Europe’s cyber security strategy must be clear about open source
Europe’s cyber security policy has an open source problem. Compared to the US, the UK and Europe have been playing catch-up on a national security strategy for the resilience of open source software supply chains against malicious actors. Open source powers our critical software infrastructure, and can be used as a threat against it – Microsoft recently found vulnerable open source components being exploited to hack energy grids in India. In 2021, the Log4shell vulnerability – the most widespread security vulnerability in recent history – laid bare the risks of unmanaged software supply chains.
Because this is a global concern, governments are acting. Last year, the UK government issued a Proposal for Legislation to ‘Improve the UK’s Cyber Resilience,’ highlighting the immense impact even small security risks in the supply chain can have. Meanwhile, Germany issued the Information Security Act 2.0 (IT-SiG), and more recently, the European Union (EU) has proposed its Cyber Resilience Act (we’ll come back to that).
To put into perspective why this is a big deal, open source comprises between 80% and 90% of the code in all modern applications. At least a quarter of identified hacks originating from the application layer can be attributed to a vulnerability in an open source component used to build the application. Unfortunately, many commercial consumers of open source are not managing their software supply chain in any centralised fashion. When a known-vulnerable open source component is downloaded, 96% of the time a better, non-vulnerable version was already available.
Even Log4j, the component that made applications vulnerable to Log4shell, was subject to similar behaviour. The average consumption of the vulnerable versions of Log4j stood at 38% for all of 2022. That means that 38% of the time, someone was downloading, and building into their software, a version containing the most widely publicised and exploited vulnerability we’ve ever seen.
The problem stems from a lack of incentive for corporations to act. Open source is a powerful tool that enables our modern economy, but failing to manage it leaves software development teams exposed to technical debt and serious security risk.