Jennifer Tridgell
Jennifer is an independent legal consultant and PhD Candidate (International Law x Computer Science) at the University of Cambridge as a World Ramsay Scholar. She researches global governance of open-source software. An experienced Australian public international lawyer, she has advised on a broad range of matters at the intersection of technology, human rights and policy, including for public and private sectors. She has worked as Senior Legal Advisor to the UN Special Rapporteur on Freedom of Religion or Belief, for leading international law firms and served on the International Law Association’s Global Board. Jennifer holds an LLM and BA/LLB (Hons.).
Sessions
Today, a timely and critical debate is emerging on Governments’ role in governing free and open-source software (FOSS) cybersecurity. Often, they have centred FOSS as a tool for ‘digital sovereignty,’ driving competition, innovation and interoperability. Budgets, policies and regulations are shifting, whether mainstreaming FOSS or institutional experimentation. China has embedded FOSS within its Five-Year Plan. The EU’s Cyber Resilience Act introduces the novel category of ‘FOSS stewards.’ Highlighting the successes of Germany’s Sovereign Tech Agency, advocates seek an EU-wide fund for FOSS maintenance.
The political, economic and social case for public investment in FOSS maintenance, including for cybersecurity reasons, is obvious. FOSS is ubiquitous and, unsurprisingly, the world’s most widespread and serious cybersecurity incidents have arisen from its vulnerabilities (e.g. Log4j, Heartbleed). Without action, a ‘tragedy of the digital commons’ persists.
Instead, what attracts more controversy are legal and policy regulations beyond fiscal support, where different restrictions and requirements are potentially imposed upon FOSS contributors. FOSS’ open and collaborative nature means that divergent domestic and regional approaches may risk its fragmentation and, thereby, even prove counterproductive for the pursuit of (perceived) sovereign interest.
Encouraging an evidence-based approach for policy development and digital diplomacy, this article undertakes a ‘big picture’ comparative analysis of FOSS cybersecurity policy and regulation from the EU, China and USA. Firstly, it charts the motivating principles and rhetoric behind their embrace (or lack thereof) of FOSS cybersecurity, characterising their respective approaches as rights- and consumer-protection-driven, State-controlled and market-based. Secondly, it compares key structures, features and tools of those major powers’ cybersecurity policies and regulations involving FOSS, to evaluate compatibility. Finally, it offers reflections, for the FOSS community and policymakers alike, on different avenues for building bridges between regulatory islands as they navigate these uncertain times.
This feasibility study reveals deep pockets of political will and momentum for the establishment of an EU Sovereign Tech Fund (EU-STF). It draws on conversations with two dozen policymakers, technologists, and advocates, as well as extensive economic and legal analysis.
Chronic under-investment in open source technologies creates systemic risks, exposing Europe to (amongst other things) cybersecurity threats, supply chain vulnerabilities, and strategic dependencies on non-European technology providers. Maintaining, securing, and improving existing open source technologies to meet the EU’s public and industrial goals requires policymakers to understand the logics underpinning the failure to invest in the maintenance of open source technologies as open digital infrastructure, so that public policy can be prioritised towards unlocking the financial and non-financial resources that support the open source ecosystem.
The EU-STF is envisioned as a scaled-up, pan-European, and mission-driven initiative with a proposed budget of at least EUR €350 million over seven years to invest in the maintenance, security, and improvement of key open source components, as well as to help identify and map dependencies and to invest in ecosystem-strengthening activities. It is vital that the EU-STF embodies some key principles (many of which have made the German Sovereign Tech Agency successful): pooled financing, low bureaucracy, political independence, flexible funding, community focus, strategic alignment, and transparency. Two active budgetary scenarios are worth considering for the EU-STF: (1) a standalone and centralised fund (e.g. a new funding body created by legislation and set aside via the MFF negotiations), and (2) a hybrid/shared management structure (such as leveraging established EU institutional frameworks like the EDIC that allow for pooled contributions of Member States alongside EU funding, and even industry co-financing).