NordVPN Promotion

Home / Blogs

Monumental Cybersecurity Blunders

Two recent celebrated cybersecurity standards history events brought together sets of people who were intimately involved with some of the most significant network security standards work ever undertaken. These included the X.509 digital certificate standards at ITU X.509 Day, and the Secure Digital Network System (SDNS) standards at the NSA Cryptologic History Symposium 2022.

The events included discussions not only of the successes of the standards but also the failures. Three of the noted principal reasons for failure were: 1) placing the standards behind paywalls that prevented access by the global user community, 2) the related lack of meaningful engagement with actual knowledgeable user communities in producing and evolving the proffered standards, and 3) the lack of rapid vulnerability reporting mechanisms for the standards themselves. To put it simply, publishing the cybersecurity standards through organizations that prevented immediate, free access was the kiss of death and a colossal waste of resources expended to develop them. The organizations involved simply used the money for their own institutional profit and lifestyles while marketing them to gullible regulators and politicians as essential—all to the substantial detriment of cybersecurity.

During one of the events, participants were stunned to learn that a standards body had developed a derivative standard for a power system and smart city data security—IEC 62351:2022—and was charging 4450 Swiss Francs for a single user copy. That’s 4,450 US dollars for a single user to see the standards. A closer inspection shows it consists of a bundle of 18 interrelated standards sold as critical for secure smart cities and power infrastructure. Inexplicably, the price per page varied between $6.43 and $0.81 per page, with the average being $2.43 per page. The pricing seemed aimed at maximizing revenue from the more popular security standards subjects. When concern was raised about the matter, the power industry representative admitted that they “don’t like it” and that it deters use and cybersecurity in general—but that it is the “organization’s business model.”

Unfortunately, there are some astounding similar cybersecurity blunders in progress. Perhaps the most incredulous is the European Union which is attempting to enhance cybersecurity among member countries by relying essentially entirely upon ISO paywall standards. The three draft cybersecurity frameworks known as EUCS (EU Cloud Services Scheme), RCABCCS (Requirements for Conformity Assessment Bodies Certifying Cloud Services) and SESIP (Security Evaluation for Secure IoT Platforms) rely on ISO/IEC standards priced at 3268, 1454, and 1352 Swiss Francs, respectively. Those outside the small enclaves advancing these frameworks are unable to even understand what is being proposed without paying enormous prices for the standards on which they are based—additionally raising significant legal transparency concerns given that the EU intends to make the frameworks mandatory.

In addition to the adverse effects on cybersecurity caused by “paywall standards” is an academic discussion of what constitutes open or public standards. Plainly, charging any individual $4,450 to see smart city or powergrid cybersecurity specifications is not really open nor public.

Additional questions arise over the legality of what amounts to industry anticompetitive collusion to provide a single private standards publishing organization with a defacto monopoly and whether it is lawful for regulatory bodies or industry organizations to be citing such standards as obligations. Indeed, the practice has been argued as an abridgment of due process, transparency and basic human rights to have access to provisions essential for public safety and security.

Over the past three decades, most cybersecurity groups have understood these monumental cybersecurity blunders and importance of eliminating paywalls and opening up the standards processes to scrutiny and engagement by actual users. Significant credit for the paradigm shift is also owed to Public.Resource.Org which has led the change not only in the U.S. but globally over the past 30 years. Only a few bodies now continue the paywall practice—to the detriment and waste of resources of those who continue to engage with them. It is long past due for the practice to stop and stop enabling it as “a business model”—that is so obviously antithetical to the cybersecurity objective.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Visit Page

Filed Under

Comments

Is there not someone who moderates posts? Ardan Michael Blum  –  May 24, 2022 1:38 AM

Does anyone check articles here? Just amazed at the statements being made, such as “(...) adverse effects on cybersecurity caused by ‘paywall standards’ is an academic discussion of what constitutes open or public standards. Plainly, charging any individual $4,450 to see smart city or powergrid cybersecurity specifications is not really open nor public. (...)”.

Yes Anthony Rutkowski  –  May 24, 2022 3:50 AM

Follow the links. Look up the purchase prices for the cited standards included by reference for each on the ISO/IEC site. Add the amounts and convert to US dollars. The amounts are publicly available. This practice for a dwindling number of organisations has been criticized for many decades and the subject of substantial litigation. Follow the Public.Resource.Org link for some of that history and extensive advocacy which has been broadly supported.

Thank you Ardan Michael Blum  –  May 24, 2022 1:47 PM

I will look at this and apologies to you for the manner in which I expressed myself. (A little over the top).

Best regards,

AM

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion