EU Cyber Resilience Law Could Harm Open-Source Software and Information Security

The EU has been developing the Cyber Resilience Act (CRA) for more than half a year. The act is intended to protect Europe from cyberattacks and to improve the security of products, including Internet of Things (IoT) devices, computers and smartphones.

However, the law could also harm open-source software developers and increase the risks associated with vulnerability disclosure.

Let me remind you that we wrote about the EU fining Meta a record $1.3 billion, as well as British Airways having to pay a record penalty for a data leak under the GDPR.

The media also reported that the German authorities had warned against using Kaspersky Lab products.

Many organizations and individuals have already expressed their concerns about the CRA. This time, constructive criticism of specific points of the bill has come from the non-profit human rights organization EFF.

The draft law provides for liability for commercial activities that bring vulnerable products to market. Open-source software is the backbone of the modern Internet and is funded through donations, grants and sponsorships. However, the law defines commercial activity too broadly and does not exempt from liability open-source developers who receive no direct funding and work purely out of enthusiasm. Such "inconsistencies" can lead to legal prosecution of developers and the abandonment of projects that serve the public interest.

Industry representatives have already expressed their concerns on the OpenSource blog. The EFF stands in full solidarity with the developers here and calls on the EU to exempt those who provide open-source software from liability, including when they are occasionally paid for their work.

The new law also requires software developers to disclose actively exploited vulnerabilities to the European Cyber Security Agency (ENISA) within 24 hours. ENISA must then pass this information on to the national security authorities. The requirement is intended to push companies to identify and fix vulnerabilities faster, but it also creates risks for those who genuinely care about the security of their products.

Disclosing vulnerability details on such a short timeline can only invite greater exploitation by attackers. A thorough analysis of most problems takes far more than a day, and reporting a vulnerability without a fix in hand is risky. Although the law does not require public disclosure, leaks occur even in government departments. The requirement may therefore lead to fixes that are quick but sloppy and superficial, which attackers will only welcome.

The EFF urges the EU to refrain from hard deadlines for resolving security issues and to have even actively exploited vulnerabilities reported only after they have been patched, and then publicly, not just to special departments.

The Cyber Resilience Act is supposed to improve cybersecurity for all Europeans, but in its current form it could backfire. The EFF urges the European Commission to carefully consider the proposed changes and not to adopt the law until the risks described above have been addressed.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
