The emerging standards war in cyberspace security
Presentation Transcript

The Emerging Standards War in CyberSpace Security

John W. Bagby

College of Information Sciences & Technology

The Pennsylvania State University


Standards ARE Important!

  • Standards Impact Nearly All Fields

    • SDA Participants, Affected Parties, Int’l Orgs, Gov’t Agencies, SROs, NGOs

    • eCommerce & Internet largely dependent on Stds:

      • EX: HTML, HTTP, 802.11, X.25 packet switching …

  • Stds Embody Considerable Innovation

    • SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std

    • Std Innovation Occurs in Various Venues

      • Inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, industry consortia)


Why are Standards Important?

  • Stds Increasingly an Emerging Source of Policy

    • Lessig’s Code cited for IT trend:

      • Public policy embedded in s/w, f/w, h/w & ICT stds

  • Do SDA Approximate Traditional Policymaking?

    • Do SDA decrease public’s consideration/deliberation?

    • Are SDA transparent?

    • Is stds’ downstream impact so embodied w/in code or technical compatibility details that it is obscured from public review?

  • SDA Participants Use Non-Gov’t Venues

    • Forum Shopping may be Widespread

      • Classic “Race to the Bottom”


Why are Standards Important?

  • Stds are emerging from obscurity

  • More widely understood to impact most economic activity

  • Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives

  • Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms


Sample of the Standards Research @ Penn State’s IST

  • Wireless Stds for Mobile Content & Apps

    • EX: Competition among J2ME, BREW, WAP, Flash

    • Carleen Maitland & Ankur Tarnacha

  • Incentives for SDA Participation

    • Regulator Signaling participation

    • Celestine Chukumba & John Bagby

  • Policy Influences on SDA

    • John W. Bagby

  • Standards Curriculum Development

    • Targeted to: Info. Sci. & Tech., Engr., Bus., Communications

  • Web Services Standards

    • Sandeep Purao, John W. Bagby & Prasenjit Mitra

    • NET Inst. WP #05-18 & ssrn.com id=850524


Web Services Standards

  • Content Analysis of Official SDO Archives documenting development of SOAP & WS-Addressing (WSADDR)

    • SOAP – Simple Object Access Protocol

      • Enables web apps to interoperate across various OS (Windows, Linux)

    • EX: Mtg (F2F & TeleConf) minutes, proposal drafts

      • ATLAS.ti, 90 codes assigned to text fragments

    • Some Key SDOs for Web Services Stds

      • World Wide Web Consortium (W3C)

      • Also: IETF, OASIS, WS-I

    • Roles Identified for Various Players (a/k/a Avatars)

      • Advocate, Architect, Bystander, Critic, Facilitator, Guru, Procrastinator

  • DSN: Design, Sense-making, Negotiation


Apply DSN Framework to SDA

  • Design, Sense-making, Negotiation

    • From:

      • Simon (1981),

      • Weick (1995),

      • Latour (1995)

    • Integrated by: Fomin, Keil, & Lyytinen 2003

  • Empirically validated by Mitra, Bagby & Purao

Standards Research Perspective

  • Acquire depth in some SDA areas to understand the technologies & impacts

    • Design: DOT, SAE, NHTSA, ITS, building codes

    • ICT: IEEE, W3C, IETF, IEC, FCC, EIA

    • Financial: AICPA, FASB, SEC, IRS, PCAOB

    • Environmental: EPA, OSHA

  • Acquire & refine depth in the crosscutting areas

    • Assumes all SDAs share challenges & opportunities

    • Stds accreditation: ANSI, NIST

    • International SDO: BSi, ISO, DIN

    • Legal Issues: Due Process, Rulemaking, Antitrust, IP, case law, SDA process


Policy Hypotheses of SDA

  • Quality of Standardization will Improve as SDA are Better Understood

  • Tools of Analysis from Public Policy & Political Economy Still Underutilized

  • SDA are collaborative processes

    • Infused with technical design

    • Largely by self-selected groups of interested constituents who assume standard roles/avatars

    • Participants must have foresight & resources to engage in protracted, frustrating political processes

