Skip to content

Latest commit

 

History

History
334 lines (203 loc) · 12.3 KB

pts2023-nis2-cra-intro.md

File metadata and controls

334 lines (203 loc) · 12.3 KB

NIS2 + CRA

  • A short introduction to NIS2 and CRA
  • Current concerns
  • Ramifications
  • Suggested actions

What is NIS2?

Network and Information Security Directive II 2022/2555


Directive on measures for a high common level of cybersecurity across the Union

  • Directive – applies to EU member states; requires transposing into national law
  • Increase cybersecurity in general, across EU
  • Adopted on Nov 28, 2022
  • Must be implemented in national laws by Oct 17, 2024
  • Applies to many businesses (more later)
  • Many new & sensible security demands (security professionals are positive)

Claim: Does NOT apply directly to Open Source projects


Response: Meaningless claim – indirect consequences (more later)

NIS2 – What are the liabilities?

  • Fines up to € 10,000,000 or 2% of global revenue – whatever is higher
  • Management liability (fines, jail)

NIS2 – Who does it apply to?

Essential and important entities (Annex II)

  • …All Large and medium-sized companies in EU/EEA
  • …All Essential and important entities, no matter size
  • …Businesses not based, but offer services within EU

(est. 40,000 businesses in Germany alone)

NIS2 – What is demanded?

  • …All-hazards approach to risk assessment of all relevant IT systems and components
  • …Common policies on risk analysis, incident handling, crisis management & more
  • …Common practices for Business continuity, Supply-chain security, cryptography, access control policies, multi-factor auth, etc.
  • …Defined procedures for vulnerability handling, disclosure, incident notification, etc.
  • …Define basic cyber hygiene practices (e.g. secure by default)
  • …and more!

NIS2 – Supervision and audits?

  • Essential entities should expect surprise audits (ex ante com

NIS2 – Sectors covered by the directive

Networks & communication Energy
Banking & Financial Water supply
Healthcare Pharmaceuticals
Waste management Postal
Space Chemicals
Digital services, social media Food
Public administration & More…

(Full overview of entities)

NIS2 – References & Links

What is CRA?

  • Cyber Resiliency Act
  • Regulation – applies directly to EU/EEA members
  • About to be adopted, as of 2023-04
  • Additional security requirements to hardware and software products and components ("digital elements")
  • A "CE marking" of physical products, including it's software and it's Open Source dependencies
  • Distinguishes between "critical products" (Class I) and "products" (Class II) – (Ref: CRA Annex III)

CRA – Applies to…

Class I Class II
Identity management systems Operating systems
Network management systems PKI infrastructure
Network monitoring Firewalls, IDS
Update/patch management & Much more!

Source

CRA – Liability

  • Maximum fines of €15,000,000
  • …or 2.5% of annual turnover
  • …whichever is highest of the two.

CRA – Requirements

  • Any devices (hardware and software) must handle essential cybersecurity requirements
    • Unclear what these are at the moment – TBD
    • May include update- and notification components, supply-chain security
  • If law applies, it requires business to do risk analysis self-assessment, according to published guidelines
  • Law requires both risk assessment and documentation to show compliance
  • Failing to do this risks Significant Fines.
  • Open Source Software may or may not be part of this assessment
  • Risk-averse businesses are likely to assess their OSS dependencies anyway!


Est. 92-98% of applications use OSS in their stack (sources differ)


Approx. 21% of security incidents are supply-chain attacks.

CRA – Current concerns

  • Directive feedback periods are finished (Jan '23)
  • Very few actual open source communities offered feedback
  • Still some confusion on demarcation between "commercial" and "open source"

Assuming any direct ramifications are resolved.

Our main problems are likely to be with the INDIRECT ramifications.

CRA – Community ramifications 1/3

  • Multiples of 10,000's (!!) of businesses will take a hard look at their Open Source dependencies

  • Each will find they depend on 100's or 1000's of individual Open Source projects.

  • Each project is likely to be judged on responsiveness, sustainability, security risks and more.

