Two recent events held on the history of cybersecurity standards brought together groups of people who were intimately involved with some of the most important network security standards work ever done. These included the X.509 digital certificate standards in ITU X.509 Day and the standards of the Secure Digital Network System (SDNS) in the NSA Cryptographic History Symposium 2022.
The events included discussions not only about the successes of the standards but also about the failures. Three of the main reasons cited for failure were: 1) placing the standards behind paywalls that prevented access by the global user community, 2) the related lack of meaningful engagement with real, knowledgeable user communities in the production and evolution of the offered standards, and 3) the lack of rapid vulnerability notification mechanisms for the standards themselves. Put simply, publishing cybersecurity standards through organizations that prevented free and immediate access was the kiss of death and a colossal waste of the resources spent to develop them. The organizations involved simply used the money for their own institutional gains and lifestyles while promoting the standards to gullible regulators and politicians as essential, all to the substantial detriment of cybersecurity.
During one of the events, participants were surprised to learn that a standards body had developed a derivative standard for a smart city data security and energy system, IEC 62351:2022, and was charging 4450 Swiss francs for a single-user copy. That’s US$4,450 for a single user to see the standards. Closer inspection shows that it consists of a package of 18 interrelated standards sold as critical for safe smart cities and energy infrastructure. Inexplicably, the price per page ranged from $6.43 to $0.81, with an average of $2.43. The pricing seemed to be aimed at maximizing revenue from the most popular security standards topics. When concern was raised about the matter, the electric industry representative admitted that they “don’t like it” and that it deters usage and cybersecurity in general, but that it is the “organization’s business model.”
Unfortunately, there are some similarly astonishing cybersecurity mistakes in progress. Perhaps the most incredible is that of the European Union, which is attempting to improve cybersecurity among member countries essentially on the basis of paywalled ISO standards. The three cybersecurity framework projects known as EUCS (EU Cloud Services Scheme), RCABCCS (Requirements for conformity assessment bodies that certify cloud services) and SESIP (Security assessment for secure IoT platforms) are based on ISO/IEC standards priced at CHF 3,268, CHF 1,454, and CHF 1,352, respectively. Those outside the small enclaves promoting these frameworks cannot even understand what is being proposed without paying huge prices for the standards on which they are based, raising major concerns about legal transparency given that the EU intends to make the frameworks mandatory.
In addition to the adverse effects on cybersecurity caused by “paywall standards”, there is academic discussion about what constitutes open or public standards. Clearly, charging any individual $4,450 to view smart city or power grid cybersecurity specs is not really open or public.
Additional questions arise about the legality of what amounts to anti-competitive industry collusion to provide a single private standards publishing organization with a de facto monopoly and whether it is lawful for regulators or industry organizations to cite such standards as obligations. Indeed, it has been argued that the practice violates due process, transparency, and basic human rights to access provisions essential to public safety.
Over the past three decades, most cybersecurity groups have understood these monumental cybersecurity mistakes and the importance of removing paywalls and opening up standards processes to real user scrutiny and participation. Significant credit for the paradigm shift is also due to Public.Resource.Org, which has led change not only in the US but worldwide in the last 30 years. Only a few agencies now continue the paywall practice, to the detriment and waste of resources of those who continue to interact with them. It is time for the practice to stop, and time to stop enabling it as “a business model”, which is so obviously antithetical to the goal of cybersecurity.