Thanks everybody for coming today. I'm actually from Dublin, so I'm really delighted that the Open Source Summit is hosted here. So today I'm going to talk about the EU's efforts to secure open-source software.

So I'm Ciara Carey. I work in developer relations at Cloudsmith, and before that I was a software engineer for over 10 years. So I kind of got into the software supply chain starting at Cloudsmith. It's an artifact repository, so it deals a lot with, it has a lot of information about how your artifacts are built, and signatures and metadata and all that kind of stuff. Working in developer relations, I have to research and write about the software supply chain a lot, and this brought me on to the topic of software supply chain security. When researching it, I keep on hearing about what the US is doing: their executive order, their work on SBOMs, stuff like that. And as an EU citizen I want to know what the EU is doing to secure open-source software, so that's where I came from. I want to know what the EU is doing for open-source security, where the gaps are, and what can be done to drive the EU to action.

So our agenda today: I'm going to start with the open-source software supply chain, a definition of that. I hope you haven't had too many definitions; I'm probably going to show that same image. Then I'm going to go on to: why should the EU care about open-source security?
The US's response and the EU's response, and then I'm going to talk about my hopes for the future of the EU's policies on open-source software. I'm going to finish with what we can do to influence the EU to take greater action on open-source security.

So the only direct funding of security for open-source software was initiated by these two MEPs, Andersson and Reda, in 2014, after the Heartbleed critical vulnerability in OpenSSL. So that's the only funding that has gone towards securing open-source software, and that was started from a political point of view, from these MEPs. And so I think, although the EU should care about open-source software, we should try to influence it to care about open-source software, by contact, and get political, basically.

So this is the image; you've probably seen it ten times at this conference. So open-source is really positive: without projects like Kubernetes, Debian, NGINX, innovation would be painfully slow. Between 70 and 80 percent of code contains open-source software in its dependencies, and a massive part of securing your software supply chain requires securing open-source software, and a lot of critical infrastructure in the EU contains open-source, obviously, because wherever there's software, there's open-source. So your software supply chain contains all the steps involved in creating your software, and a big part of that is your third-party dependencies, which are likely to be open-source. The types of attacks you see on open-source tend to attack vulnerabilities existing in your open-source dependencies, like Heartbleed or the one in December, Log4Shell. Another way is by attacking the mechanism for how you consume that open-source: we usually consume it from a public repository like PyPI, npm, that kind of thing, and by attacking that mechanism, using typosquatting or dependency confusion, you can attack the supply chain. And the end result is similar to all cyber attacks: you get access
to customers' data, or your own data, or information that you don't want to let out.

So last year, during the height of the pandemic, there was a cyber attack on the Irish healthcare system. Doctors and nurses walked into hospitals and they were presented with a blank screen, and they had to go back to pen and paper. Cancer patients had to stop treatment. It was over a hundred million in damage, even though they didn't pay the ransomware and they got the decryption keys back. I don't know exactly what happened there, but the damage was done.

So why should the EU care about cyber attacks? This attack on our healthcare system, it's not like an incident, it's a trend. There was an attack last month on a French hospital and patients had to go elsewhere, and other critical systems are being attacked by cyber criminals or state actors. Pipelines, governments, water have all been attacked, and this has stepped up since the war in Ukraine. So Russia has turned off the EU's main source of gas; if they also launched a cyber attack on other sources of energy, it'd be an absolute disaster. So European citizens should be protected from attacks on systems that they rely on, and although the EU member states themselves bear the prime responsibility for countering attacks, these threats can be better addressed with a coordinated response at EU level.

Also, the EU is striving to be a leader in cyber security. It has moved to improve the cyber security in member states, and it recently passed another directive in Parliament to improve the overall security of member states: NIS 2, to replace NIS 1, or NIS. Ursula von der Leyen, the President of the European Commission, during her State of the Union address last year, said the EU should strive to become a leader in cyber security. So she had her 2022 State of the Union address this year, and she did mention digitalization, but there was a bit less about cyber security, because they were pretty busy about Ukraine. We're still
up there. Still relevant, guys.

