Title: Open or closing doors? The influence of ‘digital sovereignty’ in the EU's Cybersecurity Strategy on cybersecurity of open-source software
Author: Jennifer Tridgell
DOI: 10.1016/j.clsr.2024.106078
Journal: Computer Law & Security Review, Volume 56, Article 106078
Publication type: Journal Article
Publication date: 2024-11-25
URL: https://www.sciencedirect.com/science/article/pii/S0267364924001444
Open access: no
Citation count: 0
Abstract
‘Digital sovereignty’ is the geopolitical mantra of the moment. A key agent of that policy shift, the European Union (‘EU’) has increasingly embraced ‘digital sovereignty’ as both the ideological foundation and impetus for building its digital future in accordance with ‘European values and principles,’ often driven by and intersecting with cybersecurity concerns as articulated in its 2020 Cybersecurity Strategy for the Digital Decade (‘Strategy’). Yet it is impossible to consider cybersecurity without open-source software (‘OSS’). Increasingly, the EU, USA and other governments have recognised that fact in the wake of the Heartbleed and Log4j incidents. OSS’ decentralised governance and ubiquity, underpinning most software worldwide, may amplify vulnerabilities and the adverse effects of cyberattacks, whilst its typically collaborative model of development and innovation often fosters valuable, open cybersecurity solutions.
In navigating that policy tightrope of OSS as a double-edged sword for cybersecurity, the EU has adopted the ‘closed’ language of ‘digital sovereignty’ that is ostensibly contrary to the ‘open’ nature of OSS. That rhetorical duality is particularly pronounced since the EU has described OSS as a tool for realising its ‘digital sovereignty,’ in addition to voicing policy support for ‘a global, open, interoperable cyberspace’ alongside the pursuit of ‘digital sovereignty.’ While there is an epistemic gap in understanding the relationship between the EU's rhetoric of ‘digital sovereignty’ and reality, nascent studies indicate that it has a tangible effect on policy change in multiple digital spheres, generally furthering a degree of ‘control.’ However, that relationship within the OSS cybersecurity context has been underexplored and is poorly understood, although that policy is a priority for the EU and may bear significant implications for OSS globally.
Particularly analysing the Cyber Resilience Act (‘CRA’) as a key means for implementing the EU's Strategy and as its first cybersecurity legislation that would comprehensively engage OSS if adopted by the Council, this article argues that the EU's desire to strengthen cybersecurity in OSS is generally welcome. Yet there is ostensibly a disjunct between the ‘digital sovereignty’ that underpins that legislation and OSS cybersecurity, with too much control of OSS potentially proving counterproductive for EU cybersecurity. This paper illustrates that (i) it is imperative for the EU to address OSS cybersecurity; (ii) yet the lens of digital sovereignty is ostensibly a rough fit for that approach, considering OSS’ philosophy and practice; and (iii) based on the CRA, the EU's practice of translating ‘digital sovereignty’ into policy change is mixed, leaving uncertain ramifications for OSS cybersecurity in the EU and beyond. On the one hand, it moves towards more ‘control,’ at least in determining definitional parameters and power dynamics, with novel ‘stewardship’ positions for certain OSS entities. That said, the EU generally seeks to leverage OSS to further its regional embrace of OSS rather than to exclude others. Ultimately, the EU has a valuable leadership opportunity to drive forward solutions to OSS cybersecurity in collaboration with others whilst avoiding fragmentation, keeping doors open in recognising that global challenges demand global solutions. That is in its enlightened self-interest.
Journal description:
CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good-quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.