by Luis de Sousa
Sun Oct 15th, 2023 at 03:48:39 PM EST
Foreword: This article was submitted a few weeks ago to EurActiv but was not published. Still, I believe it deserves to be read by a wider audience. You may replace the references to EurActiv for the company or institution your work for.
Image from Flickr.com
Software is everywhere, in the appliances and gadgets we use, running the services we rely on, in all the conveniences making modern life comfortable and straightforward. But that software is not perfect, it is vulnerable in places and on occasion fails, exposing sensitive data or allowing unauthorised access to critical systems. These failures result in costs, financial and other, that now the European Parliament, Commission and Council attempt to tackle with the Cyber Resilience Act (CRA). Whereas widely welcomed in its premises, the proposed legislation is about to set in motion a regressive process of unpredictable consequences.
Frontpaged - Frank Schnittger - an important contribution to a live current debate
A read of the draft CRA meets terms such as "finished product", "manufacturer", "market" or "commercial activity", alien to the reality of software development. Ninety percent of the software used worldwide is created under the open source paradigm, anyone can contribute to development and everyone benefits. Some economists call it a novel form of conducting business, based on cooperation rather than competition. The legislator leaves the impression of being unfamiliar with this reality, merely attempting to regulate the modern economy with concepts of the XX century.
A computer programme is not an industrial product, as an automobile produced in an assembly line or tomatoes packaged in a sealed box. Software development is eminently a creative process, akin to construction with lego pieces, constantly adapting to new standards and methodologies, swiftly responding to vulnerabilities. In this domain there are no products, rather projects, no manufacturers, but contributors, there is no industry, instead a community of persons and an ecosystem of projects. Enterprises operating in this space do not manufacture or sell products, they simply provide services to software users. In Europe almost all of these are small and medium enterprises (SMEs).
By missing the nature of software as a commons, the CRA falls into several fundamental errors, the most important being the equation of software to a manufactured product, for which someone is entirely responsible. Contributors become liable for vulnerabilities and their ultimate consequences, with fines starting at three million euros. To convey the outcome of this liability I must tell you a story.
My father was born in a small mountain village where today a community oven still exists. For centuries all the bread consumed in the village was cooked in this oven, that everyone used but belonged to no one. Every week one of the families would start the fire with their own wood, and for as long as the oven remained warm everyone else cooked their bread too. This simple system benefited everyone, against the occasional contribution of each individual family. Imagine now that a new law would make the family starting the fire liable for the wholesomeness of every loaf cooked in that occasion. It is not hard to guess the fate of the community oven under such circumstances.
If you watched the recent "Oppenheimer" masterpiece by Christopher Nolan, you might recall that on July of 1945, when the first atomic test was conducted, there was still a narrow theoretical chance of a runaway reaction igniting the atmosphere. The European digital space contemplates a catastrophe of similar magnitude with the CRA, an unintended knock-on effect of inter-dependent software projects outright exiting the EU. The terms "unworkable", "chilling", "paralysis" floated around in the community are no hyperbole. Early estimates point to one hundred thousand direct jobs at risk, affecting tens of thousands of European SMEs. And that is just the tip of the iceberg.
Euractiv is in itself the perfect example. The pages of this publication are managed and served by a software project named WordPress, a global leader in content management. Together with other heavy weights in this domain, the WordPress project made it clear in an open letter that it would not remain present in Europe in case the draft CRA is approved. In that scenario Euractiv must undergo an expensive migration to an alternative technology before the CRA comes into force (possibly early 2025). If a compliant alternative exists at all, and at an affordable cost. Otherwise, Euractiv might attempt to re-host its infrastructure outside the EU and serve its publication from abroad. And in your case? Are you aware of which open source projects depends the company or institution you work for?
On a broader perspective the proposed CRA leaves an especially bitter aftertaste for how detached from the real economy it reveals the legislator to be. Perhaps shedding some light on the sentiment of marginalisation fuelling populist and anti-democratic movements. It is time for the legislator to download the upgrade and enter the XXI century. Protecting citizens from cyber-threats is certainly possible without damaging the software ecosystem. The time has perhaps come for a bottom-up approach to legislation, with civil society invited to initiate the drafting process. If there is a community versed in creation through compromise is precisely that of open source.