Webinar

The EU's Efforts to Secure Open Source Software

  • Oct 8 2022
  • 37 mins
  • Security, Open Source, Regulations

Things you’ll learn

  • EU cybersecurity regulations
  • Software supply chain risks
  • Incident response and mitigation strategies

Speakers

Ciara Carey
Developer Relations, Cloudsmith

Summary

OSS is incredibly positive - without projects like Docker, Kubernetes, Debian, NGINX, Apache, or others, technological innovation would be painfully slow. Its innovation, ease of use, and zero cost meant that nearly every piece of software contains OSS. OSS is everywhere, including data centres, hospitals, e-commerce, phone networks, mobile devices, and power stations. Last year, the White House issued an Executive Order after the fallout of SolarWinds. This kickstarted the use of SBOMs, a flurry of new projects to protect the supply chain, and the rise of OpenSSF.

  • How has the EU responded to critical threats in OSS?
  • Are the threats to the EU different from the USA?
  • The EU is not 1 country but is made up of 27 countries. How does this affect change?
  • Let’s look at Ireland as an example country in the EU and how it is affected by threats to the OSS supply chain and how the EU helps.

Transcript

  1. 00:00:00
    Ciara Carey
    So thanks everybody for coming today. Um, I'm actually from Dublin, so I'm really delighted that the OS summit is hosted here. So today I'm going to talk about the EU efforts to secure open source software.
  2. 00:00:21
    Ciara Carey
    So I'm Ciara Carey. I work in developer relations at Cloudsmith. And before that I was a software engineer for over 10 years. So I kind of got into the software supply chain starting in Cloudsmith. It's an artifact repository. So it deals a lot with, um, it has a lot of information about how your artifacts are built, and signatures, and metadata, and all that kind of stuff.
  3. 00:00:46
    Ciara Carey
    And working in developer relations, I have to research and write about the software supply chain a lot. And this brought me on to the topic of... supply chain, um, software supply chain and software supply chain security. And when researching it, I keep on hearing about what the U.S. is doing, their executive order, their work on SBOMs, stuff like that.
  4. 00:01:10
    Ciara Carey
    And as an EU citizen, I want to know what the EU is doing to secure open source software. So that's where I came from. I want to know, um, yeah, what the EU is doing for open source security, where the gaps are, and what can be done to drive the EU to action.
  5. 00:01:31
    Ciara Carey
    So our agenda today, I'm going to start with open source software supply chain, a definition on that, I hope you haven't had too many definitions. I'm probably going to show that same image. Um, so then I'm going to go on to why should the EU care about open source security. The U.S.'s response and the EU's
  6. 00:01:52
    Ciara Carey
    response, and then I'm going to talk about my hopes for the future on EU's policies on open source software. I'm going to finish with what we can do to influence the EU to take, to take greater action on open source security. So the only, um, direct funding of security for open source was initiated by these two MEPs, Andersson and Reda.
  7. 00:02:20
    Ciara Carey
    And in 2014, after the Heartbleed, um, critical vulnerability in OpenSSL. So that's the only funding that has gone towards securing open source software and that was started from a, like, political, from a political point of view, from these MEPs. And so I think, although the EU should care about open source software, um, we should try to influence it to care about open source software with, um, and by contact, I mean get political, basically.
  8. 00:02:54
    Ciara Carey
    So this is the image, it's like, probably seen it ten times on the stock. So, open source is really positive. Without projects like Kubernetes, Debian, Nginx, innovation would be painfully slow. Between 70 and 80 percent of code contains open source software in their dependencies. And a massive part of securing your software supply chain requires securing open source software.
  9. 00:03:23
    Ciara Carey
    And a lot of like critical infrastructure in the EU contains open source, obviously. Because wherever there's software, there's open source.
  10. 00:03:32
    Ciara Carey
    So, uh, your software supply chain contains all the, um, the steps involved in creating your software. And a big part of that is your third party dependencies, which are likely to be open source. The types of attacks you see on open source tend to, um, attack vulnerabilities existing in your open source dependencies, like, uh, Heartbleed, or, um, the, the one in December, Log4Shell.
