Security Watch
Standards Insecurity
Communications of the ACM, Volume 46,
Number 12 (2003)
Rebecca T.
Mercuri
Communications of the ACM
Vol. 46, No. 12 (December 2003), Pages 21-25
Standards can provide an important component in the computer security
environment but they should not be relied on blindly.
In the computer industry, standards play an important role by enforcing
security baselines and enabling compatibilities among products. In the early
days of computing, lacking common agreements, problems ensued with floating
point configurations, ASCII vs. EBCDIC encoding battles, and little vs. big
endian data mixups. Such issues, especially when they affect data integrity,can
pose a security risk. In the best of worlds, standards provide a neutral ground
where methodologies are established that advance the interests of manufacturers
as well as consumers, while providing assurances of safety and reliability.
At the opposite extreme, standards can be inappropriately employed to favor
some vendors' products over others, make competition costly, and encourage
mediocrity over innovation, all of which can have negative effects on security.
In this column, I consider the current standards environment and offer some
suggestions for its increased understanding and improvement.
A host of computer security standards currently exist, including those for
general use like the Common Criteria and its predecessor TCSEC/ITSEC, and
others specific to the Internet like SSL and PKCS. Standards documents range
from pamphlet-sized to tomes as hefty as the Manhattan phone book. Creation
of a standard can be done in an ad hoc manner, or it may followlengthy (and
even somewhat recursive) procedures using standardized guidelines applied
to the new standard's development. Standards groups can be governmental, non-profit,
volunteer, membership-based, corporate, or a combination of these types.
Organizations responsible for creating and maintaining information security
standards form a veritable alphabet soup (see the table here). Although ACM
does not include a chartered standards body, some of its membership overlaps
the 15,000 participants in the IEEE Standards Association, providing input
to the computer-related components of their portfolio of nearly 1,300 existing
or developing standards. As well, ACM members provide valuable contributions
to many of the other standards organizations mentioned here.
The standards industry, such that it is, receives a considerable amount
of money for the services provided. Manufacturers pay agencies various fees
for the testing, record-keeping, auditing, and certification processes performed
on their products. Although government standards can usually be freely obtained
via the Internet, many other standards are the copyrighted properties of their
parent organizations, and documentation must be purchased, some even while
still in draft mode. Manufacturers, inspectors, and systems specifiers may
find it necessary to buy directories from standards bodies in order to locate
certified components and the vendors who can supply them. Because of the
large number of products sold in the global marketplace, certification seems
like a reasonable way to ensure a certain level of quality control, but the
costs and time involved in obtaining it can lock out small companies with
good new ideas, while a status quo from established vendors may be allowed
to prevail.
------------------------------------------------------------------------
Even though a standard may have been created
through an open process,
this does not necessarily dictate that the certification process will be
transparent.
------------------------------------------------------------------------
As probably the classic archetype for standards overseers, Underwriter's
Laboratories, Inc. (UL) describes itself as "an independent, not-for-profit
product safety testing and certification organization" that has "held the
undisputed reputation as the leader in U.S. product safety and certification"
since its founding in 1894. UL has developed more than 800 safety standards,
some in conjunction with ANSI (the American National Standards Institute),
the U.S. Department of Defense, and other groups, over a broad range of application
areas (including telecommunications, robotics, and semiconductor fabrication).
In 2002, some 5,900 UL staff members conducted 106,942 evaluations and 555,222
manufacturing process compliance audit visits for over 17 billion products
made by over 66,703 manufacturers worldwide. The simple UL in a circle—the
UL Listing Mark—is its most common insignia, indicating "that samples of this
product met UL's safety requirements." Based on the preceding numbers, though,
it appears that only one in every 159,000 UL-marked products is actually tested
by UL itself.
When a product is granted certification under a particular standard, it
is common to issue a display mark to notify retailers and purchasers of this
fact. Gone are the days when such certification marks were as recognizable
as the UL Listing Mark and the Good Housekeeping Seal of Approval. Regardless,
obtaining some marks may be necessary in order to compete or even participate
in certain markets. On the bottom of my iMac keyboard, for example, are the
marks CE, FCC, VCCI, C Uus, TUV Rheinland, and a dark dot with a check inside.
A bit further over on my desk, the container holding my blank CD-R discs is
marked Certified Plus with the words compatibility, reliability, and usability
written around a + sign. Do any of these markings imply consumer warranties?
