Since, as you've noticed, we don't give a lot of time to the panelists for our panels at the summit, we're gonna get started right away. I'm Astor Nummelin Carlberg of OpenForum Europe. I think most of you have seen me at some point, so... But today I will be the moderator of this great panel and, like Paula said, on a topic that I think a lot of people will be interested in. So in my speech this morning, I talked a lot about the intense policy work from the open source organizations across the world in the past year and a half, but today we would like to have a panel and a conversation that goes beyond those legislations, where in some ways we're past that (I'm exaggerating a bit, because there are a lot of bits of standardization and implementation, and I think we'll get to some of those points today), but now really starting to look at the partnerships. What can government bring to the open source ecosystem, and what can the open source ecosystem bring to government when it comes to solving some of the very shared goals of increased cybersecurity and resilience? So I really will push the panelists today to get to suggestions and ideas for practical steps, projects, collaborations, etc. that we could be working on. And we're joined, and I feel like maybe this is a reason, because there was so much work last year, but we're really joined by an esteemed panel of policy makers and experts discussing this today. So we have Juhan Lepassaar, executive director of ENISA. We have Lorena Boix Alonso, director for Digital Society, Trust and Cybersecurity at DG CONNECT. We have Omkar Arasaratnam, he's the general manager for the Open Source Security Foundation. We have Aeva Black, section chief for open source security at CISA, the Cybersecurity and Infrastructure Security Agency (I always get that one wrong). And we have Fiona Krakenbürger, co-founder of the Sovereign Tech Fund of the German government. Well, let's get right into it.
I think you should all grab a mic if you have one, but I'll start with you, Juhan. How does ENISA see the current landscape of open source security? What are the major challenges? How do you see open source in the context of cyber resilience, from your point of view?

Yeah, good question. How much time do you have? Of course, part of the problem is the pervasiveness of open source: 90% of software developers use open source components. If you look at companies, users, 80% of them say that they use open source because it brings down costs vis-à-vis proprietary software. At the same time, when you look at the user side, of course the big issue is: how do you help them make their risk assessments when they use open source components? How do you calculate the extra risk vis-à-vis proprietary software, for example? Because open source has strengths and weaknesses; you know better than I do. But if you look at recent examples like libwebp, which is a piece of open source, a very good tool used to code and decode images, a lot of web browsers use it, there are a lot of users. It shows how difficult it is to put this in your own risk assessment, to understand: okay, what will you do? What is your plan B if something happens? But also the other part is: how can we, governments, help the open source community to become better in helping their users, and go with the flow? So I think, and I know Lorena will talk a lot about the CRA, I see this as a game changer.
It's also, I think, an opportunity for us to really start building the community that we need. I acknowledge that as an agency we've had, of course, contacts with the open source community, and we use their expertise in some of the reports that we've built. For example, when we looked at how member states can develop coordinated vulnerability disclosure policies, we had a specific section which looked at open source security. There is a guideline that we are trying to, and I don't want to make it sound like I just made it up, so I'm going to read out what the title is: "Open Source Software and Conformity Assessment", which we hope we can publish quite soon, which is part of our push of trying to help the open source community to align with the requirements of the CRA. So that is something that we are really looking at. So it's not only about what the threats are, but it's also: what are the practical steps that we as an agency, as an enabler of the member states to deal with the cybersecurity threats, can do vis-à-vis and in cooperation with the open source community?

And then looking to you, Fiona, because you're right in the middle of government action in open source security. So of course feel free to explain a little bit, perhaps, about the Sovereign Tech Fund, but if you could interlink that with the current challenges that you work with in open source security, and what are the implications for cybersecurity at large?