  11. 00:04:02
    Ciara Carey
    And another way is by attacking, attacking the mechanism for how you consume that open source. So by attacking, like, we usually consume it from a public repository like PyPI, NPM, that kind of thing. By attacking that mechanism using typosquatting or dependency confusion, you can, um, attack the supply chain.
  12. 00:04:28
    Ciara Carey
    And the end result is similar to all cyber attacks. You get access to customers' data or your own data or information that you don't want to let out.
  13. 00:04:41
    Ciara Carey
    So last year, during the height of the pandemic, there was a cyber attack on the Irish health care system. Like doctors and nurses walked into hospitals and they were presented with like a blank screen and they had to go back to pen and paper. Cancer patients had to stop treatment. It like, it was over a hundred million in damage.
  14. 00:05:02
    Ciara Carey
    Even though they didn't pay the ransomware and they got the decryption keys back. I don't know exactly what happened there but, um, the damage was done. So why should the EU care about cyberattacks? This attack on the Irish healthcare system, it's not like an incident, it's a trend. There was an attack last month on a French hospital, and patients had to go elsewhere.
  15. 00:05:27
    Ciara Carey
    And other critical systems are being attacked by cybercriminals or state actors. Pipelines, governments, water, have all been attacked. And this has stepped up since the war in Ukraine. So Russia has turned off EU's main source of gas. If they also launched a cyber attack on other sources of energy, it'd be an absolute disaster.
  16. 00:05:51
    Ciara Carey
    So European citizens should be protected from attacks on systems that they rely on. And although the EU member states themselves bear the prime responsibility for countering attacks, these threats can be better addressed with a coordinated response at EU level. Also, the EU is striving to be a leader in cyber security.
  17. 00:06:16
    Ciara Carey
    It has moved to, um, it has moved to improve the cyber security in member states and it recently passed another directive in parliament to improve the overall security of member states. NIS 2 replaced NIS 1, or NIS. And Ursula von der Leyen, the president of the European Commission, during her State of the Union address last year, said the EU should strive to become a leader in cyber security.
  18. 00:06:41
    Ciara Carey
    So she had her, um, her 2022 State of the Union Address this year. So she did mention digitalization, but there was a bit less about cyber security, because they were pretty busy about Ukraine. We're still up there.
  19. 00:06:58
    Ciara Carey
    So why should the EU care about open source security in particular? They care about cyber security, but what about open source security? So, open source software supply chain attacks are one of the avenues of attack for a cyber, cyber attack. And they're on the rise. Aqua Security's Argon experts found that software supply chain attacks grew by more than 300 percent in 2021 compared to 2020.
  20. 00:07:26
    Ciara Carey
    I saw another report by, um, Sonatype Nexus, which has said 600 percent but I was scared because that seemed a lot. So I went, I wrote this 300 percent is scary anyway. So, but 600, it's too much for me. So there is also, um, an incident response report by Palo Alto incident responders. Those are the guys you send in after you've had a, a cyber attack and you're like, Ah, how do I get out of this?
  21. 00:07:53
    Ciara Carey
    And they, um, figure out where you're, where you were, where was the access point of attack, and clean everything up. And their 2022 report, they analyzed over 600 incidents, and, um, over the last year, and they found that vulnerabilities in software were the suspected initial access vector in 31 percent of cases, second only to phishing.
  22. 00:08:19
    Ciara Carey
    So not all of those 31 percent were open source vulnerabilities. But, um, the second most common vulnerability as a point of attack was Log4Shell. So this was released in July and, like, um, Log4Shell was only in December. So, that seems like a lot. So, we can all agree it's a problem. So, again, why should the EU care about open source software?
  23. 00:08:47
    Ciara Carey
    The EU is actually aware of threats from supply chain, supply chain attacks. The European Union Agency for Cyber Security, ENISA, their 2021 threat landscape report included cyber chain, cyber supply chain attacks. And they also conducted an in depth study in 2021, analyzing 24 software supply chain attacks from around the world, including SolarWinds and all those ones.
