with it, insulating with it, or smoking like unfashionable chimneys.
Because there are substantially fewer people smoking, fewer smoking so much, and fewer dying of several of thd conditions caused, exacerbated, or contributed to by smoking.
tl;DR: Balls!
I'm reminded of a TV series many moons ago 'misleading cases'. On one occasion it revolved around an individual being hit by a company's blanket policy. In the judges summing up he says "Blanket policies are applied to blankets. This is not a blanket - case dismissed".
I can see, and agree with what the overall objective is, but this needs a lot more thought.
P.S
I also have a (very small) dog in this fight. I'm one of a very small team developing a FLOSS soft-synth.
The problem isn't with companies using FOSS. The problem is with companies using FOSS without examining and auditing the code, and without pushing fixes back to the community.
The result is a mess, as we have seen time and time again. Someone in their spare time put together some useful gadget (for example, a logger) and many companies with vast development budgets (compared to the original author, anyway) took the code uncritically and baked it into, well, pretty much everything.
Legislation like this will (hopefully) force the people developing software that powers the things we own to examine and audit FOSS code, and (hopefully) the FOSS licenses will force them to push back bugfixes.
So that means
1) the commercial users of FOSS will be forced to pull their weight
2) the code the poor user gets will be less hopelessly insecure
Honestly, I cannot see why this is anything other than a good thing.
No, they will not drop FOSS, because of the costs involved in developing all software in-house.
Instead the sort of commercial user you are describing will get their FOSS from someone who can offer that legal throat, most likely along with a support contract. Companies like Red Hat and Canonical are already offering these services.
The effect of legislation like this will increase the market share of Red Hat, for example, but will also encourage Red Hat to audit and fix the software they offer.
In a world where software is ubiquitous, the improvement in quality will be a good thing.
Microsoft concerned industry bodies tried this 20years ago with a proposal that you could only use software signed off by a professional engineer - for safety.
So you could use Windows ME and VB since somebody at MSFT had ticked a box, but not that Linux stuff that wasn't safe.
Reading the first lines of your article I assumed satire? Reading the rest of the article you seem to have a gushing love for dropping trow and grabbing ankles for the EU, but they are now looking to interfere with something you care about
"The principle of regulating digital products to make vendors take responsibility for cybersecurity is excellent but it demands proportionality"
Governments are not very good at the proportionality bit. Government cannot account for everything and thats assuming smart people with perfect information, far from reality.
I make bespoke MES software for industrial plants. I'm fairly sure the type of programs I make are going to fall under the strictest guidelines, requiring third-party certification. I don't directly move tons of screaming metal, but I'm closer than most.
On one side, I'm nervous about this, because it would mean that I have to invest a lot of time and effort in securing everything and getting it certified. So far, I haven't done it, because no customer is willing to pay for it, and I can't get undercut by competitors - not by that much. I already charge high fees riding on a good reputation, but there are limits to that.
On the other, I'm giddy about this, because it would mean that finally I could invest the proper time and effort in securing everything, and get paid for it. Because most of my competition would just implode. They're mostly tiny businesses run by cowboys. Mind ya, that goes for me too, but at least I know I would be capable of securing my stuff if I could just get paid for it. Lots of them get their software done by an electrician. Good luck securing that.
On the other other hand, I'm nervous again, because another way this could fall is that some of the really big companies decides to eat my niche. I guess that in that case I'll either try to make mad money while they gather steam and retire early before they crush me, or get them to hire me.
In all cases, this is a potential earthquake. Unnerving.
the strictest guidelines, requiring third-party certification
I wouldn't bet on the final regulations actually requiring 3rd-party certification. They say that "to be allowed on the EU market, manufacturers have to demonstrate they follow best practice...", so in all likelihood that will end up like the fairly useless "CE mark", where manufacturers are simply allowed to self-certify compliance. Rather like ISO9001 certification, a manufacturer will need to set up a department (yourself for a one-man show) with lots of pretty documentation saying what they do, put someone with CISSP certification in charge (yourself again), and be prepared to bullshit the auditors when they occasionally show up. Best-case it might make the developers a little more aware of potential problems, but since you already are...