Thank you. So there are obviously a bunch of things we could talk about, but I want to set the stage a little bit and want to talk about three things, maybe four if I can talk fast enough, and along that I will also talk a bit about what the Sovereign Tech Fund does. So let's say three things. The first of them is: when we talk about open source, we have to talk about open source infrastructure. The Sovereign Tech Fund has a mission to sustainably strengthen the open source ecosystem. It does it by investing in open source infrastructure.
So that is libraries, developer tools, even programming languages, standards and protocols and implementations. So these are the things that software developers need to even build software; it's basically everything. Any imaginable kind of software development depends on these core technologies. This is also where this 96% comes from; this number comes from all these core and infrastructure technologies. So this is used by everyone, but not everyone contributes to or supports these kinds of technologies. They're actually often maintained and developed by very small organizations or teams, volunteers, sometimes just one person, or even worse, no one. And I just want to make it crystal clear that this is the infrastructure that we are basing all modern society and infrastructure on, and it's neither sustainable nor is it very healthy, and it's going to be a threat and dangerous for any kind of security concept. It doesn't work without securing those core technologies. The Sovereign Tech Fund already invests heavily in these core technologies and there are ways to support it, but there's a lot of work that still needs to be done. One, for me, very representative example is Log4j. Just quickly put your hands up: who has heard of Log4j? Right. And so have all the companies and organizations that depend on Log4j, and all those organizations whose admins probably had a very long weekend after Log4j came. And yet, when we, the Sovereign Tech Fund, currently support the developers behind Log4j, when we started talking to them, until we supported them, they didn't have a single full-time developer. Let that sink in for a second. Everyone knows that Log4j is really important and it's still everywhere, but they didn't receive enough support to have a full-time developer. So there's still a lot of work to be done, for sure, and we need more actors in the field and more people supporting that. We depend on this infrastructure; it's just a fact, but we
have to think about how we can create support mechanisms that work for the people who maintain it. I will be really quick about the second and third point then. As you know, there's a lot happening in the regulation space, and I just want to flag that any kind of regulation that affects open source developers has to go hand in hand with a process design and thought; like, it can't be an afterthought to think about how we support open source developers in complying with these regulations. Because open source developers might have to comply with new regulations, but, to put it bluntly, they don't owe us anything. They are not our suppliers. They often work on this in their free time. So how do we ensure they get the resources and the tools necessary, so we don't create a very hazardous environment for them to operate in? Because we will eventually rely on their work. Third, big news: AI is changing a lot of things that we know of. And also, AI, or as I like to call it, automation, and those AI-powered tools, they are very effective tools to be used by developers. But I think we would be well advised to look into how those tools actually affect software development and the result; there are just lots of questions around accountability, about the accuracy and the reliability of code that is generated. In recent weeks we've seen a couple of articles in the security space around how it affects the security space tremendously, and even if the changes aren't as big as we might be worried about, there are going to be changes in how code is produced, how it is documented, how people submit bug reports, and so on and so on. And I think there's just lots of open questions that we should explore to understand what is necessary from policy makers and people in decisive positions to take this into account. Fourth thing? Fourth. Okay, quickly.
Just keep it in mind for the following conversations: even if we had an infinite, indefinite amount of money, there are not enough people in the space, and this is a security hazard. As I said before, these technologies need to be maintained, but there are some structural issues in this field that are really hard to wrap our heads around. But I think it is a collective responsibility to think about how we can grow the space in a reasonable way and a healthy way, support the technologies and the community so they can have healthy growth in order to do all this work that's actually out there.

No, perfect. You teed up the entire conversation way better than I ever could have done, so thanks. But I think, from Juhan's first intervention and Fiona's four points, there is the obvious question that I think we just need to get to first. Okay, open source makes up so much of our digital infrastructure. It is everywhere. Can we trust it? Does it work? If we have these challenges, can we trust it? Is this an acceptable situation?

I would strongly advise, if you ever hear someone ask that question, to reframe it, or if this is a question in your mind, because there's nothing inherently untrustworthy about open source. On the contrary, I'd rather trust open source than closed source. There's nothing untrustworthy about it. And secondly, you don't really have a choice. It's a fact that we'll all have to use it. So it's like asking: should we trust water?
Because it's the same kind of commonly shared resource. But there are ways to make water trustworthy, and as public institutions and governments we have the possibility to make these shared resources trustworthy by filtering them, by cleaning them, by making them accessible. And I think the same should apply for digital infrastructure and resources.