  24. 00:09:16
    Ciara Carey
    So the EU wants to be a leader in cyber security, supply chain attacks are increasing. So the EU needs to address open source security as one of the main avenues into a supply chain attack.
  25. 00:09:33
    Ciara Carey
    So I'm going to sort of be comparing, like I'm only going to go over the US response slightly. But is it even fair to compare the US and the EU and how they respond to, um, open source security? Well, there's huge big differences, you know, political structures, we have, we don't really have that executive branch that can just do things like the U.S.
  26. 00:09:54
    Ciara Carey
    can. And member states are their own country. There's loads of different languages. And the U.S. federal government has control over more areas of, of um, than the EU does. Like the military and health. But I think it's kind of fair. I think it's fair. They have similar sizes, values, and cyber threats to your critical infrastructure.
  27. 00:10:20
    Ciara Carey
    And they have similar threats to their critical infrastructure and their citizens. And also the EU and the US, they have similar sticks and carrots. They have like, you know, a big bag of money for refunding. And they also have fines available. So, um, their responses can be quite similar.
  28. 00:10:39
    Ciara Carey
    Yeah, so, um, let's compare them on their SBOMs, vulnerabilities, training and awareness. So we'll start with the U.S.
  29. 00:10:54
    Ciara Carey
    So after the SolarWinds attack, um, the, um, U.S., they, they published this executive order to improve cyber security of software supply chain attacks in May of last year. And it really signaled the importance of SBOMs. That executive order was, for me, I thought it was quite, um, it, with the team that wrote that really understood how software was built, and how important open source was to software.
  30. 00:11:21
    Ciara Carey
    They, and they didn't do what maybe other organizations would do and say, Oh, we have to take open source out of all our software systems and only use proprietary, um, and commercial software. They understood that open source, by being more transparent, has the potential to be more secure than commercial software.
  31. 00:11:45
    Ciara Carey
    But there needs to be steps to make it more, um, um, transparent and secure to use. So, on SBOMs, they came up with the standardization, the minimum elements of an SBOM. And there is a proposal which will, uh, for, for the, any software sold to the U.S. government to, um, contain an SBOM. There's also been a lot of work on promoting the idea of SBOMs.
  32. 00:12:15
    Ciara Carey
    Oh, and did I explain SBOMs? Because they're Software Bill of Materials, so it's like an ingredient list for your product, and a lot of that ingredient list will be open source software. So it's about telling, he's been holding, this, this, um, Alan Friedman from CISA, he's been, um, writing about SBOMs, talking to people about SBOMs, and being a real evangelist.
  33. 00:12:39
    Ciara Carey
    For the use of them.
  34. 00:12:43
    Ciara Carey
    On vulnerabilities, um, the U.S. has, like, existing infrastructure on dealing with vulnerabilities that is, like, more, like, more advanced, more mature than the EU's. So they have the National Vulnerability Database, that's actually hosted by a U.S. institution. And they have, like, a Vulnerability Disclosure Policy as well.
  35. 00:13:05
    Ciara Carey
    But last year they set up a new Bug Bounty Program, um, for the Department of Homeland, and as well as expecting an SBOM with any software sold to the U.S., they also expect the software to not have any vulnerabilities unless there's mitigating circumstances or, um, reasons why you're not vulnerable.
  36. 00:13:31
    Ciara Carey
    On the training front this year, there was a bill to train federal employees on software supply chain security, especially people purchasing software. Because that's, when you're buying software, you have so much power in bringing new open source into your system. So, um, that's really important. And last week, the National Security Agency partnered with other agencies to release a report, a report entitled Securing Software Supply Chain for Developers.
  37. 00:14:04
    Ciara Carey
    And it had some practical ways for developers to, um, write secure code, including when, um, how to bring dependencies into your code. But the place where the U.S. was really impressive was their awareness. People at the highest levels were talking about open source and open source security and funding the mundane.
  38. 00:14:31
    Ciara Carey
    They're starting with the executive order I talked about. And like, um, then it was also after Log4Shell, they brought in loads of stakeholders into the White House from open source maintainers, they brought in consumers and, um, of, of open source big tech companies and, um, and they brought them all in and like talked about how can we improve the security of open source in particular.