How does one find out? Somehow these insignia don't inspire the blissfully
naive sense of confidence in product safety and quality assurance that the
old UL mark in a circle once did.
As for the UL, it now issues approximately 20 different marks, including
that C Uus one underneath my keyboard, which is its Recognized Component Mark
for parts integrated into larger systems. The UL doesn't provide warranties,
but if you have experienced a problem (say your house burns down because of
a defective computer monitor), you can submit a Consumer Product Report Form.
If you mail the product to UL, it will reimburse your shipping expenses and
even return the item to you after conducting an investigation. The UL does
assist with notification about product recalls, but it is unclear how to
proceed if you hope to recover related damages, or if you believe the actual
UL certification process was somehow flawed.
Even though a standard may have been created through an open process, this
does not necessarily dictate that the certification process will be transparent.
Certifying authorities may develop proprietary sets of testing procedures,
which in turn may generate reports that are not intended to be released for
examination by the purchasers of the certified components. Manufacturers may
choose to protect their products under trade secrecy (in addition to or in
lieu of patents and copyrights), so the issuance of certification may not
reveal much more than an imprimatur of compliance. This is especially true
under the Common Criteria program, where the details pertaining to risks analysis
and mitigation may be buried within proprietary Protection Profile and Target
Of Evaluation documents. Of course, a purchaser may make the revelation of
these documents a requirement of procurement, but this might restrict competitive
bidding, especially if the majority of vendors have decided to shield the
composition of their products behind the certification process.
In the case where certification has various tiers, like the Common Criteria,
it is also important to understand exactly what components have been certified
and at which levels, in order to ascertain whether the intended product application
is appropriate. The sidebar "Understanding Standards" provides a set of questions
that can be useful in sorting through the hodgepodge with vendors and certification
authorities.
As an interesting twist, the mere existence of a standard does not grant
a manufacturer blanket permission to construct a product to those specifications
without running the risk of copyright or patent violations. MPEG is one (albeit
non-security) example where even independent implementation requires negotiation
with patent holders who have contributed technology to the standard. This
standard is owned by the International Organization for Standardization (the
same group that administers the quality management certification programs
known as the ISO 9000 family), and it requires that all the technology within
MPEG be licensable by its contributors on "fair and equal terms." MIT Media
Lab's Eric Scheirer has noted that although this type of policy rewards developers
who hold intellectual property rights, it also discriminates against small
companies and hobbyists who may be unable to afford the licensing fees. As
well, it is imaginable that a standard might be tainted by requiring the inclusion
of a particular component that could inadvertently pose a security risk.
A relatively new player in the standards field is OASIS, "a not-for-profit
global consortium that drives the development, convergence and adoption of
e-business standards." OASIS is composed of Individual, Contributing, and
Sponsoring members, who pay annual fees ranging from $250 to $13,500. Individual
members are allowed to participate fully in Technical Committees (the working
groups that formulate the standards), but are not eligible to vote. OASIS
maintains formal liaisons with many of the other major standards groups, some
of whom are also Sponsoring members, and has created a number of open standards
pertaining to XML and structured information frameworks, including the recently
adopted Security Assertion Markup Language (SAML). The OASIS open standards
policy allows OASIS specifications to be provided on a royalty-free basis
(downloadable at no cost), with all external intellectual property agreed
to be licensable (though not necessarily for free, as in the preceding MPEG
example). It should be noted that all OASIS standards contain a warranty disclaiming
any express or implied fitness of purpose and merchantability.
------------------------------------------------------------------------
Although the systems that provide regulatory
and certification controls may seem formidable,
ultimately their administration must be responsive to the marketplace,
or those standards products will not remain viable.
------------------------------------------------------------------------
Like OASIS, The World Wide Web Consortium (W3C) was created in the mid-1990s
as a membership organization. The cost of membership in this group is a bit
more pricey, with only two classes offered: Full at $57,500 and Affiliate
at $5,750 per year. The group's 380 members comprise a veritable Who's Who
of international Internet industries. The organization provides an informational
forum and produces "interoperable technologies" that include specifications,
guidelines, software, and tools. Active working groups include projects on
accessibility, device independence, quality assurance, and there are useful
FAQs on security and other Web-related topics hosted on the W3C Web site (see
www.w3.org).