  • But … Must Understand Standards Taxonomies


Why Standards May Impact CyberSecurity Methods

  • General Advantages of Standardization

    • Facilitates comparison, interoperability, competition

    • Attracts investment in compatible technologies, products & services

  • General Disadvantages of Standardization

    • Lock in old/obsolete technology

    • Resists favorable evolution or adaptation

    • Favors particular groups & disfavors particular groups

    • Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design


Defining Standard Terms

  • SSA – Std Setting Activity

    • Presumes traditional de jure authority, minimal policy

  • SSO – Std Setting Organization

    • Presumes choices from among technicalities reflecting physical constraints produced from empirical findings that define domains

  • SDO – Std Development Organization

    • Presumes contributions from various players

  • SDA – Stds Development Activity

    • Presumes substantial design component & std anticipates (precedes) compliant objects of std

    • Develops Voluntary Consensus Std (VCS)


Traditional Standards Taxonomy: Origins

  • de Jure

    • Emanate from authorized source (statute, regulation, caselaw, accredited SDO)

    • EX: FCC, EPA

  • de Facto

    • No direct endorsement by govt or SDO

    • Achieve critical mass in mkt

    • EX: OS (Windows), content interoperability (VHS)

  • Voluntary Consensus Standards

    • VCSB (Voluntary Consensus Standards Body) – NGO, consortia, private-sector venue

    • EX: most crucial Internet protocols


Traditional Standards Taxonomy: Origins

  • de Jure

    • Best suited when de Facto or VCSB rigor unlikely

      • Policy risks: inadequate, ineffectual, inefficient

      • EX: determining acceptable risks, setting protection level, balancing risk, cost, tech availability

  • de Facto

    • Less multi-participant coordination & delay, natural result of competition, liberty, flexibility

  • Voluntary Consensus Standards

    • Enhances Liberty, OK if due process strong


Taxonomy: Autonomy, Specificity, Precision in Implementation

  • Breadth of variance in compliance

  • Rules-based standards (precise & specific)

    • Most ICT stds & HIPAA security rules

    • Results of FTC caselaw interpreting G/L/B privacy

  • Principles-based standards (middle-ground)

    • FTC privacy security rule

    • Expected result of SEC pressure on some acctg stds

  • Principles-only standards (vague & interpretable)

    • SEC’s G/L/B CyberSecurity stds, Reg. S-P


Taxonomy: Object of Standardization

  • Technical/Interoperability vs. Behavioral/Professional

    • Major conundrum for CyberSecurity Stds

    • Likely to merge stds on ICT objects w/ mgmt processes

      • EX: security personnel must satisfy educational standards & credentialing; in practice must adhere to (potentially detailed and specified) stds prescribing their work methods & must satisfy professional/ethical conduct standards

      • Conformity assessment in most fields merges technical w/ behavioral certifications, so more like professional/behavioral

  • Educational stds for admission, performance evaluation, graduation, certification often considered technical


Taxonomy: Object of Standardization

  • Econ incentives for SDA participants

  • Behavioral/Professional: prisoner’s dilemma

    • Ward off regulation

    • Collective Insurance – every player’s incentive is to deviate from consensus std if perceived risk is low

  • Technical/Interoperability: Coordination problem

    • Enhances compatibility

    • Strengthens network effects

    • Not (as) much incentive to deviate unilaterally

      • But strong incentive to Own Alt Std


Taxonomy: Object of Standardization

  • Both Behavioral/Professional & Technical/ Interoperability Share Risk Mgt for failure

  • Source & situs of failure differs significantly

  • Legacy de jure

    • Regulatory mode, disciplinary professional bodies

    • Participants largely standardize to avert misconduct sanctions

    • Proactive in addressing profession’s moral hazards

    • React quickly to operational risks once identified

      • Insider SDA participants can maintain (moral) authority over behavioral regulation


Taxonomy: Object of Standardization

  • VCS processes largely enable technical/ interoperability

    • Coordinate collective activity to build new markets

    • Develop network, participants produce (or adapt) compliant products/services

    • Anticipatory Stds (substantial design component) before compliant production or service capacity investment or deployment