  39. 00:15:00
    Ciara Carey
    Then they held a hearing in the Senate where, like, really impressive people came, more impressive than me, came to talk about, um, Log4Shell and how to prevent another open source vulnerability in the future. Jen Easterly, the head of CISA, talked about Log4Shell being the most serious vulnerability she's ever seen.
  40. 00:15:22
    Ciara Carey
    So they've really brought the awareness to the highest levels of, um, and this, this is not nothing. It's sort of like US's soft power to influence change.
  41. 00:15:37
    Ciara Carey
    So what has the awareness done? Well, there's been lots of, um, there's been announcements about Alpha Omega this week, I think, at this conference. Um, there's the Open Source Software Security Mobilization Plan. There's real money behind these projects. And it's funded by big techs. It's not actually funded by the U.S.
  42. 00:15:56
    Ciara Carey
    government. But it's, um, they've made huge moves to improve open source security, actionable things that they're actually going to do with money behind it. There's also really, um, invigorated work in the area. OpenSSF has like super active working groups talking about open source security. And the amount of contributions from Sigstore, a project on OpenSSF to, um, make signing software simpler.
  43. 00:16:30
    Ciara Carey
    So it's really activated individuals and organizations to solve this huge problem.
  44. 00:16:38
    Ciara Carey
    So before I talk about the EU's response, we'll just, um, give you some background. So the EU in the last few years has, like, had this big push for digitalization and, um, interoperability. And they've talked about it in the State of the Union addresses the last few years. Um, one of the, one of the big legislations around cyber security has been NIS, the network, network, um, information security, something like that.
  45. 00:17:09
    Ciara Carey
    And, um, that came in, that was the first bit of legislation on cyber security. It came in 2016, so it's quite recent. And NIS 2 has just gone through Parliament, it's likely to be, um, published next year. It's a directive. And the aim of it is to increase the minimum level of cyber security in member states.
  46. 00:17:29
    Ciara Carey
    So part of that is they've, um, listed out, they've, the member states have to list out all the private and public organizations that are, um, really important to your, the member states' critical systems and they've put obligations on those, um, organizations or companies. So there has been, um, uh, some criticism on this saying that there's, there's too much of a differentiation between member states.
  47. 00:18:01
    Ciara Carey
    Some member states have taken it really seriously. And they've like listed out all their hospitals and all this kind of thing. But others have barely listed any organization. So there is a huge difference in how member states have reacted to this. And that's because it's a directive. You know, you have to still transpose that into the member states law.
  48. 00:18:25
    Ciara Carey
    But NIS 2 kind of tightened that a bit more than the original NIS. So we should see more alignment over the next few years as it's gonna roll out. There's been a lot of other legislation, like we've all heard of GDPR. And, um, that's implemented. DORA, banking, it's just been published. Um, there's something on AI that's been published.
  49. 00:18:53
    Ciara Carey
    Um, soon to be published, maybe next week, is the Cyber Resilience Act. Um, which should be for IoTs. And that should be, uh, that should have something on supply chain security, but we'll wait, wait for it to be seen. Another thing is that the EU has updated its open source strategy in 2020, and as part of that it opened up an OSPO office in the, um, the EU's basically their IT department.
  50. 00:19:22
    Ciara Carey
    So the OSPO office for the Commission. And they're a real gem. Their whole, um, point is to, um, their ultimate goal is to change the mentality of the EU Commission, to change culture and embrace open source in terms of practices and tools, because people are sometimes afraid to use open source.
  51. 00:19:46
    Ciara Carey
    They don't know if they're allowed. They're, they write software that would be, um, that would be, other people could use, but they don't really know the mechanisms for publishing it, and they, so they've really, um, promoted the open source culture within the EU Commission. And this is headed up by Miguel Diaz Blanco.
  52. 00:20:09
    Ciara Carey
    So now let's talk about the EU's response to securing open source software. So, with respect to cyber, um, SBOMs, the Cyber Resilience Act that I talked about, which should be published soon, will probably mention SBOMs. The Cyber Resilience Act is going to be about IoTs and like, sort of, uh, hardware that's hard to update the software, embedded systems, that kind of thing.
