
The Emerging Standards War in CyberSpace Security


Presentation Transcript


  1. The Emerging Standards War in CyberSpace Security John W. Bagby College of Information Sciences & Technology The Pennsylvania State University

  2. Standards ARE Important!
  • Standards Impact Nearly All Fields
  • SDA Participants, Affected Parties, Int’l Orgs, Gov’t Agencies, SROs, NGOs
  • eCommerce & Internet largely dependent on Stds:
    • EX: html, http, 802.11, x.25 packet switching …
  • Stds Embody Considerable Innovation
  • SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std
  • Std Innovation Occurs in Various Venues
    • Inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, indus. consortia)

  3. Why are Standards Important?
  • Stds Increasingly an Emerging Source of Policy
    • Lessig’s Code cited for IT trend:
    • Public policy embedded in s/w, f/w, h/w & ICT stds
  • Do SDA Approximate Traditional Policymaking?
    • Do SDA decrease public’s consideration/deliberation?
    • Are SDA transparent?
    • Are stds’ downstream impacts so embodied w/in code or technical compatibility details that they are obscured from public review?
  • SDA Participants Use Non-Gov’t Venues
    • Forum Shopping may be Widespread
    • Classic “Race to the Bottom”

  4. Why are Standards Important?
  • Stds are emerging from obscurity
  • More widely understood to impact most economic activity
  • Increasingly viewed less as technically objective matters; more as arbitrary choices from among near-infinite alternatives
  • Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms

  5. Sample of the Standards Research @ Penn State’s IST
  • Wireless Stds for Mobile Content & Apps
    • EX: Competition J2ME, BREW, WAP, Flash
    • Carleen Maitland & Ankur Tarnacha
  • Incentives for SDA Participation
    • Regulator Signaling participation
    • Celestine Chukumba & John Bagby
  • Policy Influences on SDA
    • John W. Bagby
  • Standards Curriculum Development
    • Targeted to: Info. Sci. & Tech., Engr., Bus., Communications
  • Web Services Standards
    • Sandeep Purao, John W. Bagby & Prasenjit Mitra
    • NET Inst. WP #05-18 & ssrn.com id=850524

  6. Web Services Standards
  • Content Analysis of Official SDO Archives documenting development of SOAP & WSADDR
    • SOAP - Simple Object Access Protocol
    • Enables web apps to operate on various OS (Win, Linux)
    • EX: Mtg (F2F & TeleConf) minutes, proposal drafts
    • Atlas.ti, 90 Codes assigned to text fragments
  • Some Key SDOs for Web Services Stds
    • World Wide Web Consortium (W3C)
    • Also: IETF, OASIS, WS-I
  • Roles Identified for Various Players (a/k/a Avatars)
    • Advocate, Architect, Bystander, Critic, Facilitator, Guru, Procrastinator
  • DSN: Design, Sense-making, Negotiation

  7. Apply DSN Framework to SDA
  • Design, Sense-making, Negotiation
  • From: Simon (1981), Weick (1995), Latour (1995)
  • Integrated by: Fomin, Keil, & Lyytinen 2003
  • Empirically validated by Mitra, Bagby & Purao

  8. Observed Roles

  9. SOAP Standardization Process

  10. Content analysis software
  • Atlas.ti

  11. Standards Research Perspective
  • Acquire depth in some SDA areas to understand the technologies & impacts
    • Design: DOT, SAE, NHTSA, ITS, building codes
    • ICT: IEEE, W3C, IETF, IEC, FCC, EIA
    • Financial: AICPA, FASB, SEC, IRS, PCAOB
    • Environmental: EPA, OSHA
  • Acquire & refine depth in the crosscutting areas
    • Assumes all SDAs share challenges & opportunities
    • Stds accreditation: ANSI, NIST
    • International SDO: BSi, ISO, DIN
    • Legal Issues: Due Process, Rulemaking, Antitrust, IP, case law, SDA process

  12. Policy Hypotheses of SDA
  • Quality of Standardization will Improve as SDA are Better Understood
  • Tools of Analysis from Public Policy & Political Economy Still Underutilized
  • SDA are collaborative processes
    • Infused with technical design
    • Largely by self-selected groups of interested constituents who assume standard roles/avatars
    • Participants must have foresight & resources to engage in protracted, frustrating political processes
  • But … Must Understand Standards Taxonomies

  13. Why Standards May Impact CyberSecurity Methods
  • General Advantages of Standardization
    • Facilitates comparison, interoperability, competition
    • Attracts investment in compatible technologies, products & services
  • General Disadvantages of Standardization
    • Lock in old/obsolete technology
    • Resists favorable evolution or adaptation
    • Favors particular groups & disfavors particular groups
  • Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design

  14. Defining Standard Terms
  • SSA - Std Setting Activity
    • Presumes traditional de jure authority, minimal policy
  • SSO - Std Setting Organization
    • Presumes choices from among technicalities reflecting physical constraints produced from empirical findings that define domains
  • SDO - Std Development Organization
    • Presumes contributions from various players
  • SDA - Stds Development Activity
    • Presumes substantial design component & std anticipates (precedes) compliant objects of std
    • Develops Voluntary Consensus Std (VCS)

  15. Traditional Standards Taxonomy: Origins
  • de Jure
    • Emanate from authorized source (statute, regulation, caselaw, accredited SDO)
    • EX: FCC, EPA
  • de Facto
    • No direct endorsement by govt or SDO
    • Achieve critical mass in mkt
    • EX: OS (Windows), content interoperability (VHS)
  • Voluntary Consensus Standards
    • VCSB – NGO, consortia, private-sector venue
    • EX: most crucial Internet protocols