I'm happy to jump in, and I think from a policymaking point of view, because I've been doing a lot of legislation, as you know, in the last four years, I think it's very interesting to see, because I've been doing it for a while, how there has been a real change from a policymaking point of view. Where in the past open source was a little bit, even if very open and very free, kind of dark from a security point of view ("oh my god, this is open source"), there's been a radical change to now, where not only is this not something where you could see whether it is trustable or not, but basically it is being promoted for cybersecurity reasons. And we've done it quite recently. Well, I must say a very, very nice experience I had recently is the COVID certificate, that is one of the huge successes of this Commission; doing COVID was all open source. And recently we had very interesting debates in the context of another negotiation, which is the EU identity wallet, where the idea came during the legislative negotiation: if we want this to be secure, let's make it open source, mandatory open source. So this is something that for me is quite telling: that the EU is saying, if you really want your EU identity framework to be secure, make it open source, of course with some caveats that I'm sure we will talk about later. It is very secure because, of course, and it was said already by Juhan, because it's open, the whole community is taking care of the updates, etc.
But of course we have also the issue that it's in every critical infrastructure today, the code is very, very accessible, and so we need to keep it even more trustable. We need to make sure it's cyber secure, and this is exactly what we were trying to do with the Cyber Resilience Act, but I'm sure we will talk about it later.

Yeah, I mean, I also feel like it will be inevitable to get to the Cyber Resilience Act. But I think it's also interesting to start now really looking, because there's some interesting stuff in the act that perhaps didn't get so much attention from the open source community, where there are a lot of interesting partnership opportunities built in. But Juhan, building on the great metaphor of water: how does ENISA deal with this water, with the open source community, ecosystem, different stakeholders? I bet you've noticed that it's very different than calling a company or calling another government. How do you bring your operations together with the open source ecosystem? What does it look like?

Yeah, I really like the reframing of the trust issue; I think that was a great approach to this. Of course, the issue always, when it comes, let's take the example of Log4j: it wasn't a long weekend, actually, it was long weeks, up until we understood where exactly this piece of software is. Are we done? Yeah, precisely. So I think that kind of triggered the thinking, and I think it was also quite informative for the Commission side. I remember we had these conversations at the expert level: okay, what does it mean? How do you validate the quality of the water? And the first answer to this is actually part of the definition of open source, that it's open, so you need to be open about where you use it. So the idea of the SBOM in the CRA.
I'm still going back to the CRA before you allowed us to do that. That is part of the solution, of actually helping the users to understand better their risks. We look at it also very much from the risk perspective, but we are not the risk owners. We are not the ones who will say trust this, trust that, don't trust it; you can't have this argument. But you need to enable the risk owner to do this assessment, and I think that was a great first step, but we should not stop there. Because when I look at the other, the big issue is that of course, when you have a closed piece of software or proprietary software, you always have somebody who is responsible. So in case of crisis you have a contact point; you can ensure that there is an exchange of information between what they know, what is happening, and the users. In the case of open source, we haven't found the answer yet. Who's the contact point? Sometimes it exists, sometimes it doesn't. So we need to explore, and I think that's where I come in and say: well, listen guys, I think we need to start building these networks of communities, so that once something is happening, we at least have a conversation with somebody. And it's not about responsibility, because normally when you say proprietary, you say, ah, they are responsible, everybody looks at their mouth, now, you know, golden eggs come out: solutions, patches, etc. It's not about that. It's about having a better understanding of what can be done and what can't be done.
And I think especially in the times when you have a cyber incident or a vulnerability, this kind of conversation needs to take place in a trusted environment, and you can't build trust overnight. So you need to start doing it now, so that the networks are ready when something happens.

