EU lawmakers finalize cyber security rules that panicked open source devs

December 4, 2023 at 01:08AM

The EU’s Cyber Resilience Act (CRA), which imposes cyber security requirements on hardware and software products sold in the EU, is poised for final approval. Open source software developed or supplied non-commercially is exempt under the final text. Manufacturers have three years to comply or face fines. Separately, critical vulnerabilities in several widely used software products were patched, a US federal judge blocked Montana’s TikTok ban on First Amendment grounds, and nearly two million sets of employee data were exposed in a breach affecting Dollar Tree and Family Dollar.

**Meeting Takeaways:**

1. **Cyber Resilience Act for EU**:
– The EU Parliament and Council have reached agreement on the Cyber Resilience Act (CRA).
– It mandates cybersecurity requirements for hardware and software products placed on the EU market (subject to the exemptions below), with penalties for non-compliance.
– The CRA requires manufacturers to report actively exploited vulnerabilities within 24 hours (an early-warning notification to the designated authorities, not a public disclosure) and to provide security updates for 5 years.

2. **Exemptions and Adjustments**:
– Open source software developed or supplied non-commercially is exempt from the CRA; open source that is supplied commercially remains in scope.
– The latest CRA draft addresses concerns raised by the open source community, provides for better stakeholder involvement, and adds support for micro and small enterprises.

3. **Critical Vulnerabilities Reported**:
– Several critical flaws were reported across different software and technologies, including two rated CVSS 9.8 and 9.1.
– Notable bugs were patched in Google Chrome, OpenZFS, and Apple’s WebKit.

4. **TikTok Ban in Montana Overruled**:
– A US federal judge has blocked Montana’s ban on TikTok, citing First Amendment speech protections.
– Challengers argued that the ban targeted China rather than serving as a consumer protection measure.

5. **Data Breach at Dollar Store Chains**:
– Dollar Tree and Family Dollar suffered a data breach through a third-party vendor, Zeroed-In Technologies, potentially exposing nearly 2 million sets of employee data.
– The breach occurred in August, but details have not been fully clarified, including exactly which data was accessed.

**Actions to Consider**:
– Hardware and software manufacturers need to align with the new CRA requirements within the 36-month timeframe, including the 24-hour reporting obligation for actively exploited vulnerabilities and the 5-year security update commitment.
– Open source maintainers can be advised that they are exempt from the CRA only if the software is developed or supplied non-commercially; maintainers of commercially supplied open source remain in scope.
– IT teams should review and apply security patches for the affected products, in particular the Google Chrome, OpenZFS, and Apple WebKit fixes, prioritizing the CVSS 9.8 and 9.1 flaws.
– Entities using TikTok in Montana can continue the status quo pending potential appeals.
– Dollar Tree, Family Dollar, and possibly other Zeroed-In Technologies clients should assess the breach’s impact and take precautionary measures, since the scope of the accessed data is not yet clear.