Cybersecurity Standards Practices as Cyber Threats

November 13, 2019

One of the most embarrassing and pernicious realities in the world of cybersecurity is that some industry cybersecurity standards practices are themselves cyber threats. How so?

Most industry and intergovernmental standards bodies serve as a means of assembling the constantly evolving collective knowledge of participating experts and of packaging the resulting specifications and best practices as freely available online documents for a vast, diverse universe of users. In many cases, these materials acquire the force and effect of law through governmental bodies that reference them as compulsory requirements for an array of cybersecurity products and services provided to end users.

Unfortunately, a few remaining outlier standards organizations attempt to exploit the cybersecurity marketplace by significantly restricting the availability of their standards and charging exorbitant prices for access to documents, which deters their use. This behavior is often coupled with lobbying co-opted government authorities to reference the specifications as mandatory requirements, in defiance of longstanding juridical norms that the law must be publicly accessible. In some cases where such references have created artificial demand, the price reaches an astronomical seven dollars per page for a single user simply to read specifications that are often trivial and of little use, yet are mandated by some governmental authority or certification group. The result is that the cybersecurity standards practices themselves become cyber threats: the needed specifications are not available to end users who cannot or will not pay seven dollars per page for a standard.

The most extreme of these bodies is the Geneva-based, private International Organization for Standardization (ISO), which, together with its regional and national partners, continues the practice of enticing participants to contribute their cybersecurity intellectual property for free. That contributed work is then resold by the organization's secretariats at whatever price the cybersecurity market will bear. That some of the participants are also government employees who are contributing government IPR, and who then effectively serve as marketing arms for secretariats selling the pricey products, makes the practice all the more unacceptable.

In a recent proposal to the European Union on cybersecurity normative standards, the entire bundle of proposed ISO/IEC specifications amounts to $5,000 per individual user license. Additionally, that amount is potentially recurrent every five years, the asserted maintenance period for the standards. For the proposed bundle of 31 documents, the per-page price varies wildly between 0.68 and 6.77 Swiss Francs, with an average of 2.63 Francs ($2.65) per page for downloadable PDF files. The 6.77 Swiss Franc ($6.81) per page figure is for ISO/IEC 30111, the standard on how to process and resolve potential vulnerability information in a product or online service. And these 31 standards include only the explicitly mandated specifications themselves. Secondary normative references that in turn require still further ISO/IEC standards can add significantly to the cost.

The Institute of Electrical and Electronics Engineers (IEEE) engages in similar behavior, and even leverages its relationship with its professional engineering membership. Its price per page varies between $0.56 and $3.48 for common cybersecurity standards.

Over the years, most standards bodies that once sold their cybersecurity standards have ceased the practice, realizing that meaningful standards making in the ICT sector effectively requires making standards freely available to as many people and entities as quickly as possible. Where public safety or security are factors, or where the specification is referenced as a regulatory requirement, freely available standards are essential, and the converse is inexcusable.

Several years ago, the American Bar Association advanced an initiative on public ownership of the law and adopted a resolution calling for public availability of standards that are the subject of regulatory enactments. However, the ISO/IEC national body in the U.S., ANSI, mounted a fierce lobbying effort asserting its right to pursue a business model of whatever the market will bear, and claiming that to do otherwise would put it out of business, without ever providing supporting financial data.

Today, as cybersecurity becomes ever more critical, government authorities worldwide need to seriously question the arguments of the few remaining standards bodies that seek the largesse of a cybersecurity regulatory imprimatur while maintaining a business model that is a clear detriment to end users. Attempting to extract revenue from a cybersecurity standards marketplace is very different from selling standards developed for a closed manufacturing community of physical "widgets." Today, there are many other cybersecurity standards bodies with acceptable business models for governmental authorities to choose from.

So in sum, while charging whatever the market will bear for cybersecurity specifications may be ill-considered as a private standards organization's business practice, it is ultimately that organization's choice. However, such organizations should not be seeking a helping hand from regulatory authorities to prop up a broken business model at the expense of diminished cybersecurity.