When standards bodies are the cyber threat

By A. M. Rutkowski, Yaana Technologies, Network World
January 28, 2010 12:59 PM ET
Believe it or not, some practices of the groups charged with producing security standards represent cyber threats in their own right. As government and industry increasingly collaborate to enhance cyber security, it is critical these practices be considered as part of the overall cyber security framework.

Crafting a security standard involves several steps. First, experts agree on a specification intended to enhance cyber security. Then the specification is made available to a community of implementers, and it is updated as flaws are discovered and as the technology evolves. Next, a responsible secretariat registers the specific technical parameters or schemas that implementers create under the standard (the "registered parameters"). Finally, that secretariat makes the specification and the registry discoverable and readily available to all implementers.

Standards body cyber threats arise from three sources. The first stems from the fact that cyber security bodies typically exist within larger organizations that need revenue. Those organizations can hijack the specification and the so-called registered parameter availability processes and charge often substantial sums of money merely to view a specification or its parameters, which keeps current specifications and parameters out of the hands of the very implementers who need them.

A second threat is that many bodies do not publish their standards and registered parameters from a high-trust Web platform (one presenting an Extended Validation certificate over a secure SSL connection), so an implementer has no assurance that the site is operated by the standards body and that the specification or parameters downloaded are the ones the body actually issued. The third threat is the failure of standards parameter registration authorities to implement sufficient identity proofing of the parties that register parameters.

For years, standards organizations in the cyber security arena have been allowed to persist with revenue and provisioning practices that have a profound adverse effect on cyber security, while government authorities and user communities have looked the other way and tolerated the consequences. This cannot continue if we are going to get serious about cyber security.

Standards bodies are part of the security food chain, and their practices must be part of an assessment process that holds them accountable. Those standards bodies that cannot meet today's needs and represent a threat should, as a deliberate decision by government and industry, simply not be used.

An example of how to "do it right" can be seen here. When you visit this site, your browser's URL box turns bright green, telling you that the site presents a high-trust Extended Validation certificate whose validity the browser has checked, and that you have a secure SSL path to that site. As you navigate to a standard of interest and download it, this trust and security is maintained end to end, so the document you receive is the one the body published.

Anything less than this level of availability, trust and security for implementers can no longer be accepted in the cyber security standards field. For most standards bodies, taking these steps is readily achievable. Unfortunately, some cyber security standards activities remain part of broader organizations that rely on the revenue extracted from those standards to fund their non-security objectives, including the frequently high costs of their secretariats and management staff. Reducing cyber security threats is not an objective of these organizations.
