Just over 20 years ago, the European Union (EU) founded ENISA, the EU Agency for Cybersecurity. Over the years, ENISA's role has grown significantly, and the EU now seeks to revise ENISA's mandate by updating the Cybersecurity Act. The Open Source Initiative (OSI) has provided feedback on what changes can be made to keep Europe safer and advance Open Source.
The revision of ENISA's mandate is timely: as the world, and the Open Source community with it, faces geopolitical uncertainty and increasingly frequent cyber attacks, in particular state-backed attacks, fostering stronger cybersecurity has never been more important.
ENISA’s work has historically involved providing vulnerability reporting, product certification (in particular for the cloud), documentation, resources, and advice for European governments, citizens and businesses. It also has a coordinating role in cross-border cybersecurity incidents.
Providing vital cybersecurity resources
In its feedback, the OSI commended ENISA on the resources it provides, in particular to businesses and citizens. We support the decision to publish all their work, including advice and reports under Open Content licenses, and particularly commend their IRTOOLS repository which lists hundreds of useful Open Source cybersecurity tools for citizens and businesses to deploy.
We are only ever as secure as the most vulnerable part of the stack, which is why it is so vital that we democratize access to cybersecurity, and help everyone, from individual citizens to small businesses, benefit from cybersecurity advice and solutions. We believe that Open Source is the greatest driver of this democratization, and we recommend that the EU ensure ENISA can continue and expand this vital activity.
Vulnerability reporting challenges
The OSI also commended ENISA for developing its European vulnerability reporting system. In times of geopolitical uncertainty, we accept that relying on a single organization to provide vulnerability reporting and classification globally is a risk, especially when that organization depends on funding from a single government.
However, OSI highlighted some concerns over the lack of alignment with the existing MITRE CVE system. It is vital now that vulnerability databases collaborate and work together, not in spite of geopolitical uncertainty, but because of it. Hence, we called on ENISA to work on aligning its database with the existing MITRE CVE database, and to collaborate closely with them in developing a federated vulnerability reporting solution. We believe this is the best way to ensure the resilience of such a vital piece of digital infrastructure.
Funding to secure key Open Source solutions
Finally, in line with our support of the EU Sovereign Tech Fund proposal, and to ensure that widely used Open Source projects remain sustainable and secure, we called on the EU to give ENISA funding to support security audits, pentesting, and bug bounties for Open Source projects and components that are heavily used by European public authorities and companies.
The OSI will continue its efforts in Europe and around the world to support the sustainability of Open Source projects. Like what we do? You can support our work by becoming a member.
Source: opensource.org