  • Their meta-communities will be judged on Supply chain maturity and security, incident response procedures, tooling and infrastructure, and more.

  • Security issues are likely to become very visible, quickly showing which communities are high-risk.

  • Auditors and compliance officers are likely to function as demand-leaders for new requirements

  • Insurance companies will make decisions based on what they learn as they explore the new security and liability landscape

CRA – Community ramifications 2/3

  • On a technical side – increased demand for…
    • Tooling and support for dependency management (SBOM)
    • Tooling and support for risk and security assessment
    • Tooling for supporting documentation and risk assessment
  • On a training & documentation side – increased demand for…
    • Clarity around project sustainability, decision-making and contribution methods
    • Clarity around governance, adoption and forking
    • Clear guides on how to identify responsible parties, if any
    • Updated FAQ's, HOWTO's and README's
  • On a community & licensing side – increased demand for…
    • Clear guides on how to interact constructively with individual projects – "How to be a good Open Source citizen"
    • Clarity around liability regarding different licenses and their consequences
    • Clarity around governance and conflict resolution mechanisms

CRA – Meta-community ramifications 3/3

"Community of communities", e.g. "The Raku community"

  • This is likely to require extensive capacity-building
    • Start fundraising. This will cost money no matter what we do.
    • Identify long-running tasks that demand funded work/no-one is willing to do volunteer for
    • Explore alternatives for funding meta-community work like above, and/or developer work that is relevant for stakeholders.
    • Establish recommended developer funding channels (e.g. tidelift.com)

CRA – Links and resources

Possible consequences

What can we predict is likely to happen?

Business ramifications

  • NIS2/CRA compliance is a major upcoming cost center (some est. 21% increase in development cost).

    • Cost savings are likely to be a major focus
    • "What existing tooling can we use?"
  • Ways to reduce the cost of managing large dependency trees

    • Option 1: Use existing community infrastructure that helps them manage and improve the risk landscape
    • Option 2: Roll your own // in-house forks
    • Option 3: Reduce the number of communities to interact with

Community ramifications

  • Increased focus on security is likely to reveal more bugs and a greater pressure on volunteers
  • Community inaction may lead to active disengagement from users
  • Perceived lack of professionalism may lead to reputation hits
  • Lack of transparency around these processes will reduce trust in community and it's capabilities to manage the new reality
  • If businesses choose to re-implement their stack, they may choose software ecosystems that offer superior security tooling, responsiveness, etc.

Remedies

What can we do about this?

Remedy 1/5 – fact-finding

  • Set up a project with the task to research, enumerate and report on ongoing and current issues with software, infrastructure, policy, and governance that must be addressed by the Perl/Raku/CPAN community members, TPRF or other (possibly funded) dedicated organizations.

Remedy 2/5 – funding

  • Create avenues for support & funding, to offset existing risk of harassment, reduce likelihood of parallel work (waste). This includes offering well-published options for businesses who wish to fund cross-community efforts like this.

  • Create avenues for experts to receive funding for solving tasks related to identified issues.

  • Set up statistics gathering so we can get some real data on how many/who contacts TPRF, so this can be used as leads for further fund-raising.

Remedy 3/5 – guides

  • Establish, publish and manage clear and authoritative guides on how to stay informed on incidents, practice responsible disclosure, and other common security-related issues and tasks.

  • Offer guides, best practices and check-lists on how to set up and manage a well-run Perl/Raku/CPAN application software life-cycle.

Remedy 4/5 – liaisons

  • Set up and fund a dedicated security auditor & OSPO community liaison, that also can help resolve ongoing issues businesses may have.

Remedy 5/5 – culture

  • Lead, execute and promote efforts to establish and maintain a long-term healthy culture for security culture within our communities.
  • Establish a yearly security summit, based on the model of PTS and similar events.
  • Set up a Perl/Raku CVE Numbering Authority, like many other large projects have done.

Links and resources

Thank you!

Salve J. Nilsen (Oslo Perl Mongers)

Mastodon: @[email protected]

Twitter: @sjoshuan