Moi, cynical?
I haven't read the entire proposal, but I did skim it. If you're making office stuff, you can self-certify and that's probably meaningless... but for "critical" applications, it does explicitly require 3rd party certification. The list of "critical" applications is quite extensive. All OSes, all networking, anything that controls sensitive data, anything that controls systems that could harm someone, and more. SCADA software is in it. MES software isn't, but it's often a fuzzy distinction.
Chances are that we'll end up with a florid economy of certificators who just take their fee, look for the bare minimum, and stamp, but that's still going to add to costs. Especially depending on what the bare minimum turns out to be. If the certificators can get a share of liability in case of accidents, it could get interesting.
I got this comment by 'thegarbz' on Slashdot
How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?The EU proposes to function the way it always has by publishing a piece of legislation you just commented on without reading. I invite you to absorb clause 10:(10) In order not to hamper innovation or research, free and open-source software
developed or supplied outside the course of a commercial activity should not be
covered by this Regulation. This is in particular the case for software, including its
source code and modified versions, that is openly shared and freely accessible, usable,
modifiable and redistributable. In the context of software, a commercial activity might
be characterized not only by charging a price for a product, but also by charging a
price for technical support services, by providing a software platform through which
the manufacturer monetises other services, or by the use of personal data for reasons
other than exclusively for improving the security, compatibility or interoperability of
the software.
So, a big nothingburger. Poor ol' Redhat will need to meet the requirements when they sell their product or services, but your free functioning open source dependent internet will keep on internetting along just fine.
The devil, surely, is in the details: but it looks like the intention is that 'commercial activity' benefiting from free open-source software is required to get certification. That would leave a lot of grey area in defining 'commercial activity' and indeed how 'free and open-source software' is defined.
Like many, I think that encouraging requiring those that benefit commercially from FLOSS to contribute to FLOSS would be a good thing, and help to avoid xkcd:2347
It depends how far down the rabbit hole they go with "commercial use". What worries me is the possibility that even a "buy me a beer" button or "contribute to our server costs" will count as commercial use. That would shut a lot of good projects down.
So what do the likes of MS do? Their windows OS Anna’s built in software like Internet Explorer (in whatever incarnation) has had more security vulnerabilities that anyone can count - must be in the multiple hundreds of thousands by now!
How could MS possibly claim this software to be secure?
I’m really nut just having a go at MS here - honest I’m not - it’s just the most obvious example
>How could MS possibly claim this software to be secure?
That's the beauty of this sort of security. Microsoft don't have to actually make the software secure. They simply have to have a process which can be audited to show they are following the processes - and anybody who can't afford to have an audited process isn't allowed to compete anymore.
Oh dear: "doesn't stop innovation" is about the lowest possible bar you could set - let me guess the tone of the rest of the article.
This opinion piece goes out of its way to make clear it doesn't like "libertarians" (hey, I guessed right!).. and then goes on to make exactly the argument that many such people make: that over regulation, and the unintended consequences of regulation can be disruptive, costly and deeply invasive.
The cost arguments themselves are pretty ridiculous - clearly the numbers the EU has plucked out of the air are nonsense - costs €29 billion (that's a €40 tax on every man, woman and child in Europe) to save €290 billion (is Cyberfraud really costing every one of us €400?). Is this per year? But if we take them at face value, then those pesky libertarians will point out that maybe this is a solved problem - with each company needing to spend €1 to save €10, why do we need incentives? Most companies already pay for public liability insurance, so it's already baked into the system, with not only compensation but also paths to address problems in place, ready to activate without the need for a secondary channel of regulation.