So why should the EU care about open-source security in particular? They care about cyber security, but what about open-source security? So open-source software supply chain attacks are one of the avenues of attack for a cyber attack, and they're on the rise. Aqua Security's Argon experts found that software supply chain attacks grew by more than 300 percent in 2021 compared to 2020. I saw another report by Sonatype Nexus which said 600 percent, but I was scared because that seemed a lot. I wrote this 300 percent; it's scary anyway, so if it's 600, it's too much for me.

So there was also an incident response report by Palo Alto incident responders. Those are the guys you send in after you've had a cyber attack and you're like, ah, how do I get out of this? And they figure out where the access point of the attack was and clean everything up. In their 2022 report, they analyzed over 600 incidents over the last year, and they found that vulnerabilities in software were the suspected initial access vector in 31 percent of cases, second only to phishing. So not all of those 31 percent were open-source vulnerabilities, but the second most common vulnerability as a point of attack was Log4Shell. So this was released in July, and Log4Shell was only in December, so that seems like a lot. So we can all agree it's a problem.

So again, why should the EU care about open-source software? The EU is actually aware of threats from supply chain attacks. The European Union Agency for Cybersecurity, ENISA.
Their 2021 threat landscape report included cyber supply chain attacks, and they also conducted an in-depth study in 2021 analyzing 24 software supply chain attacks from around the world, including SolarWinds and all those ones. So the EU wants to be a leader in cyber security, supply chain attacks are increasing, so the EU needs to address open-source security as one of the main avenues into a supply chain attack.

So I'm going to be sort of comparing; I'm only going to go over the US response lightly. But is it even fair to compare the US and the EU and how they respond to open-source security? Well, there are huge differences, you know, political structures. We don't really have that executive branch that can just do things like the US can. Member states are their own countries, there are loads of different languages, and the US federal government has control over more areas than the EU does, like the military and health. But I think it's kind of fair. I think it's fair: they've similar sizes, values, and they've similar threats to their critical infrastructure and their citizens. And also the EU and the US have similar sticks and carrots: they have a big amount of money for funding and they also have fines available. So their responses can be quite similar. Yeah, so let's compare them on their SBOMs, vulnerabilities, training and awareness.

So we'll start with the US. So after the SolarWinds attack, the US published this executive order to improve the cyber security of the software supply chain in May of last year, and it really signaled the importance of SBOMs. That executive order, for me,
I thought it was quite impressive: the team that wrote that really understood how software was built and how important open source was to software. And they didn't do what maybe other organizations would do and say we have to take open source out of all our software systems and only use proprietary and commercial software. They understood that open source, by being more transparent, has the potential to be more secure than commercial software, but there needs to be steps to make it more transparent and secure to use.

So on SBOMs, they came up with the standardization, the minimum elements of an SBOM, and there is a proposal for any software sold to the US government to contain an SBOM. There's also been a lot of work on promoting the idea of SBOMs. Oh, and did I explain SBOMs? They're software bills of materials. So it's like an ingredient list for your product, and a lot of that ingredient list will be open-source software. So, Allan Friedman from CISA, he's been writing about SBOMs, talking to people about SBOMs and being a real evangelist for the use of them.

On vulnerabilities, the US has existing infrastructure on dealing with vulnerabilities that is more advanced, more mature than the EU's. So they have the National Vulnerability Database, that's actually hosted by a US institution, and they have a vulnerability disclosure policy as well. But last year they set up a new bug bounty program for the Department of Homeland Security, and as well as expecting an SBOM with any software sold to the US, they also expect the software to not have any vulnerabilities unless there are mitigating circumstances or reasons why you're not vulnerable.

On the training front, this year,
there was a bill to train federal employees on software supply chain security, especially people purchasing software, because when you're buying software you have so much power in bringing new open source into your system, so that's really important. And last week the National Security Agency partnered with other agencies to release a report entitled Securing the Software Supply Chain for Developers, and it had some practical ways for developers to write secure code, including how to bring dependencies into your code.

