WEBVTT

00:00.000 --> 00:14.880
Normally on a panel I would introduce all of the speakers. I think I would rather have

00:14.880 --> 00:21.520
you introduce yourselves and what your position and view is on standardisation and open

00:21.520 --> 00:28.320
source. In the shortest possible time you've got like one sentence or less, which is of

00:28.320 --> 00:34.400
course my standard of saying less than a paragraph. So let me pass that down to you. Hello everyone,

00:34.400 --> 00:39.120
so this is Philippe Molau from DG Connect, the policy officer in the cybersecurity policies unit.

00:39.120 --> 00:44.480
I'm working on the CRA standards and one of the reasons I wanted to join this panel with these

00:44.480 --> 00:50.720
panelists was to show you that even though the current standards that we're developing for

00:50.720 --> 00:55.440
European legislation, these harmonised standards, they now will have to be freely accessible

00:55.440 --> 01:01.680
or at least readable at the end of the process. We know that there's still issues during the standardisation

01:01.680 --> 01:07.280
development process and I wanted to try to give you as much as possible an idea of how it is that

01:07.280 --> 01:11.920
you can participate. Some of the things that we've done from European Commission side to try to make

01:11.920 --> 01:17.600
the voice of open source heard within that process which has been a complicated thing. But hopefully

01:17.600 --> 01:21.600
within the introduction of the panelists you'll see that there have been some ways some people have managed

01:21.600 --> 01:26.000
to get a foothold and that will hopefully help you and give you some inspiration and some

01:26.000 --> 01:30.480
shed some light on how you can make sure that your voice is heard in this process.

01:30.480 --> 01:31.920
Thanks. Thank you.

01:31.920 --> 01:36.080
Could you help me? We have not met you yet today, sir.

01:36.080 --> 01:42.640
Hello, my name is Fukami. I work for the OpenSSF in Brussels and I'm primarily focused on the CRA

01:43.600 --> 01:53.760
and within the work that I do in the foundation, well, I'm not a standardisation expert,

01:54.720 --> 02:03.920
I would say so, but what my foundation does is that we produce tools to help

02:05.280 --> 02:12.560
to help managing and securing the supply chain, and that also includes a lot of best practices

02:12.560 --> 02:22.000
and yeah. Thank you. So my name is Lars. I work for a small startup.

02:22.000 --> 02:26.880
Stecker will no one will refer to it. But I'm also a member of the Apache Software Foundation.

02:26.880 --> 02:32.720
and of OSBA in Germany, the Open Source Business Alliance, and we were in a webinar with

02:32.720 --> 02:37.120
Philip together a year or so ago and he said, well if you want to change anything related to

02:37.120 --> 02:42.160
the CRA, or be involved there, you need to be involved in this standardisation. So it took us about

02:42.160 --> 02:48.800
nine months to get in there, but we are now a member, or I'm a member, of the CEN/CENELEC JTC 13

02:48.800 --> 02:53.200
working group nine working on these standards, and I'm also a member of Ecma International

02:54.160 --> 03:00.400
working on the CycloneDX specification, and a member of this CRA expert group as

03:00.400 --> 03:04.720
well. Yeah. I'm not going to talk about my experiences in standardisation. I think that's coming after the

03:05.040 --> 03:11.760
introduction. Hi folks. So I'm here because I'm interested in both trying to find

03:11.760 --> 03:17.200
pragmatic solutions to make this CRA standardisation process work and also have a longer term

03:17.200 --> 03:24.640
view and trying to fix things at a longer time frame, for standardisation and open source in

03:24.640 --> 03:32.240
Europe and in general make sure that we are able to move towards harmonized compliance across

03:32.240 --> 03:38.960
the different countries so that if you comply with regulations in one place, it also works elsewhere.

03:41.200 --> 03:54.800
I'm a consultant and I have a number of clients, one of which is the open source initiative

03:54.960 --> 04:02.720
for whom I engage in international standards. For them, I'm a member of ETSI, which is one of

04:02.720 --> 04:09.120
the three European standards bodies, but in the past I've also been a member of a number of

04:09.120 --> 04:16.560
other standards activities including video codec standards and I'm also a member of the UK

04:16.640 --> 04:24.000
British Standards Institution's IST/41, which is the mirror committee for ISO's document format standards.

04:25.200 --> 04:31.120
And I've also spent a decade helping to lead the open source initiative so I straddle the line

04:31.120 --> 04:39.760
between open standards and open source and may have views. So the first question that I'd like to

04:39.840 --> 04:49.120
address to the panel is the world of open standards is really quite old. There has been a

04:49.120 --> 04:56.000
form of standards process globally and in Europe for many decades. Do you believe that in an

04:56.000 --> 05:04.560
era where open source software forms 80% of the software that is serving the public that our

05:04.560 --> 05:16.800
standards process is fit for purpose? I'm happy to say no. I am happy to say no.

