
Monumental Cybersecurity Blunders

Two recent events celebrating the history of cybersecurity standards brought together people who were intimately involved in some of the most significant network security standards work ever undertaken: the X.509 digital certificate standards, at ITU X.509 Day, and the Secure Digital Network System (SDNS) standards, at the NSA Cryptologic History Symposium 2022.

The events included discussions not only of the successes of the standards but also the failures. Three of the noted principal reasons for failure were: 1) placing the standards behind paywalls that prevented access by the global user community, 2) the related lack of meaningful engagement with actual knowledgeable user communities in producing and evolving the proffered standards, and 3) the lack of rapid vulnerability reporting mechanisms for the standards themselves. To put it simply, publishing the cybersecurity standards through organizations that prevented immediate, free access was the kiss of death and a colossal waste of resources expended to develop them. The organizations involved simply used the money for their own institutional profit and lifestyles while marketing them to gullible regulators and politicians as essential—all to the substantial detriment of cybersecurity.

During one of the events, participants were stunned to learn that a standards body had developed a derivative standard for power system and smart city data security—IEC 62351:2022—and was charging 4450 Swiss Francs for a single-user copy. That’s 4,450 US dollars for a single user to see the standards. A closer inspection shows it consists of a bundle of 18 interrelated standards sold as critical for secure smart cities and power infrastructure. Inexplicably, the price varied between $6.43 and $0.81 per page, with the average being $2.43 per page. The pricing seemed aimed at maximizing revenue from the more popular security standards subjects. When concern was raised about the matter, the power industry representative admitted that they “don’t like it” and that it deters use and cybersecurity in general—but that it is the “organization’s business model.”

Unfortunately, similar and equally astounding cybersecurity blunders are in progress. Perhaps the most astonishing is that of the European Union, which is attempting to enhance cybersecurity among member countries by relying almost entirely upon ISO paywall standards. The three draft cybersecurity frameworks known as EUCS (EU Cloud Services Scheme), RCABCCS (Requirements for Conformity Assessment Bodies Certifying Cloud Services) and SESIP (Security Evaluation for Secure IoT Platforms) rely on ISO/IEC standards priced at 3268, 1454, and 1352 Swiss Francs, respectively. Those outside the small enclaves advancing these frameworks cannot even understand what is being proposed without paying enormous prices for the standards on which they are based—which additionally raises significant legal transparency concerns, given that the EU intends to make the frameworks mandatory.

Beyond the adverse effects on cybersecurity caused by “paywall standards,” there is an academic discussion of what constitutes open or public standards. Plainly, charging any individual $4,450 to see smart city or power grid cybersecurity specifications is neither open nor public.

Additional questions arise over the legality of what amounts to anticompetitive industry collusion to grant a single private standards publishing organization a de facto monopoly, and over whether it is lawful for regulatory bodies or industry organizations to cite such standards as obligations. Indeed, it has been argued that the practice abridges due process, transparency and the basic human right of access to provisions essential for public safety and security.

Over the past three decades, most cybersecurity groups have come to understand these monumental cybersecurity blunders and the importance of eliminating paywalls and opening up the standards processes to scrutiny and engagement by actual users. Significant credit for the paradigm shift is also owed to Public.Resource.Org, which has led the change not only in the U.S. but globally over the past 30 years. Only a few bodies now continue the paywall practice—to the detriment, and waste of resources, of those who continue to engage with them. It is long past time for the practice to stop, and for others to stop enabling it as “a business model” that is so obviously antithetical to the cybersecurity objective.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Comments

Is there not someone who moderates posts? Ardan Michael Blum  –  May 24, 2022 1:38 AM

Does anyone check articles here? Just amazed at the statements being made, such as “(...) adverse effects on cybersecurity caused by ‘paywall standards’ is an academic discussion of what constitutes open or public standards. Plainly, charging any individual $4,450 to see smart city or powergrid cybersecurity specifications is not really open nor public. (...)”.

Yes Anthony Rutkowski  –  May 24, 2022 3:50 AM

Follow the links. Look up the purchase prices for the cited standards included by reference for each on the ISO/IEC site. Add the amounts and convert to US dollars. The amounts are publicly available. This practice for a dwindling number of organisations has been criticized for many decades and the subject of substantial litigation. Follow the Public.Resource.Org link for some of that history and extensive advocacy which has been broadly supported.

Thank you Ardan Michael Blum  –  May 24, 2022 1:47 PM

I will look at this and apologies to you for the manner in which I expressed myself. (A little over the top).

Best regards,

AM