  53. 00:20:37
    Ciara Carey
    And, um, if you look at the feedback, I don't know what's actually going to be in it, but they, I've seen some content around it is about the software supply chain and that kind of thing, and there's, you can see, um, feedback from the public, and that talks about, uh, SBOMs, it talks about SLSA, which is a framework for securely building software.
  54. 00:20:59
    Ciara Carey
    So it'll be interesting to see what's in that.
  55. 00:21:06
    Ciara Carey
    On vulnerabilities, the OSPO office that I talked about, they've created an inventory of all the open source used within the commission. And they've also developed a methodology for, um, for, for prioritizing your inventory, which can be replicated. They've surveyed maintainers of open source, um, software critical to the EU commission, like Apache, um, LibXML,
  56. 00:21:32
    Ciara Carey
    and asked them what they needed to secure their software. And it's kind of what we've all heard. It's, um, we need more funding, we need more contributions. And they specifically asked for help with regard to security and they wanted help from, um, the cyber security, um, agencies and member states, cyber security agencies.
  57. 00:21:55
    Ciara Carey
    On vulnerabilities again, the, um, the directives, NIS and NIS2, that's recently gone to Parliament, they have created a list of critical sectors in the EU, both public and private, and there will be requirements, um, the NIS2 will require these organisations to report security incidents to member states, and now there's a coordinated vulnerability disclosure process across the EU.
  58. 00:22:21
    Ciara Carey
    And as part of that, they'll have a new European Vulnerability Database. So NIS2 should be rolled, like, next year. I think they think it'll be, um, gone through plenary. And then it'll take another 20 months before it's in, um, member states rulebooks.
  59. 00:22:42
    Ciara Carey
    Another thing that they've done on vulnerabilities is, um, the Bug Bounty Program. This started in 2014, by two MEPs, Reda and Andersson, after the Heartbleed vulnerability. So initially it started out as like, um, these two MEPs came to the commission, and they said, um, I'm not going to pass the budget unless you give money towards open source security.
  60. 00:23:09
    Ciara Carey
    And they came up with like, giving one million to, um, um, within the EU Commission itself, but that that would go through, go through open source security. And it started off as an inventory and eventually became, um, bug bounty program and hackathons. And now the OSPO office actually runs both of them. So I think this really illustrates how politics can really move open source security funding and, uh, like knowledge within the EU.
  61. 00:23:45
    Ciara Carey
    On training, the European Cyber Security Agency, ENISA, is dedicated to achieving a high level of cyber security across Europe and helps Europe prepare for cyber security challenges of tomorrow. They hold training days and workshops, but there's nothing specific to supply chain security. ENISA had a 2021 report on supply chain attacks, but they only really touched on how to prevent them, and they barely mentioned open source as, um, a conduit of the attacks.
  62. 00:24:21
    Ciara Carey
    On awareness, after Log4Shell, the US had all these stakeholder meetings, held hearings in the Senate. They have an SBOM evangelist. Um, I don't see that kind of awareness within the EU, uh, bringing in stakeholders and open source security. I couldn't find a hearing in the European Parliament committee on, on Log4Shell or open source security.
  63. 00:24:49
    Ciara Carey
    And maybe that's because the two MEPs I talked about, they haven't, they didn't get elected again since 19. So maybe if they were here for Log4Shell, we'd be seeing more awareness within the EU.
  64. 00:25:04
    Ciara Carey
    So some of the good stuff in the EU on open source security. Um, their bug bounty program has like found hundreds of bugs and fixed them, I hope. Um, the, the EU Commission's OSPO office is a real shining light for, um, not just open source security, but open source culture in general. And I think the new NIS2, uh, vulnerability disclosure infrastructure will, uh, shine a light on vulnerabilities that weren't even disclosed.
  65. 00:25:34
    Ciara Carey
    I think a lot of, um, uh, we don't even know where we are because people just pay the ransomware and then, um, they move on. They don't disclose it to their member state. They don't disclose it to the government. So nobody has, like, an accurate picture on, um, cyber attacks. The bad, um, so, open source maintainers of critical systems are not funded directly to improve security.
  66. 00:26:02
    Ciara Carey
    It would be great to see some funding maybe on, um, I know public repositories now, like PyPI and RubyGems, they're forcing some of their top contributors to have, um, uh, 2FA, which is great for security, but actually, um, supporting that takes a lot of people power and money, like if you're resetting 2FA, you need people to actually look into that and reset it for people.
  67. 00:26:28
    Ciara Carey
    It'd be great if we could, like, if the EU would fund security directly that way, or even, um, fund them by, if a maintainer does an open, does a security course, that they would get money and training behind that. There's lots of different ways to fund them directly, but it is difficult to kind of get money from the EU.
  68. 00:26:51
    Ciara Carey
    Another issue is that Bug Bounty program that I talked about that's really successful. It's been running since 2014. It's not a permanent program, so it could be dropped any minute. The initial sponsors of the program, the two MEPs, they, um, they're not elected again. So they're now, they're looking for new sponsors.
  69. 00:27:08
    Ciara Carey
    They're looking, they're always looking for funding. You know, it would be great if they could just concentrate on the good work that they're doing instead of having to look for funding every, every year. Sometimes, sometimes they're on a three year, um, they have a three year fund, but so permanency would be great.
  70. 00:27:27
    Ciara Carey
    So the OSPO office is only over the EU Commission. So when they're doing an inventory of all the open source, it's only used in the commission. It's nothing to do with critical infrastructure and member states. It would be great to, um, uh, fund OSPO offices within member states or to, um, have ENISA, the cybersecurity agency, have some control over that and an inventory of all the open source would be, um, excellent.
  71. 00:27:55
    Ciara Carey
    You know where to start, you know what you're using, you can make decisions, strategic decisions on that. So another thing is SBOMs weren't mentioned by the NIS and NIS2 directives and they haven't really been mentioned much in. It'd be great to see more training on SBOMs, and maybe NIS3 will, will mention it and maybe ask for critical systems to provide SBOMs when they're, something like that, or maybe they'll, when you're purchasing software, you'll require an SBOM like the US government is looking to do.
  72. 00:28:34
    Ciara Carey
    But at the same time, I suppose the tools around generating and analyzing SBOMs is quite young. So, um, I can understand why they don't want to put that in legislation yet. There's also a lack of training materials and workshops from ENISA. It would, um, be great if they could train maintainers, if they could train, um, software developers working in critical systems, if they could
  73. 00:29:00
    Ciara Carey
    train procurement officers. Um, so all those things would be great. And, um, so open source security needs to be talked more about in ENISA and on committees and MEPs. That awareness that the US is bringing, I'd love to see that in the EU as well.
  74. 00:29:21
    Ciara Carey
    So, what's next for the EU and open source security? Well, um, for ENISA, actually they have, um, advertisements for their security advisory board. They're looking for people to be on their board. And that's ending, like, the end of this month, September, the end of, 30th of September. So if anybody here is like, uh, open source security expert, it'd be great to have that, that knowledge on the cyber security agency in Europe and like really help them understand the problem and invest in it.
  75. 00:30:01
    Ciara Carey
    Um, I'd love for there to be funding available. I know the EU is talking about how it wants digitalization and interoperability, but that all has to be based on a secure system. And a lot of software is based on open source. And for, and for, um, oh, sugar. Oh, sugar. Sorry.
  76. 00:30:36
    Ciara Carey
    It's okay. This happens.
  77. 00:30:42
    Ciara Carey
    Yes. I think I've talked about all that. So what can I do next? I've actually preferred this because I didn't realise I couldn't have my speaker notes. So that was just a fake, fake out, I did that on purpose. So, uh, what can I do next, um, in the, to invest in open source security? So what I was talking about there, I need, I need people to apply, apply to the board for ENISA.
  78. 00:31:08
    Ciara Carey
    And also I want people to ask their MEPs, what are they doing to secure open source software in critical systems? Like I was saying, the only direct funding towards security of open source software has been this Bug Bounty program. Those two MEPs are gone. There hasn't been any MEPs asking for funding in the same way since they left.
