1. 32
  1. 12

    I appreciate the clarity and lack of hyperbole. It’s a refreshing change from the typical Chicken Little rhetoric.

    Did the EU just require me to make software that can withstand (unspecified) denial of service attacks? Something that is mathematically proven impossible?

    I think that this has to be read in context. This requirement is part of a hardening suite given “where applicable” to compensate for a “risk assessment”. (b) says to forbid unauthorized access, (c) says to encrypt when cryptographers would have expected encryption, etc. In this light, (f) asks that we mitigate amplification attacks when writing clients, and mitigate slow-loris attacks when writing servers. Similarly, (h) is an exhortation to avoid weird machines.

    Who is going to audit Linux? And who is the Linux vendor? If you download a US software product to Europe, are you then an Importer under the terms of the CRA?

    I think that the author knows the hilarious answer already. I don’t know whether we’re going to see a European Linux, but this would not be the first time that software regulations created opportunities for downstream forks which are kept in regulatory compliance.

    The author is completely correct about ETSI’s unfairness. But, again, consider the hilarious outcome; I don’t think that Free Software will vanish from Europe, and I don’t think that we’re going to see a rise in European non-Linux datacenters either. This sets us up for something closer to the CA/B, where software authors get to bully capitalists and governments with technical arguments.

    1. 4

      I think that this has to be read in context.

      Yeah, out of context this seems like a bizarre impossible requirement, but it’s pretty clear given where it shows up in the document that this is intended as specifying that you can’t just ignore a CVE just because its effect is to bring the system down and it doesn’t actually allow any RCE.

      That said, it’s sloppy writing on the part of the document; more explicit wording is needed.

    2. 10

      TL;DR Lobbying groups are pushing for new standards and “certifications”, so that they can sell audits, or certify audit resellers. Most CTOs are happy because there’s the word cyber in there too, and it even talks about Linux, so it must be important.

      1. 7

        The security audit industry isn’t exactly looking for more work at the moment. I think what we’re seeing is quite the opposite; there’s no Volkswagen/PSA-sized European software company giving politicians their marching orders, giving them the impression that the economic cost of implementing these directives will mostly be borne by the US and China.

        They’re not considering that the multi-million dollar US-made office product they’re using might have a critical dependency on a library made by a 27-year-old living in a small apartment in Riga. And if they are, they probably see it as something that should be outlawed.

        They’re not considering that a lot of employment in the software industry (especially in the EU) isn’t found in the offices of multinationals making consumer apps that are used by billions, but in small shops producing tailor-made software for a specific sector of industry or country.

        1. 2

          The security audit industry isn’t exactly looking for more work at the moment.

          Clearly, a remarkable fact about the tech industry is that it is content with a paced growth rate, and not looking for ways to make the line go up faster…

          This act will mainly make vendors slap another badge on their website to prove that they have jumped through various hoops and filed security compliance forms. That it is about “cyber” security is almost a detail…

          1. 1

            Security audits (currently) don’t scale the way the rest of the tech industry does; automated scanning tools exist, but as far as I understand, a lot of the auditing process is fairly labour-intensive work.

            I think we can count ourselves lucky if this act amounts to “just” another badge to slap on a website.

      2. 6

        Is the EU bureaucracy going to pay the increased costs of developing these utilities and requirements in code, or is that being left to industry as to further suppress salaries and raise prices?

        1. 31

          idk, is industry going to pay the costs associated with their users and customers having their PII stolen and downtime due to their systems failing, or will those costs just get transparently passed on to the customer or soaked out of their own workers’ wages to keep stock prices high?

          There’s seldom one side to any story.

          1. 4

            Software notoriously has ridiculous profit margins. That’s why you hear so many companies trying to grow the “services” section of their income pie chart. There is plenty of room for some minimal cybersecurity requirements to be imposed (not saying the ones in this article are the right balance).

            Also consider the staggering cost of insecure software. It’s rich for well-paid software workers to complain of suppressed salaries when everyone else is paying billions to trillions every year for our own carelessness: https://www.cisa.gov/sites/default/files/publications/CISA-OCE_Cost_of_Cyber_Incidents_Study-FINAL_508.pdf

            1. 3

              If it is, it will be through increased taxation, and “everyone” pays.

              Raised prices make Chinese imports even more affordable, and no one will care about any regulation in that context.

              Sweet ideas on paper, but this will likely hurt most where it should do the most good.

            2. 5

              (k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

              I’d like to see this strengthened: you should be able to opt in to security updates and only security updates. A lot of people avoid installing updates because they are so accustomed to finding that the update which fixed a vulnerability also made the UI of another feature they rely on much worse, or removed a feature altogether. This practice trains people to avoid updates, and prevents them from benefiting from security patches.

              Edit: at the same time I understand that the EU is doing something so radically new that it’s probably wiser to limit the scope for the first iteration; the above feels a bit like asking for a pony. Let’s start with some basic protections for users and work forward from there!

              1. 3

                Point: Poorly written software causes a lot of misery so there must be standards

                Counterpoint: Program verification is provably impossible and politics is broken, so how can legislating verification help?

                1. 5

                  Program verification is not provably impossible. It’s impossible to say whether an arbitrary program satisfies a spec. It’s possible to make a program that provably satisfies just about* any spec.

                  It is however impractical given the current state of the tooling.

                  * There are some strange specs for which you can’t do this, because the spec requires you to compute something uncomputable. They never appear in a non-academic context because it’s also impossible to make the program (or at least know that you made the program) in the first place.

                  1. 3

                    Well they could define real test suites, and require that to be done regularly.

                    Like “EU-Version of Qualys” = EULYS (<= completely made up.) The admins have to test every 6 months, and in the footer of the app, webshop, whatever, there has to be a link back to the https :// eulys.eu / results /domain.tld so that everyone can see that you have had an A+ for years or carry an F. Each even year a penetration test. Each odd year some fuzzing would also not hurt.

                    Even these minimal measures would stop a lot of fiscally grounded bitrot, and tech departments would have a better lever against management.

                    Also it could impose pressure on certain software vendors to make it possible to minimize the software size and package count. Like installing Windoze without everything unnecessary.

                    Also it could put pressure on the industry to open source binary blobs in drivers (or at least have reproducible builds), because how else should you prove the complete application?

                    Does anyone remember the 1-floppy installer of QNX from 20 years ago? Why is it so much more bloated today? Why is it so much hard work to unbloat a system, even Linux ones like Ubuntu?

                    1. 2

                      You’re right. We can have minimum standards without making the perfect the enemy of the good.