And then, staying here with the policy makers, because you opened two doors here: the CRA, but also the digital wallet. I think there are two interesting examples. So Lorena, from your perspective, the CRA, eIDAS slash digital wallet development, it holds a lot of promise for forging stronger partnerships between open source organizations and the governments. In what way? You don't have to promise anything, but what do you envision when you see, like, Article 17a and b in the CRA? Sorry, it's a bit detailed, but...

I'm not quoting now the articles; I'm trying not to go to them. I assume you all know what the CRA says about open source, or not? I have to... Level set. Level set. Because you basically helped us define what it says.
I think that what the CRA says, and it was a very, very interesting development when you see what was in the original proposal and what's in the final proposal, and I'll talk a bit about how we talk to each other, because maybe we can improve. What we tried to achieve at the beginning, when we were doing the legislation, okay, well... Can you keep your microphone a bit closer, for our online audience? Okay, thank you, sorry. I'm always told to have it in the left hand because I move my right hand too much. Okay, so at the beginning it was clear for us that if it is monetized, we need to cover it. And then, little by little, during the legislative negotiation, we realized that it was not as simple as that. And you made us realize that, and we are very thankful for that. This is how we came with something which is fully tailor-made, where only if you are a manufacturer directly monetizing it, then you are basically covered by the core requirements. But then we have this nice concept that I don't know if it came from you or from us, but I like it, the steward, it sounds so nice. Where basically we make sure to tackle one of the issues that has already been raised, which is: okay, what if you are in this foundation, in these communities, where you don't directly have the intention to monetize, but in the overall setting this is monetized? And my people say no, don't give examples; I give examples. But of course we looked a lot at the car manufacturing environment, which is, Eclipse is one very nice example, where there you have a tailor-made system, and then you have the voluntary attestation programme, about which I find this is a very nice way of dealing with, okay, helping manufacturers that are introducing components to fulfil their due diligence. So it's something which is good for everybody. It would even be very nice that they pay for it.
So that's because they benefit. And also I think we did something which is very nice as well, which is making sure that there's something that is brought back to the community, so that if you are using open source components and you find and you fix a vulnerability, please share it then with the community. So I think it's a beautiful system. Now, talking more about how we will implement it and all that, I would like first to talk about this first phase, the fact that it was during the legislative process that suddenly we started to receive plenty of messages. We had to engage with you all, sometimes in a way that was not so easy to understand each other, because we were not talking the same language. We are policymakers, and you are not, even if you have become really very expert in this. I wonder if, for the next iteration of a legislative act, if we need to continue in that way, a more structured way to organize yourselves would not be good, where somehow you unite all your different communities within the open source community, you somehow get a bit of training on how to talk to policymakers, which is a thing in itself. And I mean, that's what everybody does; it's just that we are not so used to talking to you. Now we became so. That's something that we thought at the time: if we had made this engagement even before the proposal, if I would try with that public consultation, with our overall usual thing, maybe next time we can organize it better. So this is, and we are fully open to discuss how to do it. In terms of the implementation, you know that now we will come with guidance, so we will certainly involve the community in preparing the guidance, and we will come with, of course, the delegated act on the programme, where of course we will need to involve you as well. So we will need to discuss how, but certainly you will be involved. For you to know, in terms of support, because you were discussing it as well, support for how now you are going to implement all this:
Apart from the guidance that we will of course issue, and that will certainly cover open source, for you to know that we have launched calls, so, for proposals. It's around 30 million, if my memory is correct. They are open right now, so hurry up if you want them. I think the deadline is in March. It's for implementation; it's to facilitate implementation, and we have a clause that is giving preference to open source. So go for it.

And I think I would also encourage everyone to take a look at that, because there's a lot of opportunity for innovation around the tools that could be tailor-made for not just open source communities, but SMEs as a rule. What will work for open source communities will most likely be quite good for SMEs as well. But here I'm going off-piste a little bit, because, building on your answer here, I'd like to bring Aeva in, because you are now a government official, but you are very much an open-sourcer in terms of background. So in response to Lorena's reflections here about, you know, how would you organize the open source community? You yourself, how would you do it? But like, what do you need now, when you're on the other side, in terms of responses?