  79. 00:31:33
    Ciara Carey
    So we need politicians to understand that problem. Like, during this talk, I, I contacted MEPs. They got back to me. They don't, I'm not like an important person. MEPs do... do want to do the right thing. And if we're not talking to them as an individual or as a community, well then they're probably going to fill that knowledge either with no knowledge or with, like, consultants' idea of what they should do.
  80. 00:31:58
    Ciara Carey
    So, um, I'd love for the open source community to work together to lobby the EU to invest in open source in order to protect critical infrastructure. Like other special interest groups petition their MEPs for attention and funding. And the open source community should do the same. So, um, there's actually, I found out today, there's this program called Digital Compass.
  81. 00:32:22
    Ciara Carey
    Um, the EU is defining and asking for feedback for its digital ambitions for, for 2030. Um, let's make sure that our thoughts are heard too. So Ursula von der Leyen talked about how the EU should strive to become a leader in cyber security. Policies and funding and open source in general and our critical systems specifically are important to the growth, success and security of the EU.
  82. 00:32:49
    Ciara Carey
    So, that's me all done. Any questions?
  83. 00:33:03
    Ciara Carey
    Yeah. Does anyone have any questions? Yeah?
  84. 00:33:15
    Ciara Carey
    Yeah, so I've seen a lot of like interaction between the US and the EU recently on digital matters. They have like, the EU has opened an office in San Francisco, and I think it's mostly still regulation. But, you know, if they're not busy, maybe they could, they could talk about, um, open source could be part of that because a lot of, um, like OpenSSF, it has been working with the U.S.
  85. 00:33:41
    Ciara Carey
    government. It'd be great if the EU also works with them on that mobilization plan. Because all the work that they're going to be doing to improve security for open source in the U.S. will benefit the EU. But there's been other, um, talks of communication with, um, the U.S. and the EU are working on improving, um, digital infrastructure in Africa or something like that.
  86. 00:34:04
    Ciara Carey
    I heard that recently. So there seems to be a few things happening, lining up. Um, so I, I'd love to see them working together. It would be an absolute, it would be so terrible if they came up with their own standard for SBOMs. So, stuff like that would be, would be amazing. Any other questions?
  87. 00:34:28
    Ciara Carey
    Hey.
  88. 00:34:38
    Ciara Carey
    I travelled. Yeah, no, um, so, I think, oh, software supply chain security in general. Um, I think it's how, we just don't know what software we're using. And like, if you don't know what you're using, you're really, you know, setting yourself up for failure. So that's why I think SBOMs are so important. Because if you know where you are, you can make a strategy to incrementally improve.
  89. 00:35:08
    Ciara Carey
    But if you don't know where you are, then you're just like a sitting duck.
  90. 00:35:18
    Ciara Carey
    Hey.
  91. 00:35:30
    Ciara Carey
    Yeah, there's, there's some member states that are like, more advanced than others. Like, um, Germany has an OSPO. Some cities have OSPOs. Uh, it's mostly in departments that have an OSPO. So, um, there, there is OSPOs in, and in, uh, member states. But they don't seem to be, like, at the high, you know, like, they're not, like, like, the Irish government doesn't have an OSPO at that high level.
  92. 00:35:57
    Ciara Carey
    It seems to be, like, in, stuck in departments, or maybe they're not even, um, they don't even call themselves an OSPO. That's it, there is a... There was a talk today about OSPOs in Europe. I was like, oh, I wish I didn't have to know any more information. I've already written my talk. But, um, yeah, they were saying that's where I heard that a lot of, uh, cities have OSPOs.
  93. 00:36:20
    Ciara Carey
    I think the city of Amsterdam has one. Um, open source is, uh, quite good in, in, quite mature in, in some countries like France, Finland, Estonia. Um, and it'd be great to bring that up, too. And I know, um, that Digital Compass, there will be funding going directly to member states once it passes, and it'd be great if part of that could be used to fund, train and like for travel for events to do with hospitals.
  94. 00:36:49
    Ciara Carey
    I'd love that. Yeah.
  95. 00:36:57
    Ciara Carey
    Yeah, so that's it.
  96. 00:37:01
    Ciara Carey
    Thank you.