Of course, there are so many problems to consider besides the plight of FOSS developers - consider the burden on small businesses that will certainly not be excluded from such regulation, but will suddenly have to bring in yet more overpaid consultants to 'advise' them on compliance. Small businesses make up a huge proportion of working individuals in Europe, and generate about 50% of our GDP - and for whom an audit/consultation/regulatory fee would amount to a significant proportion of their turnover. That 'paltry' €29 billion cost would not be evenly distributed, despite the likelihood that small businesses contribute a much smaller portion of the cybersecurity harm (mom and pop websites vs. online marketplaces - which do you think has the most risky data?).
So um... well done, you've realised regulation can be a problem, even if only through a very odd lens. There's hope for you yet.
(I won't wait for the downvotes!)
"This opinion piece goes out of its way to make clear it doesn't like "libertarians" (hey, I guessed right!).. and then goes on to make exactly the argument that many such people make: that over regulation, and the unintended consequences of regulation can be disruptive, costly and deeply invasive."
Glad I am not the only one to see this. While a bit excessive my first impression was 'oxymoron or just moron'. He seems to confuse libertarian with anarchist, or that regulation = good, remove regulation = bad and there is no grey area. But at least he seems to be slowly noticing the grey area of balance.
…or will does it require corporations baking FOSS components into commercial products to be a bit more grown up about it and put some investment into making sure it’s properly configured and (where appropriate) regularly updated?
On the face of it I have to say this looks more like the latter than the former. And not before time.
Use Edge and you can stick a Microsoft certified sticker on your wall. Use Chrome or Opera or Brave and you are responsible for employing a properly qualified person to go through millions of lines of code.
Now that we are all using "security certified" Windows and Edge there can be no more malware and there will be no spam or phishing attacks if you are reading email from that Nigerian Prince with MSFT-Edge that has a security certification
If the EU genuinely believes that it would cost €29 billion (just 0.2% of EU GDP) to save €290 billion, why on earth is it spending time on regulation?
Why doesn't it set up a task force to upgrade the cybersecurity of FOSS (a public good) and other software - since it would clearly (a) cost a fraction of it's budget and (b) benefit every single EU citizen?
Because people that benefit from it (users) don't want to pay more for software to get it.
Just like you need regulation to force people to buy cars with catalytic converters so the same people have better air to breathe, you need to force people to buy software developed with good practices so that we don't have a new headline every month about yet another data breach.
You missed my point completely. I'm saying the EU should provide this service for free.
If it saves the population of the EU money (290 billion) - which would otherwise increase GDP (and hence tax into the system), why aren't the EU committing to spend a tiny fraction of that increase themselves to fix the problem?
No cost at all to users of FOSS software - a free service provided by the EU that (according to their own figures) returns an order of magnitude more to the region than it costs to supply.
Note that making this a regulated activity absolutely guarantees the end users will pay for it through one route or another as companies directly claw back the cost of meeting regulatory burden.
It comprised 99 directives.
There were to be 100 but the UK blocked one. It was to prevent pattern parts. If you don't know what a pattern part is, think "this isn't any old radiator hose, this is a reassuringly expensive BMW radiator hose".
I see this measure in exactly the same light. It reserves the market to big players and makes it more difficult for small or new entrants.
It looks like FOSS might be caught in a backwash of a protectionist tendency.
The are large companies that use FOSS to avoid getting locked into monopolistic behaviours. Why else did IBM invest so much money developing the Linux kernel?
Why does the Open Innovation Network exist?
I have no idea how this will pan out but if you think e.g., the diesel emissions scandal was a trifling misstep then you see the natural functioning of the now EU in a different way to me.
In 1957, France, West Germany, Italy, the Netherlands, Belgium, and Luxembourg signed a treaty in Rome which established a common market. Enlargement of the original six to nine countries was established by 99 directives passed into UK law by the European Communities Act 1972 establishing the European Economic Community which through further treaties became first the European Community and then the European Union.
Are we OK now?
The solution is pretty simple, the reliance for a secure system is on the business incorporating the FOSS software, they have to fix it if it is not up to scratch before releasing their product, if the FOSS software itself is insecure then it should not be released for 'retail' use by itself until security issues have been resolved.
