News

EU Cyber Resilience Law Could Harm Open-Source Software and Information Security

The EU has been developing the Cyber Resilience Act (CRA) for more than half a year, which should protect Europe from cyberattacks and increase the security of products, including Internet of things (IoT) devices, computers and smartphones.

However, this law could also harm open-source software developers and increase the risk of vulnerability disclosures.

Let me remind you that we wrote about the EU fines Meta for the record $1.3 billion as well that British Airways will pay a record penalty for data leakage within the GDPR.

And also the media said that the German authorities warned against using Kaspersky Lab products.

Many organizations and individuals have already expressed their concerns about CRA. This time, constructive criticism of certain points of the bill came from the non-profit human rights organization EFF.

The law being drafted provides for liability for commercial activities that bring vulnerable products to market. Open source software is the backbone of the modern Internet and is funded through donations, grants and sponsorships. However, the law defines commercial activities too broadly and does not exempt open source developers from liability, who do not receive direct funding, but rather work on pure enthusiasm. Such “inconsistencies” can lead to legal prosecution of developers and abandonment of projects in the public interest.

Industry representatives have already expressed their concerns on the OpenSource blog. The EFF stands in full solidarity with the developers here and calls on the EU to indemnify those who provide open source software from liability, including when they are sometimes financially rewarded for their work.

The new law also requires software developers to disclose actively exploited vulnerabilities to the European Cyber Security Agency (ENISA) within 24 hours. ENISA must then pass this information on to the national security authorities. This requirement should encourage companies to identify and fix vulnerabilities faster, but it also creates risks for those who really care about the security of their products.

Disclosing data about vulnerabilities in such a short period of time can only provoke their greater exploitation by attackers. Indeed, a deep study of most problems takes much more time than a day, and simply reporting a vulnerability without having a fix in hand is quite risky. Although the law does not require public disclosure of data, leaks often occur even in government departments. Therefore, such a requirement can lead to the fact that the fixes are quick, but rather sloppy and superficial, which hackers will only be happy about.

The EFF urges the EU to refrain from hard deadlines for resolving security issues and to report even actively exploited vulnerabilities only after they have been patched. And report them publicly, and not just to special departments.

The Cyber Resilience Act is supposed to improve cybersecurity for all Europeans, but in its current form it could backfire. EFF urges the European Commission to carefully consider the proposed changes and not to implement the law until all the above risks have been eliminated.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Kurlibat.xyz pop-up ads (Virus Removal Guide)

Kurlibat.xyz is a site that tries to trick you into clik to its browser notifications…

11 hours ago

Remove Initiateintenselyrenewedthe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyrenewedthe-file.top is a domain that tries to trick you into clik to its browser notifications…

11 hours ago

Remove Wotigorn.xyz pop-up ads (Virus Removal Guide)

Wotigorn.xyz is a site that tries to force you into subscribing to its browser notifications…

11 hours ago

Remove Initiateintenselyprogressivethe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyprogressivethe-file.top is a domain that tries to force you into clik to its browser notifications…

11 hours ago

Remove Nuesobatoxylors.co.in pop-up ads (Virus Removal Guide)

Nuesobatoxylors.co.in is a domain that tries to trick you into subscribing to its browser notifications…

15 hours ago

Remove Helistym.xyz pop-up ads (Virus Removal Guide)

Helistym.xyz is a site that tries to force you into clik to its browser notifications…

15 hours ago