So for those who don't know me, I've been a developer of open source software, contributor, maintainer, project founder and lead, all of those things over the past 25 years, and only joined the public service six months ago. So still finding my footing, as it were. Yeah. And also quickly learning the constraints. Yes, yes, I'll be fine, I'll be fine. It's just a firehose of new information, and a joy. So your question, I think, was two parts?

Yeah, what that will mostly... like, how can... what information do you need as a government official now?
Yeah, and how, with your experience from the open source ecosystem, do you think that could be organized in order to be provided?

Okay, so the panel has already talked about trust and risk. If you're drinking water out of a stream, it's probably responsible to make sure it's been purified, for example, right? There are corollaries for open source. If you're just grabbing a package off the internet, you probably should do some diligence to know where it's coming from, what's in it, has it been peer reviewed, other attributes that you might care about before running it in production or putting it in a car. And an SBOM is a step in the right direction. I think it is essential, both for closed-source proprietary software or commercial software that includes a large amount of open source, and for open source projects. But an SBOM, in my opinion, and this is an ongoing debate everywhere, is essential but insufficient. It gives us necessary information that empowers consumers, but it is not a complete picture. Today, to build an SBOM for a large, complex software package, in many cases the SBOM is larger than the software package. I think there are, or can be, other approaches that provide the degree of supply chain transparency, both in proprietary and open source, that would empower consumers, empower defense teams when there is the next Log4Shell. Because vulnerabilities happen. We had a big one in Docker and runc just a few days ago. It's also pretty bad, and knowing if a container runtime is in your product is not necessarily obvious. So having some artifacts, dependency resolution, in a compact, machine-readable way, I think this is the kind of technology that would help all of us, that an SBOM is a step towards but not yet there. And that would help build trust.
I think there are other techniques, such as taking the knowledge that open source communities have long had in how to work in the open. Going back to my early days working with Debian and the Linux kernel: peer review, and the artifacts generated by doing peer review and performing it in the open, everything from signed commits to sign-offs by reviewers. All of those, when made visible to the consumer, can help build trust. But it's complicated, and so there's work that can be done to make that easier to consume.

But could I ask, in terms of the US government looking at the open source ecosystem: it seems like there was a point where, at least, Europe asked for input. You can't say that the Commission didn't ask for input. There was a public consultation, it was all there, and there were, as we heard at a workshop yesterday, very few stakeholders, organizations, that raised open source concerns. Is it enough with the open source ecosystem to simply have an open consultation, or does the government need to change to some extent?

A few comments on that. I do not intend this to be a criticism of my European counterparts, but I have heard, since I was not part of any response to the initial request for input on the CRA, I can't speak for myself, but I've heard from colleagues that the word open source, and even the word software, wasn't mentioned in it, in the earliest one. Again, I'm going by hearsay. But it is concerning that there were only two responses about open source. I agree, I don't know why. The US government, ONCD, published an RFI last year. We had a hundred and thirty responses, give or take, a hundred and fifteen about open source security. So I don't know why. I'm fishing for an answer here. What are you building at CISA? What am I building at CISA? Stuff.

Honestly, can I intervene at this point on the two responses?
I mean, it's like, and I think that was one of the pleas that Lorena made, is that the Commission cannot go and build an open source community which would then respond to the Commission's request for comments. You need to build it. So, you know, I'm dealing with tech and cybersecurity daily; I have much more responses from the other side of the pond, from the United States, than I have from the European community. So I mean, and again, I think it's not on the Commission. It's really on us in this room to ask: why is that? I mean, if I have a certification conference and there are 2,000 participants and 1,500 participants are Americans, why is that? So I think it's our own ability to be proactive in these matters.

