Open or closing doors? The influence of ‘digital sovereignty’ in the EU's Cybersecurity Strategy on cybersecurity of open-source software

Impact factor 3.3 | Tier 3 (Sociology) | Q1 (Law)
Jennifer Tridgell
Computer Law & Security Review, Volume 56, Article 106078. Published 25 November 2024 (journal article). DOI: 10.1016/j.clsr.2024.106078. Publisher page: https://www.sciencedirect.com/science/article/pii/S0267364924001444
Citations: 0

Abstract

‘Digital sovereignty’ is the geopolitical mantra of the moment. A key agent of that policy shift, the European Union (‘EU’) has increasingly embraced ‘digital sovereignty’ as both the ideological foundation and impetus for building its digital future in accordance with ‘European values and principles,’ often driven by and intersecting with cybersecurity concerns as articulated in its 2020 Cybersecurity Strategy for the Digital Decade (‘Strategy’). Yet it is impossible to consider cybersecurity without open-source software (‘OSS’). Increasingly, the EU, USA and other governments have recognised that fact in the wake of the Heartbleed and Log4j incidents. OSS’ decentralised governance and ubiquity, underpinning most software worldwide, may amplify vulnerabilities and the adverse effects of cyberattacks, whilst its typically collaborative model of development and innovation often fosters valuable, open cybersecurity solutions.
In navigating that policy tightrope of OSS as a double-edged sword for cybersecurity, the EU has adopted the ‘closed’ language of ‘digital sovereignty’ that is ostensibly contrary to the ‘open’ nature of OSS. That rhetorical duality is particularly pronounced since the EU has described OSS as a tool for realising its ‘digital sovereignty,’ in addition to offering policy support for ‘a global, open, interoperable cyberspace’ alongside the pursuit of ‘digital sovereignty.’ While there is an epistemic gap in understanding the relationship between the EU's rhetoric of ‘digital sovereignty’ and reality, nascent studies indicate that it has a tangible effect on policy change in multiple digital spheres, generally furthering a degree of ‘control.’ However, that relationship within the OSS cybersecurity context has been underexplored and is poorly understood, although that policy is a priority for the EU and may bear significant implications for OSS globally.
Particularly analysing the Cyber Resilience Act (‘CRA’), as a key means for implementing the EU's Strategy and its first cybersecurity legislation that would comprehensively engage OSS if adopted by the Council, this article argues that the EU's desire to strengthen cybersecurity in OSS is generally welcome. Yet there is ostensibly a disjunct between the ‘digital sovereignty’ that underpins that legislation and OSS cybersecurity, with too much control of OSS potentially proving counterproductive for EU cybersecurity. This paper illustrates that (i) it is imperative for the EU to address OSS cybersecurity; (ii) yet the lens of digital sovereignty is ostensibly a rough fit for that approach, considering OSS’ philosophy and practice; and (iii) based on the CRA, the EU's practice of translating ‘digital sovereignty’ into policy change is mixed, leaving uncertain ramifications for OSS cybersecurity in the EU and beyond. On the one hand, it moves towards more ‘control,’ at least in determining definitional parameters and power dynamics, with novel ‘stewardship’ positions for certain OSS entities. That said, the EU generally seeks to leverage OSS to further its regional embrace of OSS rather than to exclude others. Ultimately, the EU has a valuable leadership opportunity to drive forward solutions to OSS cybersecurity in collaboration with others whilst avoiding fragmentation, keeping doors open in recognising that global challenges demand global solutions. That is in its enlightened self-interest.
Source journal: Computer Law & Security Review. CiteScore 5.60; self-citation rate 10.30%; 81 articles published; review time 67 days.

Journal description: CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good-quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.