05:20.480 --> 05:26.640
And I think, I mean, I think everyone agrees that there is,

05:27.600 --> 05:33.520
it's not fit for purpose. I think there was a panel on this Friday at OpenForum

05:33.520 --> 05:41.440
Europe with someone from the Commission who also came forward very openly to say we're trying,

05:41.440 --> 05:48.480
we understand we see the tension and the friction and you know help us help us help you or

05:48.480 --> 05:52.960
whatever this thing is. So I think like no is the you know there's like quite a clear

05:52.960 --> 05:58.160
understanding that like this doesn't work but you know again like what's hardest to make to

05:58.160 --> 06:07.600
figure how to fix it and work together to make it work. So what's friends? I would like to add to

06:07.600 --> 06:17.920
that and dive straight into the CRA issues there. So, how to explain this nicely: the CRA

06:18.880 --> 06:27.200
is within the NLF, the New Legislative Framework. So this is safety, it has a safety,

06:29.440 --> 06:35.760
you know aspect or it comes from safety and when you look at software security it is like more my domain.

06:35.760 --> 06:41.840
I'm a software security professional. You see quickly that there is something that does not really match

06:42.480 --> 06:52.880
in terms of safety standards and security standards: they are actually fairly different

06:52.880 --> 07:00.560
spaces, and also the way how you think about the needs for safety standards. It's a

07:00.560 --> 07:06.080
lot higher than it is for security standards in terms of having one particular way of how

07:06.320 --> 07:13.920
you are supposed to you know make something safe while in security space it's because it's

07:13.920 --> 07:22.880
software so it can be freaking everything. It is a lot more there's a lot more that you might not

07:22.880 --> 07:28.880
even like you know that you can't cover because it's also something that is way more fluid than

07:28.880 --> 07:34.640
than stuff that is in the safety space, which is usually something that has been developed already over

07:34.640 --> 07:41.920
decades, and it is not the same in software security.

07:43.920 --> 07:49.600
So I focused on something different on our journey to actually get involved. I was like a random

07:49.600 --> 07:55.600
person from GitHub basically and I wanted to get involved in standardization and I mean I'm from Germany,

07:55.600 --> 08:01.920
I did expect like a fax machine to be involved it wasn't but I had to send multiple physical

08:01.920 --> 08:07.520
letters of like invitation and signed by people before I got access to DIN in Germany, which is

08:07.520 --> 08:13.760
our national, so to speak, standardization body or something, and then they decided that yes,

08:13.760 --> 08:20.240
I'm fit for purpose to be sent to the European standardization process in CEN, and then over there

08:20.240 --> 08:24.240
I was overwhelmed with, I don't know how many meetings do we have, 12 meetings per week on this CRA

08:24.240 --> 08:29.600
standard. Everything happens synchronously, so I run my own business and I don't have time for that,

08:29.600 --> 08:34.880
everything like everything happens in meetings you can't do anything asynchronously and that's I think

08:34.880 --> 08:40.240
doesn't fit very well to this. I can't even send a replacement,

08:40.240 --> 08:45.120
like this is tied to me as a person and that that I think doesn't work very well I mean we're

08:45.120 --> 08:49.280
doing it now because we want to be involved somehow but I think this is something that should

08:49.280 --> 08:53.840
change because yeah what I'd like to do and I'm not even allowed to do that I'd like to share

08:53.840 --> 08:59.440
the drafts that we get now with like my community get feedback and then basically presented but

08:59.440 --> 09:05.520
I'm not even sure if I'm allowed to share any of the documents so I don't know yeah which is

09:05.520 --> 09:10.240
dumb I'm sorry but this is stupid I mean I'm part of a business association they sent me

09:10.240 --> 09:14.000
and I can't even talk to the rest of the association to give feedback so this is

09:15.680 --> 09:21.200
stupid and I hope it can change in due course, but while we have the system we're trying to

09:21.840 --> 09:29.120
work with what we have so I'll add on to that I mean those are those are all very practical

09:29.120 --> 09:36.160
things about participating in standards there is another problem as an open source practitioner

09:36.160 --> 09:42.880
which is that the European standards organizations CEN, CENELEC and ETSI all have intellectual

09:42.880 --> 09:50.880
property policies that allow the participants to insert patented techniques into the standard

09:50.960 --> 09:56.320
which they are then able to charge royalties on when the standard becomes part of the law

09:57.520 --> 10:03.520
and that means that far from what we as open source practitioners would think of as open

10:03.520 --> 10:09.120
the resulting standards are closed in every way they are they're closed in the sense that you can't

10:09.120 --> 10:14.960
have free access to the document without subscribing to a paywall and they're closed in the sense