    • Risk Mgt differs: timing, pervasiveness

      • Initial inaction risks, poor quality shared by many participants

        • Failure to develop new mkt

        • Failure to achieve critical mass

      • Risk of interoperability failure impacts whole design

    • Late stage Risks maintain network's market

      • Flaws derived from a collective (cumbersome) design

  • BUT, generally not a moral hazard or technical design failure attributable to an individual participant, unlike the object of professional/behavioral stds


Taxonomy: Object of Standardization

  • OMB simply exempts professional conduct/ethical stds

  • OMB Cir.A-119 Definition of “Technical Std”

    • Common and repeated use of rules, conditions, guidelines or characteristics for products or related processes and production methods, and related management systems practices.

    • The definition of terms; classification of components; delineation of procedures; specification of dimensions, materials, performance, designs, or operations; measurement of quality and quantity in describing materials, processes, products, systems, services, or practices; test methods and sampling procedures; or descriptions of fit and measurements of size or strength

    • Note some emphasis on Design over Performance


Taxonomy: Object of Std – NIST’s Users & Purposes

  • NIST’s Standards.gov basic list

    • basic standards

    • terminology standards

    • test and measurement standards

    • product standards

    • process standards

    • service standards

    • interface standards

    • data standards

    • international standards

  • NIST’s Standards.gov ancillary list

    • company standards

    • harmonized standards

    • industry standards

    • government standards


Taxonomy: Stage of Conformity in Life Cycle of Std’s Object

  • NIST’s Conception:

    • “manner in which [stds] specify requirements”

      • Design stds define product characteristics or mfg. methods

      • Performance stds describe product’s function

  • OMB’s Conception

    • Performance Std states requirements in terms of required results, criteria for verifying compliance, avoids specifying methods for achieving required results

      • Defines functional requirements for the item, operational requirements, and/or interface & interchangeability characteristics

    • Design or prescriptive std specifies design requirements (e.g., materials used, how requirement achieved, how fabricated or constructed)

  • Means vs. Ends Test

  • THE Major Reg Reform Objective early-’80s


Antitrust/IP Aspects of Essential Facilities Object

  • Bottleneck Monopoly

    • Access restricted to cartel members

    • IP erects entry barriers

  • Related to Public Goods & Natural Monopolies

  • May Create Antitrust Duty to Deal or Compulsory IP Licensing

  • Standard may constitute an Essential Facility


IP-Antitrust Aspects of Standards Object

  • Customers can benefit unless standardization leads to price fixing, stifles innovation, or blocks competition

  • Antitrust Issues if Standards Impose Barrier to Entry or Substantially Lessen Competition, IP owner monopolizes related markets

  • Antitrust Issues:

    • Dominant system excludes interoperability

    • Tying imposed

    • Bullying of suppliers or customers

    • Proprietary IP underlying stds can erect barrier to entry


Allied Tube & Conduit Corp. v. Indian Head, 486 U.S. 492 (1988)

  • Facts

    • Allied Tube produced steel conduit threatened by PVC

    • Indian Head produced innovative PVC conduit

    • NFPA was private consortium including representatives from industry, labor, academia, insurers, medicine, firefighters, & govt

    • Allied Tube orchestrated votes to exclude PVC from 1981 Building Code by packing NFPA annual meeting with new members serving only to vote against PVC


Allied Tube & Conduit Corp. v. Indian Head, 486 U.S. 492 (1988)

  • Issue

    • What limits Petition Clause (Noerr-Pennington) immunity for private SDOs & their participants in influencing the SDA political process

  • Holding

    • Sham exception qualifies antitrust or tort immunity exposing private SDA activity to antitrust liability

    • Antitrust Violations: collusion, restraint of trade

  • Reasoning

    • Where the collective political activity “is a mere sham to cover up what is actually nothing more than an attempt to interfere directly with . . . business relationships”

    • Cannot bias SDA by stacking a private SDO with parties biased to restrict competition


The Patent Holdup Problem

  • SDA participants hold IP rights that may become components in stds

    • EX: copyrights in data compilations or language describing std; trade secrets in data or unique methods, patents (processes)

