Hackers use software as their chosen tool of destruction, and protections against cybersecurity threats MUST address the threat posed by software. The EU Parliament is considering regulations that contain steps to identify risky software, providing consumers with the type of transparency they need to protect themselves from risky software.
Four specific objectives were set out [in CRA]:
1. Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
3. Enhance the transparency of security properties of products with digital elements, and
4. Enable businesses and consumers to use products with digital elements securely.
The letter linked below (Read More) from OASIS is profound in that it accurately and clearly makes the case:
The proposed CRA provides a scheme for addressing vital issues for any software and devices: reliability, safety, and protection against cyber threats. We support the idea that producers and vendors of products, licenses, and other commercial offerings should be accountable to their users and buyers.
I agree with the above statement but I do not agree with giving open-source projects exemption from cybersecurity requirements, as indicated in this excerpt:
However, open source development also often includes many volunteers who provide intermediate incremental work, individually contributed, such as public repository contents or volunteer code patches. They receive no financial compensation and are “paid” only with the gratitude of their users. These volunteers cannot be treated fairly like commercial enterprises and should not be discouraged or chased away.
For this reason, committees of the European Parliament are working this month to identify and exclude appropriate FOSS cases and volunteer participants from some of the burdens proposed by the new CRA regulatory plan.
These "volunteers" work hard and they should be properly compensated for their contributions. Open-source software and solutions require significant labor from highly talented engineers, tech writers and others. THE SOLUTION IS TO PROPERLY COMPENSATE THESE PEOPLE FOR THEIR CONTRIBUTIONS AND CONTINUED SUPPORT, INCLUDING CYBERSECURITY MEASURES.
Excluding open-source projects from cybersecurity requirements is the open door that will allow hackers to continue using these channels to inflict harm. We need to change the business model to ensure that cybersecurity measures are implemented and that the people working on these open-source projects are properly compensated for their commitment to providing safe and secure software solutions.