If all those companies that include FOSS, like log4J, in their products, where suddenly held accountable for the security of said software, they would then need to provide funds to support said FOSS and get it certificated.
Yes I get complete solutions such as Gimp or Libra Office may struggle, but this would only be in the corporate space where usage is limited anyway.
Instead of thinking this is a bad thing, think of it as an opportunity to get those that have been living off the back of FOSS to actually contribute to the security and support of the product.
I would have thought this should be easy to solve.
If you're making money out of free software then it's your responsibility to check the code and certify that to the best of your knowledge it is fit for the use to which you are putting it.
Otherwise, as you were.
-A.
The difficulty is, if such companies are delivering to the EC, the EC will expect them to carry full liability for every line of code. This means, if a problem is found in an open source module, the company concerned has to undertake to rewrite the module with a proprietary licence (which they must transfer to the EC upon delivery). Few companies want to take on this level of liability/risk.
All the developers using FOSS source code to make their products could band together and pay for audits/maintenance instead of rewriting things. Nothing in the proposal says they have to make bespoke proprietary code, in fact quite the opposite is the case. Companies will all want to be able to tick the boxes for their BOM and point to each other as examples of good apples.
This will have the effect of making FOSS cheaper to use than rolling a bespoke proprietary solution, while also encouraging many eyes (all the companies which would be liable) to keep an eye on the supply chain by vetting each others contributions. Instead of just Google, Microsoft, Red Hat, Apple, Canonical, French/German/Swiss governments and a handful of others paying for audits, you’ll get serial offenders like Sony who are all take, take, take (and who never patch their stuff properly) incentivised to contribute back now too. This is good!
While I'm not against EU regulation, having been involved with it for many years, I can say that the beaurocracy means that lawyers and polticians end up finalising these regulations without thought to the technicalities. I remember when they wanted just one variety of oak trees along European roads.. an ecologically devestating proposal. Also, the Water Framework Directive was fiddled with for so long that there are internal inconsistencies in the legislation.
The regulation applies to the finished product - this means that (FOSS) components themselves do not necessarily have to be compliant. The end product has to be, and, as new threats may appear and be applicable to the product, this regulation stipulates that the manufacturer has the obligation to fix vulnerabilities. If the problem comes from an imported (FOSS) component, the resolution has to come from there. In many FOSS projects, the manufacturer of the end product may be able to commit a corrective suggestion.
In any way, the manufacturer needs to be keen on the risks of using third party components in its product. Are these maintained? Is it stable? Is it trusted? Can it be assessed prior to integration?
Common questions to ask (I would. In fact, I am)
In the end, if the vulnerability cannot be fixed, the product is to removed from the market.
"And FOSS can't be outlawed. To re-engineer infrastructure and applications to exclude it would be unthinkably expensive and undoubtedly vastly destabilizing for cybersecurity resilience."
I was involved in a procurement, made by an international organisation on behalf of the European Commission. One of the requirements demanded by the EC was that no FOSS would be included in any of the deliverables. There were two reasons for this:
- by the end of the project, all deliverables were to be transferred to the EC, to include ALL intellectual property rights and licences;
- the regulator (another EC body) for this system demanded traceability/accountability for all elements of the system and that includes individual software modules.
The prime contractor decided to use FOSS in a particular area, despite protestations form us (their client) and the availability of well known and relatively inexpensive COTS. In an attempt to avoid issues with OS licence contamination, they were engaged in an exercise of identifying "acceptable" licences in older versions of various OS modules. My time time on this project ended with COVID, so I don't know how this is panning out for the prime contractor but I would not be at all surprised if the EC were to reject their deliveries in a few years time.