  • SDA non-disclosure until after lock-in

    • Ambush others w/ submarine patents

  • SDO rules may “request” ex ante disclosure


In re Dell Computer Corp., 121 F.T.C. 616 (1995)

  • Dell participated in the Video Electronics Standards Association (VESA) to develop VL video bus

  • Dell misrepresented in IP certification it held no IP in the VL-bus std

  • Dell sent out demand letters for recognition of ‘481 patent after wide adoption of VL-bus

  • FTC alleged unfair & deceptive trade practices

  • Consent decree bars Dell from enforcing IP in Stds


In re Unocal, FTC Docket No. 9305 (2003)

  • Unocal misrepresented to California’s Air Resources Board (CARB)

    • Unocal contributed (equations and data) for reformulated gasoline std (RFG)

  • Unocal aggressively pursued patent infringement after std adoption & refineries spent $ millions to comply

    • Won royalty judgments for up to $.0575 per gal.

    • Held up FTC approval of Chevron’s takeover

    • Now must dedicate all RFG patents to public


In re Rambus Inc., F.T.C. Docket No. 9302 (’02–’06)

FACTS:

http://www.ftc.gov/os/adjpro/d9302/index.htm

  • SDO venue = JEDEC; Rambus attended ’91–’95

    • Joint Electron Device Engineering Council

    • JC-42.3 Subcommittee on RAM Devices - DRAM protocols

  • Rambus designs, develops, licenses chip-connection tech

    • Avowed strategy – gain high royalties on RDRAM designs, establish RDRAM as de facto industry standard

  • 1992, Rambus broke ‘898 patent app into 10 divisional apps

    • As of 1/06: 50 RAM-related patent apps (citing ’898 as prior art) in 1990s

    • At least 33 apps still pending, more “minors” likely (apps < 18 mos. old, not yet published)

  • IP rights disclosures limited & misleading, violating JEDEC’s IP disclosure duty


In re Rambus Inc., F.T.C. Docket No. 9302 (’02–’06) (cont.)

  • Active infringement settlements w/ major DRAM mfgrs

    • Hynix, Samsung, Hitachi, Infineon, Micron

  • FTC appealing adverse ALJ ruling of charges:

    • Unfair methods of competition violate FTC Act §5

    • Rambus obtained monopoly power

    • Monopolizing synchronous DRAM mkt

    • Pattern of anticompetitive & exclusionary acts

    • Unreasonably restrains trade

  • Electronic Data Discovery (EDD) impact

    • Spoliation of electronic documents: Rambus lost attorney-client privilege


Due Process Constraints on SDA Processes

  • ANSI “Essential” Due Process Requirements

    (1) openness (2) lack of dominance (3) balance (4) notification (5) consideration (6) consensus (7) appeals (8) written procedures

  • OMB Circular No. A-119

    • (i) openness, (ii) balance of interest, (iii) due process, (iv) an appeals process, (v) consensus

  • Standards Development Organization Advancement Act (SDOAA)

    • Notice of particular SDA to affected parties

    • Opportunity to participate in SDA

    • Balancing interests to avoid SDA domination by any single group

    • Ready access to proposals and final standards

    • Consideration of all views and objections

    • Substantial agreement on all material points before reaching final standards

    • Right to express positions in SDA

    • Right to consideration of positions by SDO

    • Right to appeal adverse SDO decisions


Strategic Aspects of SDA

  • US Patent Law Provisions:

    • 18-month patent application confidentiality

    • US’s first-to-invent rule further obscures

    • One-year grace period before filing

    • Strong infringement remedies (but see eBay v. MercExchange (2006) on injunctions)

  • US Patent Law Provides Cover

    • Obscures participant’s IP raising hold-up risks

    • Raises ex ante IP search costs; who pays?

    • Provisional Pat Apps attenuate costs

  • Enforceable SDO IP disclosure rules are key


Recommended Public Policies

  • Stronger requirements for disclosure of R&D, patents held & patent apps relating to the std

    • May require uniform Federal requirements

  • Require RAND licensing terms for SDA participant’s IP rights

  • Limit SDO participant’s control retained over tech developed in SDA

  • RAND (3G royalty rate is 125%)

