Resilience reflection #12: Risking Internet resilience

Thursday 26 October 2023

Recognising the urgent need to respond to rapid societal and environmental change, resilience is one of the University of Twente’s spearheads. As an academic institution, we have a role to play in strengthening the resilience of the social, technological and environmental systems that support us. In this weekly series of the Resilience@UT programme and the 4TU Resilience Engineering Programme, UT researchers share their personal reflections on current events and trends that impact our daily lives, exploring their implications for resilience. The opinions expressed in this article are the author’s own. This week Roland van Rijswijk - Deij speculates on the looming consequences of the EU Cyber Resilience Act for open-source software development.

Risking Internet resilience with the best of intentions?

Lawmakers have finally woken up to the crucial importance of regulating the resilience of ICT systems to safeguard the functioning of society. In Europe the Cyber Resilience Act (CRA) sets out to regulate ICT systems and services such that vendors and operators of crucial services meet quality and security requirements. The well-known "CE" logo will thus be expanded to ICT systems and services, including their software. Let me start by saying: this is a good thing. For far too long we have assumed that "the Internet (as core ICT infrastructure) will just keep working" in the face of disaster. We can no longer afford this attitude; if the Internet fails, society is in serious trouble.

A Snag

There is, however, a snag: the Internet crucially depends on open-source software. This software is often maintained by non-profit organisations and even by talented individuals who freely give their time for the good of our society which is dependent on the Internet. Here, a tension arises: it is highly likely that their work will also be subject to the CRA. This would have serious consequences for open-source developers: they will need to drastically change their way of working to comply. This will lead to rising costs (e.g., for external audits) and a decrease in productivity (as developers spend time on compliance). Given the fragile funding situation of many open-source projects, this may be the proverbial straw that breaks the camel's back.

A Clash of values

At the core, for me, the tension between the proposed CRA and open-source development is ultimately a clash of values:

Open-source developers want to work for the good of society and want to make the fruits of their work available for free, relying on donations or support contracts to put food on the table.
The core of the Internet depends almost exclusively on open-source software. Furthermore, there is a strong consensus in the Internet community that there should ideally be multiple independent open-source implementations of protocols to be resilient to bugs in a single implementation.
Big tech (the Googles, Facebooks, Amazons, etc. of this world) enthusiastically adopts open-source software for their core services, and yet they spend very little money on the organisations that develop and maintain this software.
Society needs a resilient Internet and wants to ensure this through regulation. Understandably, this includes the open-source software that lies at the heart of the Internet.

Can we have our resilience cake and eat it too?

This leads me to wonder: if open-source organisations perish due to the cost of regulation, do we not run the risk of damaging the resilience of the Internet with the best of intentions? Should regulation require big tech to pay their fair share of open-source development? What does this mean for the independence that open-source organisations value? For me this is food for thought and poses fundamental questions about how we shape the Internet. Can we still have a free and open Internet - including the free spirit in which its core components are built and maintained - and have a resilient Internet at the same time?