Security standards can be a cyber threat

Standards bodies can endanger your information security

Believe it or not, some practices of the groups charged with producing security standards represent cyber threats in their own right. As government and industry increasingly collaborate to enhance cyber security, it is critical that these practices be considered as part of the overall cyber security framework.

Crafting security standards involves multiple steps. First, experts agree on specifications intended to enhance cyber security. Then those specifications are made available to a community of implementers, and the specifications are updated as flaws are discovered and evolutions become necessary. Next, a responsible secretariat registers the specific implementer technical parameters or schemas that the standard creates, and finally that secretariat makes this information discoverable and readily available to all implementers.

Standards body cyber threats arise from three sources. The first stems from the fact that cyber security bodies typically exist within larger organisations that need revenue. Those organisations can hijack a specification and the so-called "registered parameter" availability processes and charge often substantial sums of money merely to view a specification or its parameters.

A second threat is that many bodies do not use readily available high-trust (Extended Validation certificate) web platforms that ensure the integrity and security of the standard or registered parameters. The third threat is the failure of standards parameter registration authorities to implement sufficient identity proofing.

For years, standards organisations in the cyber security arena have been allowed to persist with revenue and provisioning practices that have a profound adverse effect on cyber security, as government authorities and user communities have looked the other way and tolerated the adverse consequences. This cannot continue if we are going to get serious about cyber security.

Standards bodies are part of the security food chain, and their practices must be part of an assessment process that holds them accountable. Those standards bodies that cannot meet today's needs and represent a threat should simply not be used, as a deliberate decision by government and industry.

An example of how to "do it right" can be seen here. When you visit this site, your browser URL box turns bright green, telling you that the site is using a high-trust Extended Validation certificate whose validity has been checked by the browser, and that you have a secure SSL path to that site. As you navigate to a standard of interest and download it, this trust and security is maintained.

Anything less than this level of availability, trust and security for implementers can no longer be accepted in the cyber security standards field. For most standards bodies, taking these steps is readily achievable. Unfortunately, some cyber security standards activities remain part of broader organisations that rely on the revenue extracted from those standards in order to maintain the non-security-related objectives of those organisations, including the (frequently high) costs incurred by their secretariats and management staff. Reduction of cyber security threats is not an objective of these organisations.

The third threat, the failure of standards parameter registration authorities to implement sufficient identity proofing, remains largely ignored by all of the standards bodies. The identity proofing and lifecycle management criteria for standards parameter and schema registrations are left to the predilections of secretariat staff, and at most secretariats consist of little more than an initial email. Because of the associated costs, however, nothing significant will happen until cyber security authorities require and specify enhanced identity management practices for registrations, which could be compensated for through increased registration fees.

Government agencies today are pouring billions of dollars into improving cyber security. Standards are a critical component of achieving their objectives. However, the standards bodies themselves need to be part of a coherent cyber security ecosystem. The effectiveness of those government investments should in no case be diminished by standards organisations' efforts to further their own interests and revenue models. Government agencies have a fiduciary duty to their citizens and industry, not to standards organisations. Standards bodies should not themselves be threats to cyber security.

Techworld UK - Technology - Business