Okay, part of the fact is that a lot of this software development happens on the other side of the pond, and I also see, and, greatly, but it's not on Lorena. I also see and admire and have been learning from the amount of engagement from the public sector in Europe. You have, what, about a hundred OSPOs now across the Union? I think we have two in the US, maybe four; it's less than ten that I'm aware of. So there is a great deal more engagement on the public sector side that I'm observing and trying to take knowledge from and bring it back into my organization and spread it across the civilian executive branch. And to clarify your question about what is CISA building: perhaps I should clarify what CISA does. We work in the federal civilian executive branch, so no work on military, secret, none of that. We are here to help secure public sector infrastructure and government infrastructure on the civilian side. So we published last September an open source roadmap for CISA's work. This is effectively the public statement of what we're building for the next couple of years. Among the various steps, there is piloting, developing guidance on how to build federal OSPOs.
We're trying to stand one up ourselves, thank you, and trying to evangelize and be a resource for other federal agencies that want to build an OSPO. We're also trying to study the prevalence of open source usage, both directly and within commercial products, across the federal civilian branch and in critical infrastructure sectors. We don't have that data yet. I know, from having worked in the private sector for most of my career, even most companies don't have a clear, complete analysis of the open source composition of every product they've bought, right? This is breaking new ground for many of us. SBOMs are a step towards breaking that ground.

But here I think, Omkar, you're in a very good seat too. I can't think of anyone who has spoken to probably more companies and governments about exactly these questions in the last couple of years. How would you reflect on your different experiences, let's say in different geographies? How are governments engaging with open source communities? But also, how are open source communities, including the one that you're working with, engaging with governments, and what is it looking like?

It's a great question. I'll first start by acknowledging some truths that we can all agree on. Open source is a public good. It's not an American good, it's not a European good, it's not an Asian good. It's a public good, full stop. And the second truth is, and I've only been doing this for 20 years, so if somebody knows differently, please tell me: security is hard. It is really hard to get right, and I've worked on this both in large commercial entities, many of whom are present here, as well as the open source community. And full stop, it doesn't matter how you do software development; it is incredibly difficult. Policy-making is incredibly difficult. I'm a software engineer; I identify as a software engineer that's been doing security for a long time. Your world is incredibly difficult as well.
You have to navigate through trade agreements that may have been set up a hundred years ago and try and find a path forward. But I think this really comes down to two topics: the what and the how. The what: we want to make things secure. But let's add another truth to this. There are many organizations, billions, some even in the trillion-dollar range, that are fully compliant and have been breached. Right? So even if we find the absolute perfect standard, people will comply with it, and the security property that we're seeking may not be there. But if we put that aside, that imperfection, and really regard it as a principle or goal that we will eventually attain, I think the how is really important. Within the OpenSSF we are trying to facilitate that discussion with open source stakeholders, with public sectors such as yourselves. In fact, we're in the stages of planning a conference later this year in which we hope to bring together both policy makers as well as open source contributors and the private sector. Because, being a public good, the stewardship of open source is really a combination of public sector, private sector, and most of all our community, and by bringing those resources together and acting as facilitators that translate, it's not going to be the individual developer. And I'm particularly passionate about this. I'm one of those weird guys that still writes code; like, some of my Christmas vacation was spent filing pull requests, and when I think about this, I'm like, what if there's a vulnerability in it? Well, somebody's gonna have to figure that out.
We do have to figure that out, but by bringing everybody together and having that dialogue, and helping to bridge between a policymaker that may not be a trained software engineer and a software engineer that certainly knows a little about policy, I think we can ameliorate and find the middle ground. To speak a little bit about some of the work that we've done with Aeva's agency: one of the interesting things we're working on is what does happen. So there's the runc vulnerability. Aeva and I spoke about that because we were friends a couple of weeks ago. That's not scalable, right? And we need to figure out a way of doing that, and I think you've got some work coming up that should help, in terms of tabletops, etc. Way to spill the beans. Whoopsie. But in general, it's bringing everyone to the table, right? And I think it's very easy, especially when we're under the pressure of really bad actors that are out there, that there's a natural tendency to worry, to enclose, to kind of constrict and stay within. If we can find the right forums in which to engage proactively, whether it's runc, whether it's Log4j, whether it's whatever's gonna come up next, there's gonna be something that's gonna happen next, we need to be prepared and ready. And the more that we kind of tear down the, I'll say, the borders of self-interest in that pursuit, I think the better we'll be. I also really applaud not just legislating stuff, and I think both Fiona's work as well as Aeva's work speak to this, but working with the community. Like, when we think about open source development, it's not like when my team was writing code at Google. It is completely distributed. We can't just insert something into the software development life cycle and say, aha, secure. And some of the creative ways that we're doing that with our partners is by looking at things like software repositories, where is the software being held, through software like OpenSSF Scorecard, that helps, as Juhan was saying earlier:
Well, how do I know the software that I'm consuming is secure? The OpenSSF Scorecard provides a report card that allows you to see that. It may not be objectively secure, but it allows you, as the one taking that dependency, to understand how you're going to manage the risk.