10:15.120 --> 10:21.280
that to implement them you have to negotiate with patent holders for the necessary permissions

10:21.280 --> 10:27.920
even if you don't pay you have to negotiate for permission to implement them and so the reason

10:27.920 --> 10:33.840
that I would regard the system, the de jure system, that's the official one associated with the law,

10:33.840 --> 10:40.320
is not fit for purpose is that in this room most of us are simply unable to implement standards:

10:40.400 --> 10:45.920
we can't read them we can't implement them without negotiating with multilateral multinational

10:45.920 --> 10:54.560
corporations and now they are the pathway to the presumption of compliance with the law it means

10:54.560 --> 10:59.840
we can't obey the law either and so this this seems to me to be a fundamental problem

11:00.160 --> 11:04.160
so it's actually very

11:09.280 --> 11:13.680
yes, I mean it's a déjà vu experience to hear all of these problems again all in one place,

11:14.480 --> 11:20.240
but so we've started this journey for the Cyber Resilience Act and we now need to develop

11:20.240 --> 11:27.040
these harmonized standards and we need to kind of figure out the best way that we can use the

11:27.040 --> 11:32.240
existing structure to make sure that these standards are fit for purpose also for the open source

11:32.240 --> 11:37.760
community and the people who are going to use open source throughout the supply chain so maybe a couple

11:37.760 --> 11:43.280
of of points that that help to soften a little bit the observations that have been made it's not that

11:43.280 --> 11:48.240
the observations that have been made are not true it's that I think they don't necessarily give you

11:48.240 --> 11:54.880
the the full picture so one is that these harmonized standards they should always be product

11:55.840 --> 12:00.160
and so that makes it harder to encode standard essential patents I mean not to say that there

12:00.160 --> 12:04.320
aren't standard essential patents in certain European standards but not for the harmonized

12:04.320 --> 12:08.640
standards they shouldn't be and certainly for the CRA we will be paying attention to that and

12:08.640 --> 12:13.280
we will try to avoid standard essential patents wherever that's possible which in theory it's just

12:13.280 --> 12:18.160
a language game you just have to abstract away from a specific technology and talk about it in a

12:18.160 --> 12:23.520
different language and and here again I think we we we hope and and count on your expertise and

12:23.520 --> 12:27.840
everybody's expertise to say hang on why you're talking about this specific system that is patented

12:27.840 --> 12:31.440
when you can just be talking about it in a more abstract way so I hope that that one's an easy one

12:31.440 --> 12:36.480
to solve and that we can avoid that pitfall. In terms of participation, I mean it's certainly true

12:36.480 --> 12:42.720
that there's a lot of hurdles and it's a shame that you can't use your position as part of a business

12:42.720 --> 12:48.320
alliance to increase your reach and I would also love if you could do that but for instance it's

12:48.400 --> 12:54.560
and it might be true that the participation is in your own name I think there's no legal obstacle

12:54.560 --> 12:59.040
to you sharing the document within your company to other expertise that you have within your company

12:59.040 --> 13:05.360
because usually you are yeah you represent also a company and so it's not just you as the CEO

13:05.360 --> 13:09.280
of the company it's your company who is there and so you can share the document within your company

13:09.280 --> 13:15.760
and then you tap already a small pool, a smaller pool, of expertise that you can tap into,

13:15.760 --> 13:19.280
and that's in general I think how most companies who participate in the process do it: they have

13:19.280 --> 13:24.240
a standard office or whatever but then you know the the discussion can happen inside of the company again

13:24.240 --> 13:29.120
I'm I don't want to defend an old school industrial model but I think we need to be a little bit

13:29.120 --> 13:36.560
aware in a in a in a balanced way of what it can achieve so that we can make the most of it right now

13:36.560 --> 13:40.960
because right now we need to develop the standards and they're going to be under discussion and

13:40.960 --> 13:45.520
development over the next few months and this process has already started but the people who are here

13:46.000 --> 13:50.400
are some of the people who have actually managed to already get in and they will be able to participate

13:50.400 --> 13:55.040
and I really want to be able to point to them so that if you have suggestions for this work,

13:55.440 --> 13:59.920
speak to them so that they can then come and put your things onto the table and that was really

13:59.920 --> 14:05.520
again one of the publicity aspects that I wanted of this panel. Thanks.

14:06.640 --> 14:14.480
I want to comment on that so you know to on a positive note since the CRA came along

14:15.600 --> 14:20.000
many people in the open source community who have followed last and said we ought to try and

14:20.000 --> 14:26.000
engage and and it has been profoundly frustrating for a lot of people trying to do that

14:27.120 --> 14:35.280
but nonetheless the eclipse foundation has joined in and consequently it has access to

14:35.280 --> 14:41.920
CEN as a process, and if you are a part of a member company of Eclipse they would be willing

14:42.720 --> 14:48.960
to assist you in representing the open source community at DIN, and OSI is a member of ETSI

14:49.600 --> 14:56.000
and we're in the process of negotiating with ETSI that OSI is able to send any

14:56.000 --> 15:02.800
member of one of our affiliate organizations, such as Apache or Debian, to go and participate in the

15:02.800 --> 15:11.840
CRA standardisation activity so we are looking for routes for access to overcome the inherent

15:11.840 --> 15:17.920
bias against access that the legacy system has got. Now that doesn't mean it's going to be either

15:17.920 --> 15:26.400
fun or easy or effective but at least it's possible and so if you're interested in doing any of

15:26.400 --> 15:32.960
those things do come and speak to me or, who's from Eclipse here? Oh, here. Come if you can

15:33.440 --> 15:44.880
come. I mean, whatever, it still does not remove the fact that a lot

15:44.880 --> 15:58.720
of people do, like, seriously, 12 meetings per week, so for me personally it's just insane.

15:59.680 --> 16:09.760
So it is not just that it is too many meetings, it is also again the

16:11.760 --> 16:17.520
how much it needs to like you know and now everybody is there and what you can do as an individual

16:17.520 --> 16:22.880
whoever you are, is still very limited, and I find that a very strange process.

16:23.520 --> 16:32.320
But maybe to say so, I think it's okay, so the standardisation request for the Cyber Resilience

16:32.320 --> 16:38.080
Act is still under the process of adoption, hopefully on Monday it will be adopted by the Commission,

16:38.080 --> 16:43.040
at that point it will be sent to the European standardisation organizations so that they can

16:43.040 --> 16:48.080
accept it or not; they have a month to decide. We hope, because all of this has been discussed

16:48.080 --> 16:52.560
so long with the experts in CEN and CENELEC, and even with the organizations, also with

16:52.560 --> 16:58.000
ETSI, that we hope that this standardisation request will get the acceptance and therefore the work

16:58.000 --> 17:03.040
that has already started can finally have, you know, the official request at the table.

17:03.920 --> 17:10.480
but so as this process has slowly become more concrete in the beginning it was very much about

17:10.480 --> 17:15.120
say discussing what would be the right architecture for this exercise we're going to be developing

17:15.120 --> 17:19.680
standards for at least 25 different product categories we also want to kind of horizontal framework

17:19.680 --> 17:24.480
to ensure that sort of there's some coherence in all these different product specific standards and so

17:24.480 --> 17:30.960
what can this all look like from a high level, and I think until now it's been a lot of conversation

17:30.960 --> 17:36.560
but slowly the first documents are starting to appear and I think that's when this work can

17:36.560 --> 17:40.560
get more concrete and you don't necessarily have to be in all the meetings because you can now start

17:40.560 --> 17:44.800
to see the drafts and that's partly why it's so important that there is an entry point because

17:44.800 --> 17:48.560
the people who have the entry point they can see the documents circulating and they can see the

17:48.560 --> 17:53.440
documents in the document area and they don't need to be in all the meetings I hope in order to

17:53.440 --> 17:57.680
be able to see the documents and to be able to provide written comments so again I think that has

17:57.680 --> 18:02.720
been a little bit that experience, whilst it was true, has been the nature of this early stage

18:02.720 --> 18:08.160
which you've started and so going forward I think is going to all become much more concrete

18:08.240 --> 18:11.600
and it's going to be scary for different reasons because then there's a document and you're like

18:11.600 --> 18:16.000
ah this language I don't agree with what can I do but that's going to be an important moment as well

18:16.000 --> 18:25.440
very concrete in a different way. Okay, so, oh, so don't go anywhere. So this is the boundary

18:25.440 --> 18:32.080
between the panel and the fishbowl, so the fishbowl session is like a panel but it's a panel that you can

18:32.080 --> 18:38.480
be on so if you would like to join the conversation if you would like to come down and stand

18:38.480 --> 18:44.880
outside this box and somebody who is inside this box will then leave it and let you into the box

18:44.880 --> 18:50.240
so that you can participate in the conversation, and we're doing this because

18:50.240 --> 18:56.240
none of you know how to ask a question for goodness sake this is instead of questions okay so

18:56.240 --> 19:02.000
you get the opportunity to come down here and give your short talk and possibly to

19:02.000 --> 19:07.520
ask a question okay so so no need to put it in the form of a question so what I'm going to

19:07.520 --> 19:12.240
do now is I'm going to carry on the conversation and then if you do want to participate you

19:12.240 --> 19:16.960
don't have to raise a hand you just have to politely form a line to to come into the box

19:16.960 --> 19:22.480
down in this area by the door okay and we'll do that until either it gets out of control or we

19:22.480 --> 19:25.760
run out of time