One of the W3C's best-known initiatives is its Platform for Privacy Preference
Project (P3P, see www.w3.org/P3P/P3FAQ.html)
spearheaded by AT&T's Lorrie Cranor. P3P was developed as an industry
standard that "enables Web sites to express their privacy practices in a
standard format that can be retrieved automatically and interpreted easily
by user agents." Although well-intentioned, the project is illustrative of
the difficulties encountered in standards creation and deployment. At one
point, a major patent infringement claim resulted in some of the members
removing themselves from the W3C's Working Group. As well, there were P3P-related
concerns in the U.S. regarding whether privacy should be industry-driven
or regulated by legislation, and there was a dispute between the European
Union and the U.S. over transatlantic personal data flow via the P3P protocol.
Even though consensus was eventually developed, critics such as Attorney
Benjamin Wright have claimed that P3P punishes non-compliant Web sites by
blocking or impeding their cookies, and that the encoding of privacy policies
via P3P may not be sufficient to survive a liability challenge in court.
If a company, group, or individual feels that a standard is inappropriate,
there are various ways to make changes. One can work within the standards
framework to try to change or influence policies, but this may be difficult
(if not impossible) for smaller players. Another method is to create an alternative
market environment where the standard is not employed—the open source movement
has been rather successful in this regard. Or the standard can be augmented,
such as Wright did with his DSA code for P3P that attempts to disavow legal
liability for the policy, thus rendering it meaningless. This scheme, as one
might imagine, was met with considerable industry protest. There are also
legal and legislative routes that can be used to either constrain use or
require addenda to an existing standard.
Although the process for certification of a product under the auspices of
a standard is typically well defined, the decertification of a defective product
or standard is often lax. For example, few U.S. citizens realized that all
of the brand-new voting machines deployed in communities for the 2002 elections
were certified under the already-deemed-obsolete 1990 Federal Election Commission
(FEC) inspection guidelines. New standards are not necessarily even required
to comply with current industry practices. The 2002 FEC Voting System Standard
(VSS) contains blanket exemptions for Commercial Off-The-Shelf (COTS) products,
despite complaints from many computer experts who testified that this could
provide a serious security loophole. Recalls are the typical solution offered
when a product malfunctions, and although California's gubernatorial recall
was not motivated by defective voting machines (although the effort to postpone
it was), one can imagine a scenario where an entire election could be recalled
if equipment was subsequently deemed unreliable or if tampering was discovered.
This could create a sense of mistrust in the government or a feeling of disenfranchisement
among the electorate. It is no wonder certain vendors of electronic balloting
devices have encouraged the adoption of standards that allow them to remove
the ability to perform an independent recount that could potentially conflict
with results internally generated by their computer systems. Currently, the
legislative route (mentioned previously) is being used to circumvent some
of these problems by constructing state and federal bill wording that would
require the availability of voter-verified paper ballots that can be used
to provide independent election audits.
As with any other security process, standards must be assessed for their
appropriateness, in both technology and application, prior to as well as during
their use. Computer security standards should be understood as fluid, rather
than static, to best reflect the constantly changing environments in which
they are being deployed. Although the systems that provide regulatory and
certification controls may seem formidable, ultimately their administration
must be responsive to the marketplace, or those standards products will not
remain viable. Since insight on security matters can be derived from the discourse
provided by the standards development process, all levels of participation
are valuable and should continue to be encouraged and open. In these ways,
we can hope to "set the standard" for better standards, now and in the future.
Author
Rebecca Mercuri (Rebecca_Mercuri@ksg.harvard.edu) is a research fellow
in the John F. Kennedy School of Government at Harvard University.
Table: Computer security-related standards and certification organizations
Sidebar: Understanding standards
1. What is the overseeing body that controls the standard
and how is it managed?
2. Who were the members of the working group that created
the standard,
how were they selected, and what were
their interests?
3. Does the standard adequately reflect current industry
practices?
4. Which products or product families are subjected to
the standard?
5. How is the standards process applied to the products?
6. What is the meaning of certification under the standard?
7. How are later-discovered defects in the standard mitigated?
8. If the standard has changed, is it possible to differentiate
certified products?
9. What percentage of the products are actually examined
and what is done to ensure
uniformity among products that are
not examined?
10. How are defective products handled?
©2003 ACM 0002-0782/03/1200 $5.00
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise,
to republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery.
Copyright © 2003 ACM, Inc.