But the place where the US was really impressive was their awareness. People at the highest levels were talking about open source and open-source security, and funding the mundane. They're starting with the executive order I talked about, and then, after Log4Shell, they brought loads of stakeholders into the White House: open-source maintainers, they brought in consumers of open source, big tech companies. They brought them all in and talked about how can we improve the security of open source in particular. Then they held a hearing in the Senate where really impressive people, more impressive than me, came to talk about Log4Shell and how to prevent another open-source vulnerability in the future. Jen Easterly, the head of CISA, talked about Log4Shell being the most serious vulnerability she's ever seen. So they really brought the awareness to the highest levels, and this is not nothing; it's sort of like the US's soft power to influence change.

So what has the awareness done? Well, there's been lots of announcements about Alpha-Omega this week, I think at this conference. There's the Open Source Software Security Mobilization Plan. There's real money behind these projects, and it's funded by big techs.
It's not actually funded by the US government, but they've made huge moves to improve open-source security, and actionable things that they're actually going to do, with money behind it. There's also really invigorated work in the area: OpenSSF has super active working groups talking about open-source security, and the amount of contributions to Sigstore, a project on OpenSSF to make signing software simpler. So it's really activated individuals and organizations to solve this huge problem.

So before I talk about the EU's response, just to give you some background. So the EU in the last years has had this big push for digitalization and interoperability, and they've talked about it in the State of the Union addresses the last few years. One of the big legislations around cybersecurity has been NIS, the Network and Information Security directive, something like that. That was the first bit of legislation on cybersecurity; it came in in 2016, so it's quite recent. And NIS 2 has just gone to Parliament, likely to be published next year. It's a directive, and the aim of it is to increase the minimal level of cybersecurity in member states. So part of that is the member states have to list out all the private and public organizations that are really important to the member state's critical systems, and they've put obligations on those organizations or companies. So there has been some criticism of this, saying that there's too much of a differentiation between member states. Some member states have taken it really seriously and they've listed out all their hospitals and all this kind of thing, but others have barely listed any organization. So there is a huge difference in how member states have reacted to this, and that's because it's a directive: you know, you have to still transpose that into the member state's law. But NIS 2 kind of tightened that a bit more than the original NIS.
So we should see more alignment over the next few years as it rolls out. There's been a lot of other legislation, like we've all heard of GDPR, and that's implemented. DORA, banking, is just being published. There's something on AI that's been published, and soon to be published, maybe next week, is this Cyber Resilience Act, which should be for IoTs, and that should have something on supply chain security, but we'll wait for it to be seen.

Another thing is that the EU has updated its open source strategy in 2020, and as part of that it opened up an OSPO office in, basically, the EU's IT department. So the OSPO office for the Commission, they're a real gem. Their whole point, their ultimate goal, is to change the mentality of the EU Commission, to change culture and embrace open source in terms of practices and tools, because people are sometimes afraid to use open source. They don't know if they're allowed. They write software that other people could use, but they don't really know the mechanisms for publishing it and things. So they've really promoted the open source culture within the EU Commission, and this is headed up by Miguel Diaz Blanco.

So now let's talk about the EU's response to securing open-source software. So with respect to SBOMs, the Cyber Resilience Act that I talked about, which should be published soon, will probably mention SBOMs.
The Cyber Resilience Act is going to be about IoTs and sort of hardware that's hard to update the software on, embedded systems, that kind of thing. And if you look at the feedback, I don't know what's actually going to be in it, but I've seen some content around it that is about the software supply chain and that kind of thing, and you can see feedback from the public, and that talks about SBOMs. It talks about SLSA, which is a framework for securely building software. So it'd be interesting to see what's in that.

On vulnerabilities, the OSPO office that I talked about, they've created an inventory of all the open-source software in the Commission, and they've also developed a methodology for prioritizing your inventory, which can be replicated. They've surveyed maintainers of open-source software critical to the EU Commission, like Apache, Lebeck smell, curl, and asked them what they needed to secure their software, and it's kind of what we've all heard: we need more funding, we need more contributions. And they specifically asked for help with regard to security, and they wanted help from the cybersecurity agencies and member states' cybersecurity agencies.

