On 24 May, NIST published recommendations that are a key component of the U.S. cybersecurity ecosystem—known as vulnerability disclosure guidelines. NIST (National Institute of Standards and Technology) is an agency of the Department of Commerce whose mission includes “developing cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.”
The NIST publication is SP 800-216. Although directed at the U.S. Federal Government, the guidelines are applied to anyone having a touchpoint with a Federal government agency and are critically important for public cybersecurity. The broad sweep of the guidelines includes “receipt of information about potential security vulnerabilities in information systems owned or controlled by a government agency, as well as the dissemination of information about security vulnerability resolutions to government agencies and the public.” The recommendations also implement the Internet of Things Cybersecurity Improvement Act.
Unfortunately, the NIST Guidelines state that they should be used “in conjunction with” two standards published by ISO, a private Swiss-based standards organization, and those standards lie behind a paywall that costs $150 for “personal copies” for five years. NIST also cites an additional seven ISO-published standards as relevant to implementing the guidelines. The total bundle comes to $1592—paid in Swiss Francs. Without rational explanation, the price per page of the downloaded files varies between 7.08 and 1.37 Swiss Francs.
Somewhat incredibly, NIST also fronts as a sales mechanism by including, for each standard, a URL link that points directly to the ISO paywall sales server. (Amusingly, two of the referenced ISO publications are out of date.)
Why NIST is behaving in this fashion and effectively impeding U.S. cybersecurity has no rational explanation. There are numerous other global private and intergovernmental bodies hosting cybersecurity standards activities and publishing the standards openly without paywalls that are far better venues. Indeed, eliminating paywalls is the prevailing practice because cybersecurity standards need to reach as many people as possible, are perfected through open collaboration, evolve rapidly, and often have associated code that is downloaded on demand. Few organizations producing cybersecurity standards maintain paywalls today because it also significantly impedes the development of the standards and meaningful transparency. Placing cybersecurity vulnerability disclosure guidelines behind a paywall that demands more than 1500 dollars to view makes utterly no sense.
Furthermore, NIST’s behavior skirts the juridical and human rights norms in the U.S. that everyone should have effective public access to the law and that the work of public officials is not the proper subject of copyright. Those norms were underscored three years ago in a landmark decision of the U.S. Supreme Court in favor of Public.Resource.org. For years, NIST has been freely providing its own IPR and that of collaborating U.S. companies to ISO, to turn around and resell back to U.S. users for enormous fees to help support ISO’s expensive Geneva lifestyle and frequent quasi-holiday meetings at attractive locations around the world.
Whenever NIST has been questioned or criticized for this rather outrageous behavior, the customary answer, which strains credulity, is that it is “the ISO business model,” and they cannot change it. The reality of that model is that ISO is in the publications business, rather than standards-making, and they are incented to get de facto provisioning monopolies from public governmental bodies like NIST to garner their unjust revenue.
The conduct here begs for extensive scrutiny by responsible authorities, as well as industry and the public. It is a conduct clearly harmful to the interests of everyone except those availing themselves of paywall money generated by the free IPR provided by others and funded in part by U.S. taxpayers.
The behavior here is sufficiently egregious to qualify NIST as a Cyber Threat Actor pursuing an Advanced Persistent Threat with its own OASIS STIX profile and captured in a CACAO Security Playbook. For notification and mitigation purposes, SP 800-216 could be reported into the National Vulnerability Database with a CVSS Critical level designation and get a CVE. Best of all, because there are no paywalls in OASIS, the expressions can be freely downloaded!
Sordid history of ISO/IEC 29147
The original concept of structured reporting of cyber vulnerabilities into common well-known databases emerged from work at MITRE Corporation in the late 1990s. See https://www.cve.org/About/History
As noted in the published history, the ensemble of standards from MITRE, FIRST and other venues were brought into ITU-T in 2009 and published as a set of ITU-T X.1500 series standards known as the X.1520-X.1539 set for Vulnerability/state exchange. See https://www.itu.int/itu-t/recommendations/index.aspx?ser=X. The work in the ITU over several years was primarily undertaken by MITRE’s eminent computer security scientist, Robert Martin, who authored some of the original standards. The FIRST organisation’s CVSS SIG established a continuing liaison to contribute its CVSS standard. The U.S. national security communities via the State Department supported the work.
The resulting publications are all formal ITU-T standards and freely available, including associated structured XML code, at permanent URIs. The IPR was conveyed to the ITU. (I was the rapporteur for the entire group, Q4/17, over the entire period.) The ITU-T also hosted multiple global workshops on vulnerability reporting – including the leadership of China’s CNNVD, which merges its own national vulnerability database with the U.S. NVD. See https://www.cert.org.cn/publish/english/index.html
To this day, the ITU-T X.1500 effort known as CYBEX (Cybersecurity Information Exchange) remains the most thorough and expansive global work undertaken for cybersecurity information exchange. The work engaged OASIS, the IETF Security Directorate, the CA/B Forum, the Trusted Computing Group, China’s MIIT, Japan’s NICT, and Korea’s ETRI. At the time, no other significant vulnerability reporting work existed, although GSMA began critically important work under its Security Group – which remains the principal venue for the mobile sector vulnerability reporting today.
In the U.S., the transfer of vulnerability reporting responsibilities to NIST after the ITU work was completed resulted in considerable insularity coupled with its almost exclusive use of ISO. Two eminent computer scientists from the U.S. CERT - Art Manion and Katie Moussouris - were enlisted to produce what was published as ISO/IEC 29147 in 2014. Much of it replicated and cited both the MITRE and ITU-T standards. Katie also led an effort to enlist the U.S. Department of Commerce NIST sister agency - NTIA - to insist that 29147 be made publicly available. ISO complied with the request - for a while. See https://threatpost.com/the-time-has-come-to-hack-the-planet/117419/ NTIA also instituted a public proceeding on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem. See https://ntia.gov/federal-register-notice/comments-stakeholder-engagement-cybersecurity-digital-ecosystem
Under the next U.S. administration, the NTIA effort was terminated. Mysteriously, 29147 disappeared from public availability on the ISO site and the price was increased. Indeed, in the EU, the standard appeared as “transpositions” with a superficial “EN” preface at twice the price.
Much of the ICT industry shifted its engagement to OASIS which created a technical committee for an excellent open and evolving vulnerability reporting standard known as CSAF, complete with code, that is freely available. See http://docs.oasis-open.org/csaf/csaf-cvrf/v1.2/csaf-cvrf-v1.2.html The U.S. national security community has now largely shunned paywall standards forums and established multiple key initiatives in OASIS, among others.
Meanwhile, both Art Manion and Katie Moussouris left the U.S. CERT. Art Manion is now Deputy Director of Analygence Labs. See https://analygence.com/ Katie Moussouris has become a well-known cybersecurity personality with her own firm, Luta Security, advancing its own standard and program generating bug reporting revenue. See https://en.wikipedia.org/wiki/Katie_Moussouris
For reasons that are not clear, this significant history, considerable global collaborative work, and publicly available standards are ignored by NIST and by the EU despite being obligated under its own organic law as well as “European Values” to consider their use.