And here I feel like there's the thing that we're used to: I'll tee up some of the discussion questions, and we're essentially out of time, so I think we'll have to continue discussions after this. But OFE, as my organization, we're in a peculiar position, because we work with the policy of open technologies, so, trust me, sometimes it's hard to get a hold of the right people in the open-source community to get the input. We know this as well. But there is this classic metaphor of open source: the cathedral and the bazaar. And we really feel like this applies to the political and policy discussions of open-source-related questions as well. Here there is a cathedral-like element of the Commission and the way the EU multi-stakeholder system works, and there is an undeniable bazaar quality to how open source is being developed, created, talked about and discussed in political circles. And the question here is perhaps: what could we do immediately, now, because we share the goals of security, to just bring the bazaar and the cathedral closer to each other? Because they are there building OSPOs, we heard. There are calls for proposals to build tools. And just to end, starting with you, Omkar, randomly: what can you think of that we could do, starting almost now, just to bridge the cathedral and the bazaar?

Let's presume good intent. And I know, as a technologist, it sounds really odd for me not to come up with a technical solution, but I think, to credit especially a point that Eva had made earlier, the open-source community is about trust. It's about safety. It's about the public good. So, starting with an assumption of good intent:
I know the CRA was created with good intent. I know our communities operate with good intent. And while, to get back to my bifurcation of what versus how, the how might seem quite foreign, I think trying to find that middle ground where we can have these discussions and continue to evolve both the maturity of how security is applied to open source as well as how governments support and understand open source, I think, is the best first step that we can take.

Fiona?

It's a bit complicated, maybe. Let me elaborate really quickly. Do not forget how this field is comprised. We're talking about open-source developers. They don't get paid eight hours a day for the twelve hours a day they spend, beside their other job, fixing critical security issues. So I think there are some quick fixes, and there are things that we can do now. I would love to see next year more maintainers in the room, maintainers on the stage, including maintainers and their reality in our considerations. But there's a systemic issue. So, open-source developers: we are often talking about them, or open-source people, maintainers, as if they were some homogeneous mass. But it's not. There are huge organizations, super well organized. There are large organizations with hundreds of people. There are small intermediate organizations and foundations who represent people. There are small teams. There are volunteers. There are stressed-out one-person teams who are working on this thing on their weekend, some of them, you know, as a hobby, some of them because they have to, because there's literally no one else doing it. So who do we expect to submit a long response if they are not organized yet?
So there are some systemic issues in the field that I think we have to acknowledge and realize, and come up with support mechanisms in any direction: for participating in policy discussions, for supporting their work, financing them, issuing the communities with the resources they need, that cater to the diversity of actors that we have in the field. Maybe we need a fellowship for maintainers to do policy work, for them to learn this stuff, because it's hard, it's difficult. But we cannot... it's not like a faucet we can turn on and off. Even then, just like this, there are not a lot of people, and the amount of people and the diversity of people has definitely diminished over the last couple of years, especially via COVID. So who do we expect to be able and ready to contribute and read this entire thing? Just so, full circle: I think there are some systemic issues that we have to acknowledge and realize, and then we have to build up and hone this community and ecosystem and see it as a whole in order to get something out.