On vulnerabilities again, the directives NIS and NIS 2, that's recently gone to Parliament, they have created a list of critical sectors in the EU, both public and private. There will be requirements; NIS 2 will require these organizations to report security incidents to member states, and now there's a coordinated vulnerability disclosure process across the EU, and as part of that they'll have a new European vulnerability database. So NIS 2 should be rolled out, like, next year.
I think they think it'll have gone through plenary, and then it'll take another 20 months before it's in member states' rule books.

Another thing that they've done on vulnerabilities is the bug bounty program. This started in 2014 by two MEPs, Reda and Andersson, after the Heartbleed vulnerability. So initially it started out as these two MEPs came to the Commission and they said, I'm not going to pass the budget unless you give money towards open-source security, and they came up with giving one million to, within the EU Commission itself, but that would go towards open-source security. And it started off as an inventory and it eventually became a bug bounty program and hackathons, and now the OSPO office actually runs both of them. So I think this really illustrates how politics can really move open-source security funding and knowledge within the EU.

On training, the European cybersecurity agency, ENISA, is dedicated to achieving a high level of cybersecurity across Europe and helps prepare for the cybersecurity challenges of tomorrow. They hold training days and workshops, but there's nothing specific to supply chain security. And ENISA had a 2021 report on supply chain attacks, but they only really touched on how to prevent them, and they barely mentioned open-source as a conduit of the attacks.

On awareness: after Log4Shell, the US had all these stakeholder meetings, held hearings in the Senate.
They have an SBOM evangelist. I don't see that kind of awareness within the EU, bringing in stakeholders on open-source security. I couldn't find a hearing in a European Parliament committee on Log4Shell or open-source security, and maybe that's because the two MEPs I talked about, they didn't get elected again in 2019. So maybe if they were here for Log4Shell, we'd be seeing more awareness within the EU.

So some of the good stuff in the EU on open-source security: their bug bounty program has found hundreds of bugs and fixed them. The EU Commission's OSPO office is a real shining light for not just open-source security, but open-source culture in general. And I think the NIS and NIS 2 vulnerability disclosure infrastructure will shine a light on vulnerabilities that weren't even disclosed. I think a lot of them, we don't even know where we are, because people just pay the ransomware and then they move on. They don't disclose it to their members, they don't disclose it to the government, so nobody has an accurate picture of cyber attacks.

The bad: so open-source maintainers of critical systems are not funded directly to improve security. It'd be great to see some funding. Maybe, I know public repositories now like PyPI and RubyGems, they're forcing some of their top contributors to have 2FA, which is great for security, but actually supporting that takes a lot of people power and money. Like, if you're resetting 2FA, you need people to actually look into that and reset it for people. It'd be great if the EU would fund security directly that way, or even fund them by, if a maintainer does a security course, they would get money and training behind that. There's lots of different ways to fund them directly, but it is difficult to kind of get money from the EU.

Another issue is that bug bounty program that I talked about, that's really successful, it's been running since 2014. It's not a permanent program.
So it could be dropped any minute. The initial sponsors of the program, the two MEPs, they're not elected again, so now they're looking for new sponsors. They're always looking for funding. You know, it'd be great if they could just concentrate on the good work that they're doing instead of having to look for funding every year; sometimes around three years, they have a three-year fund, but permanency would be great.

So the OSPO office is only over the EU Commission, so when they're doing an inventory of all the open source, it's only what's used in the Commission. It's nothing to do with critical infrastructure in member states. It would be great to fund OSPO offices within member states, or to have ENISA, the cyber security agency, have some control over that. And an inventory of all the open source would be excellent: you know where to start, you know what you're using, you can make strategic decisions on that.

So another thing is SBOMs weren't mentioned by NIS and NIS 2, the directives, and they haven't really been mentioned much in ENISA's content. It'd be great to see more training on SBOMs, and maybe NIS 3 will mention it and maybe ask for critical systems to provide SBOMs, something like that, or maybe when you're purchasing software you'll require an SBOM, like the US government is looking to do. But at the same time, I suppose the tooling for generating and analyzing SBOMs is quite young, so I can understand why they don't want to put that in legislation yet.

