German car industry explains why Cyber Resilience Act will harm open source software
Tuesday, September 5. 2023
The German Association of the Automotive Industry (VDA) published a brief position paper on the Cyber Resilience Act in relation to free and open source software. The Cyber Resilience Act (CRA) proposal aims at making products with software, and software itself, safer. The German car industry’s brief does a great job of explaining the importance of free and open source software (FOSS), and why the approach taken in the legislative proposal will harm the European economy. It is a short paper, one and a half pages; I encourage you to read it. I will discuss the paper and point to a possible solution.
Open source is important for the German car industry:
At present, the German automotive industry already uses free and open source software (FOSS) and plans to continue using it in cooperation with organizations such as the Eclipse Foundation and COVESA, to drive forward standardization in the automotive industry and prepare the European automotive sector for the future. The auto industry uses FOSS, i.e. software that is freely available and which anyone can modify and distribute. The deployment of FOSS has become very important in our industry owing to its numerous advantages such as cost-efficiency, flexibility, transparency and collaboration.
It is even crucial for the German car industry’s competitiveness:
The efficient cooperation in the German automotive industry using FOSS is crucial to its competitiveness.
The German car industry supports the Cyber Resilience Act’s objective, but perceives a danger that the FOSS community could be harmed permanently and that this could negatively impact the European economy.
The FOSS community consists of a large number of developers, non-profit foundations and enterprises which cooperate on a voluntary basis. Together they develop FOSS code, which is made publicly available free of charge, and helps generate innovation in the European automotive industry.
Politicians may think companies want an open source exception so that they can escape their responsibilities under the coming CRA. As a result, a limited exception for free and open source software may make sense to them. However, the German car industry fully accepts that when it brings a car with software to the market, it will be responsible. It is not about evasion. The car industry wants to protect the vulnerable, crucial cooperation that takes place before a product is brought to market. See also Simon Phipps: Diverse Open Source uses highlight need for precision in Cyber Resilience Act.
This is somewhat akin to a brainstorming session: you should not be critical during the session, as that would break the process. So, how to make the distinction?
We therefore propose a necessary differentiation between the collaborative development of FOSS (upstream) and its commercial use (downstream). The CRA should accordingly not be applied to the collaborative development of FOSS, irrespective of the business activities of the stakeholders (upstream). The regulation should apply only when FOSS is used in products and services (downstream). As a result, non-profit organizations like the Eclipse Foundation, the Linux Foundation and COVESA would not fall within the ambit of the CRA. The cybersecurity obligations should apply to the companies that bring FOSS to market and use it commercially, and not to the developers who make the FOSS source code available free of charge. The VDA gives its full support to this proposed solution.
Another misconception may play a role. Small and medium-sized enterprises (SMEs) represent 99% of all businesses in the EU. Of course, politicians want to protect them from excessive burdens. SMEs, too, depend to a major extent on free and open source software. [1] If the free and open source community were made responsible, would the burden on SMEs be lighter? No, it does not work that way. In order to make the burden on SMEs smaller, we should not make the burden greater for an ecosystem that is even more vulnerable than SMEs, and on which not only the car industry but also SMEs depend.
With individual developers and non-profit foundations alongside companies, the FOSS ecosystem is a vulnerable one. Venturebeat: “[Sponsor programs] are promising, as ‘crucial parts of the open-source infrastructure are maintained by a few underpaid, overworked individuals that often do it for free,’ commented Wolfgang Gehring, FOSS Ambassador at the Mercedes-Benz Tech Institute. ‘And that isn’t right.’”
Yes, support SMEs. But do not poison the well for all, including SMEs. It may be good to rethink aspects of the Cyber Resilience Act instead of rushing it through.
The VDA sketches a worst-case scenario, should the CRA enter into force unchanged:
If individual developers, projects and FOSS organizations are held responsible for fulfilling the obligations envisaged in the CRA, there will be a risk that many of them pull out of FOSS development in Europe, and that FOSS products can no longer be offered on the European market.
Instead, more FOSS products might be marketed in countries with either low-level cybersecurity requirements or none at all. This means that Europe would close itself to the successful collaboration between the FOSS community and the industry, which contributes to the development of secure FOSS products. On the other hand, the large-scale exemption of FOSS development projects from the CRA’s scope of application could lead to proven procedures from the collaborations between the FOSS community and the industry being transferred to the FOSS community and thus to the establishment of high security standards for major FOSS projects worldwide.
In an earlier blog I noted that the texts by the European Parliament and council put normative provisions in the recitals where they may be ineffective. It is important to put normative provisions, like exceptions and safeguards, in the operative provisions, the articles. Unfortunately, on top of this, the co-legislators want to fast track the Cyber Resilience Act. The window of opportunity to get things right seems small. To deal with this, in the earlier blog, I suggested an approach – a shared set of high quality amendments with broad support could make the open source community’s case more compelling.
It would seem that many agree on making a differentiation between the collaborative development of FOSS (upstream) and its commercial use (downstream) in the scope of the Cyber Resilience Act. Such a differentiation would also have to take into account that, as Simon Phipps notes, diverse open source uses highlight the need for precision in the CRA.
Footnotes:
[1] It has been estimated that FOSS constitutes 70-90% of any given piece of modern software. Venturebeat: “Today, open-source software underpins almost everything: A whopping 97% of applications leverage open-source code, and 90% of companies are applying or using it in some way. GitHub alone had 413 million open-source software (OSS) contributions in 2022.”