Eva, last words: that quick fix, and you're allowed to say a long-term fix as well.

I think there's a lot of opportunity for governments to work to support this ecosystem. It is different than business. To all the previous comments: it is a largely volunteer-driven and corporate-driven, and hopefully now also public-sector-driven, collaboration on software. But we need to work towards building more measurements in how we trust the software we're consuming, and enabling people to also make those assessments.
I think the long-term solutions are harder, when we need them also in the short term.

You want...?

Yeah, I wish I would have taken my pen to write all these good ideas down, actually. There are a few things that I've heard that I very much agree on. I think one is... actually, I don't agree with your example of the cathedral and the bazaar, because it's kind of, I think it's more about, you know, on one hand you have a scripture-based, very monotheistic religion, and on the other hand you have very free and open and a bit more... that stuff. I think we need to acknowledge the heterogeneity of this community, and I think, you know, you were right. I mean, it's not that there is a single... it's a very diverse open-source community. There are different roles in the open-source community, there are different drivers in the open-source community, and I think that also needs to be acknowledged. And if you build up something as a partner, let's say for policy makers, for policy implementers, probably it's not going to be one.
It's gonna be several layers. And I think that's also something that we need to acknowledge, that we need to accept as public bodies: that it is going to be, also in the future, a very heterogeneous, very dynamic, very quickly changing community, and not so much wish that we could shape it in a way that makes it easier for us to have a negotiation with. I think that's also something that we need to learn how to do. And in this vein, I think there is also a lot we can do as public bodies in order to translate and interpret the stuff that we already have, so that it would be useful for the open-source community, understandable, applicable. And there, actually, I'm looking very much at the very good work that CISA and NIST have been doing over the past 10 years in developing kind of not strict standards, but more like frameworks that you can use. And I think that's something that we, as Europe, can draw some lessons from. And I know that we have an ongoing cyber dialogue with the US, and I hope that in this framework we can also find new approaches in our continent.

The last words of the panel.

I'm very optimistic, because it is true, and I have to acknowledge, that there are parts of the Commission... the Commission is a big thing. I will not call it a cathedral, but it's a big entity. And there are parts of the Commission that work very closely with the open-source community: our colleagues from DIGIT. I mean, in the Commission we even have an open-source programme office.
So there is really this culture in certain parts of the house. Now, in my little part of the house, it is true that we have had a tendency often to engage with those whom we will regulate. And it is true that before the CRA was even thought of, I mean, who on earth was thinking of regulating software at all? And then suddenly we dared and said, OK, we are going to do it, we are going to make sure that we regulate software as well. And then suddenly you discover plenty of communities you are not used to engaging with. So my positive part is that now we have discovered you. Basically, we had to. We have learned that, basically, at the beginning we didn't even know how to talk. Now I think that, honestly, on your side, maybe you've learned that you maybe need to be organized differently; you need to reach what you call the cathedral. But also on our side: maybe we don't need to talk to you only for the purposes of how we are going to regulate you, but there's a lot of talk and engagement that needs to be done to ensure security completely outside legislation. And I think that the implementation phase now gives us this chance, because we will not have the choice. We will need to organize ourselves. On that, I must say it's good I'm sitting next to you, and I didn't have lunch with him, that we will do it together, because you were comparing me to CISA. But I don't compare myself to CISA; maybe DHS, but not... we are not an agency. So for this phase of more direct engagement, we will need to do it together with ENISA.

I have to say I share this optimism as well. So thank you very much, all panelists. Looking forward to continuing this discussion this afternoon.