There's also a lack of training materials and workshops from ENISA. It would be great if they could train maintainers, if they could train software developers working in critical systems, if they could train procurement officers. So all those things would be great, and so open-source security needs to be talked about more by ENISA and on committees and by MEPs. That awareness that the US is bringing, I'd love to see that in the EU as well. So
what's next for the EU and open-source security? Well, for ENISA, actually, they have advertisements for their security advisory board. They're looking for people to be on their board, and that's ending at the end of this month, the 30th of September. So if anybody here is an open-source security expert, it'd be great to have that knowledge on the cyber security agency in Europe and really help them understand the problem and invest in it. I'd love for there to be funding available. I know the EU is talking about how it wants digitalization and interoperability, but that all has to be based on a secure system, and a lot of software is based on open-source, and for...

Oh sugar. Oh sugar. Sorry. It's okay, this happens. I think I've talked... So what can I do next? I actually prepared for this because I didn't realize I couldn't have my speaker notes. So that was just a fake-out, I did that on purpose.

So what can I do next to get the EU to invest in open-source security? So what I was talking about there: I need people to apply to the board for ENISA, and also I want people to ask their MEPs what they are doing to secure open-source software in critical systems. Like I was saying, the only direct funding towards security of open-source software has been this bug bounty program. Those two MEPs are gone. There haven't been any MEPs asking for funding in the same way since they left. So we need politicians to understand that problem. Like, during this talk I contacted MEPs. They got back to me.
They don't... I'm not like an important person. MEPs do want to do the right thing, and if we're not talking to them, as an individual or as a community, well then they're probably going to fill that knowledge either with no knowledge or with consultants' ideas of what they should do. So I'd look for the open-source community to work together to lobby the EU to invest in open-source in order to protect critical infrastructure. Like other special-interest groups petition their MEPs for attention and funding, the open-source community should do the same.

So there's actually, I found out today, there's this program called Digital Compass. The EU is defining and asking for feedback on digital ambitions for 2030. Let's make sure that our thoughts are heard too. So Ursula von der Leyen talked about how the EU should strive to become a leader in cyber security. Policies and funding on open-source in general, and on our critical systems specifically, are important to the growth, success and security of the EU. So that's me all done. Any questions? Does anyone have any questions?

Yeah. Yeah. So I've seen a lot of interaction between the US and the EU recently on digital matters. The EU has opened an office in San Francisco; I think it's mostly still about regulation, but, you know, if they're not busy, maybe they could talk about open source. It could be part of that, because a lot of, like, OpenSSF has been working with the US government. It'd be great if the EU also works with them on that mobilization plan, because all the work that they're going to be doing to improve security for open source in the US will benefit the EU. But there's been other talks of communication with them; the US and the EU are working on improving digital infrastructure in Africa or something, I thought I heard that recently. So there seem to be a few things happening, lining up. So I'd love to see them working together.
It would be so terrible if they came up with their own standard for SBOMs. So stuff like that would be amazing.

Any other questions?

So I think, for software supply chain security in general, I think it's how we just don't know what software we're using, and if you don't know what you're using, you're really, you know, setting yourself up for failure. So that's why I think SBOMs are so important, because if you know where you are, you can make a strategy to incrementally improve. But if you don't know where you are, then you're just a sitting duck.

Yeah, there are some member states that are more advanced than others. Like, Germany has an OSPO; some cities have OSPOs. It's mostly in departments that have an OSPO. So there are OSPOs in member states, but they don't seem to be at the high level, you know; like, the Irish government doesn't have an OSPO at that high level. It seems to be stuck in departments, or maybe they don't even call themselves an OSPO. There is a talk today about OSPOs in Europe. I was like, oh, I wish I didn't have to know any more information, I've already written my talk. But, yeah, they were saying, that's where I heard that a lot of cities have OSPOs. I think the city of Amsterdam has one. Open source is quite good, quite mature, in some countries like France, Finland, Estonia, and it'd be great to bring that up too. And I know with Digital Compass there will be funding going directly to member states once it passes, and it'd be great if part of that could be used to fund training and, like, travel for events to do with OSPOs. I'd love that.

Yeah, yeah, so that's it. Thank you.