There are different FOSS - the legit one where responsible people set up companies and use it as strategy while being accountable for their software, and irresponsible one where people post on NPM their hobby projects without any warranty or security guarantees -- and how many businesses depend on random packages that could be re-uploaded with malicious code at any given time? Personal and sensitive data of tens of millions of Europeans is at direct threat to the now well-established ideology that to make a website you need to start a new project and install a 1000 dependencies each of which can contain a payload to gain access to your company's database. It doesn't have to be that way. For those saying "lock your dependencies", the accent is on start the new project where the latest versions will be installed. And even if you audited your direct dependencies, some of them will depend on tildas ie ^1.0.0 which will be pulling the latest version of transitive dependencies and you have no control over it unless you fork the original dep, but then you loose on timely "security patches". The only way is to rewrite everything, or to get it from a legal entity, which currently is not the case.
The proposed legislation is a good step forward to make people wake up and address the fact that software industry has been devastated and instead of stable, honest and fair situation where software companies get their high-quality components from other software companies that specialise in SE and pay real wages, we have this completely utterly unprofessional condition that is on top of being unprotected from supply chain attacks, is incompatible with modern anti-slavery laws. The problem is that individual engineers don't necessarily have the will to do all the paperwork, and don't have the platform to sell their work.- this is why there need to be publishers working with them that deal with it and act as intermediaries between coders and consumers. Like NPM, but where you actually validate code your developers submit, pay them, and also take full legal responsibility. Sure the "ecosystem" of free packages has grown big, but we need to start somewhere. In fact, I already have and let me tell you it's not that difficult if you know what you're doing.
There must be software companies making software, not random dudes writing code in spare time who can upload a virus and nuke everybody's machines based on their political views at will. Open Source should be left to communities without money who want to have fun, while if you want to operate a business working with people's data, please contact your software vendor for all of the required, secure components. While there are already solutions like RedHat that operate that kind of business on infrastructure level as mentioned in the comments, there should also be businesses that operate on devltools/framework/componentry level too within a legal framework and not blind trust. This is where we are heading by 2030.
Variants of government mandated computer security restrictions have been done many times in the past, always with disastrous results.
Superficially it's an attractive concept that boils down to "No Bad Allowed". Who could possibly object?
In the 80's and early 90's, U.S. military product development was restricted to U.S. sourced chips and vetted U.S. developers. This worked very well for awhile, ignoring the laughably insecure code produced as compared to modern standards, because at that time the U.S. was the pinnacle of technological products and the systems were highly isolated. The chip restrictions were lifted later when TPTB (The Powers That Be) could no longer ignore that the rest of the world had caught up and in many cases passed U.S. suppliers.
Nevertheless, high security organizations (use your imagination) continued to insist on using special vetted Operating Systems instead of Commercially available products. This looked really impressive in Org Charts and Departmental measurement posturing for groups to claim how special and secure they were. It didn't take long before these special OS products slipped farther and farther behind their commercial counterparts. The career enhancing aroma of working on these special systems very quickly became the putrid reek of irrelevancy.
For non-developers, the market selection of government vetted products automatically meant you were restricted to a small choice of products at least two years out of date due to the time and expense required to obtain the government stamp of approval. For a number of years this was considered an acceptable trade-off, particularly for military systems.
In today's world of internet time, years out of date is a non-starter for commercial activity. Government and military software markets are no longer the dominant customer and few companies are willing to spend time, money, and effort on this relatively small market in order to get the security version of a Good Housekeeping Seal of Approval. Even when they do, it's often a customized spin-off that will be poorly maintained.
Check Boxes for Everyone!
So... Basically the market has "failed" because the typical consumer of software doesn't give a crap about security as long as it does the job at hand, right now...
And the "solution" is going to be to order everyone who doesn't give a crap about security to spend most of their security budget ticking off checkboxes on government forms, at an estimated huge cost, with totally unverifiable benefits (How do you calculate security breaches that never happen and the costs thereof? It's voodoo. They can fill in whatever numbers they like to make it look good and nobody can gainsay them.) How often are the estimates of cost an benefit accurate, even when they can be precisely measured? Past performance doesn't guarantee future results, but it's a decent way to bet...
The idea of convincing the consumers to care about security when judging quality, and then respecting their judgement about how best to go about that... Why, that's just absurd. The government knows best about how to do everything and the peasants had better fall in line if they know what's good for them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