  16. Traditional Standards Taxonomy: Origins
  • de Jure
    • Best suited when de Facto or VCSB rigor unlikely
    • Policy risks: inadequate, ineffectual, inefficient
    • EX: determining acceptable risks, setting protection level, balancing risk, cost, tech availability
  • de Facto
    • Less multi-participant coordination & delay, natural result of competition, liberty, flexibility
  • Voluntary Consensus Standards
    • Enhances Liberty, OK if due process strong

  17. Taxonomy: Autonomy, Specificity, Precision in Implementation
  • Breadth of variance in compliance
  • Rules-based standards (precise & specific)
    • Most ICT stds & HIPAA security rules
    • Results of FTC caselaw interpreting G/L/B privacy
  • Principles-based standards (middle-ground)
    • FTC privacy security rule
    • Expected result of SEC pressure on some acctg stds
  • Principles-only standards (vague & interpretable)
    • SEC’s G/L/B CyberSecurity stds Reg. SP

  18. Taxonomy: Object of Standardization
  • Technical/Interoperability vs. Behavioral/Professional
  • Major conundrum for CyberSecurity Stds
    • Likely to merge stds on ICT objects w/ mgmt processes
    • EX: security personnel must satisfy educational standards and credentialing; in practice must adhere to (potentially detailed and specified) stds prescribing their work methods; & must satisfy professional/ethical conduct standards
  • Conformity assessment in most fields merges technical w/ behavioral certifications, so more like professional/behavioral
  • Educational stds for admission, performance evaluation, graduation, certification often considered technical

  19. Taxonomy: Object of Standardization
  • Econ incentives for SDA participants
  • Behavioral/Professional: prisoner’s dilemma
    • Ward off regulation
    • Collective Insurance - every player’s incentive is to deviate from consensus std if perceived risk low
  • Technical/Interoperability: Coordination problem
    • Enhances compatibility
    • Strengthens network effects
    • Not (as) much incentive to deviate unilaterally
    • But strong incentive to Own Alt Std

  20. Taxonomy: Object of Standardization
  • Both Behavioral/Professional & Technical/Interoperability Share Risk Mgt for failure
  • Source & situs of failure differs significantly
  • Legacy de jure
    • Regulatory mode, disciplinary professional bodies
    • Participants largely std to avert misconduct sanctions
    • Proactive in addressing profession's moral hazards
    • React quickly to operational risks once identified
    • Insider SDA participants can maintain (moral) authority over behavioral regulation

  21. Taxonomy: Object of Standardization
  • VCS processes largely enable technical/interoperability
    • Coordinate collective activity to build new markets
    • Develop network, participants produce (or adapt) compliant products/services
    • Anticipatory Stds (substantial design component) before compliant production or service capacity investment or deployment
  • Risk Mgt differs: timing, pervasiveness
    • Initial inaction risks, poor quality shared by many participants
      • Failure to develop new mkt
      • Failure to achieve critical mass
      • Risk of interoperability failure impacts whole design
    • Late stage Risks maintain network's market
      • Flaws derived from a collective (cumbersome) design
    • BUT, generally not moral hazard or technical design failure attributable to an individual participant, unlike objective of professional/behavioral

  22. Taxonomy: Object of Standardization
  • OMB simply exempts professional conduct/ethical
  • OMB Cir. A-119 Definition of “Technical Std”
    • Common and repeated use of rules, conditions, guidelines or characteristics for products or related processes and production methods, and related management systems practices.
    • The definition of terms; classification of components; delineation of procedures; specification of dimensions, materials, performance, designs, or operations; measurement of quality and quantity in describing materials, processes, products, systems, services, or practices; test methods and sampling procedures; or descriptions of fit and measurements of size or strength
  • Note some emphasis on Design over Performance

  23. Taxonomy: Object of Std - NIST’s Users & Purposes
  • NIST’s Standards.gov basic list
    • basic standard
    • terminology standards
    • test and measurement standards
    • product standards
    • process standards
    • service standards
    • interface standards
    • data standards
    • international standards
  • NIST’s Standards.gov ancillary list
    • company standards
    • harmonized standards
    • industry standards
    • government standards

  24. Taxonomy: Stage of Conformity in Life Cycle of Std’s Object
  • NIST’s Conception:
    • “manner in which [stds] specify requirements”
    • Design stds define product characteristics or mfg
    • Performance stds describe product’s function
  • OMB’s Conception
    • Performance Std states requirements in terms of required results, criteria for verifying compliance; avoids specifying methods for achieving required results
    • Defines functional requirements for the item, operational requirements, and/or interface & interchangeability characteristics
    • Design or prescriptive std specifies design requirements (e.g., materials used, how requirement achieved, how fabricated or constructed)
  • Means vs. Ends Test
    • THE Major Reg Reform Objective early-’80s

  25. Antitrust/IP Aspects of Essential Facilities
  • Bottleneck Monopoly
    • Access restricted to cartel members
    • IP erects entry barriers
  • Related to Public Goods & Natural Monopolies
  • May Create Antitrust Duty to Deal or Compulsory IP Licensing
  • Standard may constitute an Essential Facility

  26. IP-Antitrust Aspects of Standards
  • Customers can benefit unless standardization leads to price fixing, stifles innovation, or blocks competition
  • Antitrust Issues if Standards Impose Barrier to Entry or Substantially Lessen Competition, or IP owner monopolizes related markets
  • Antitrust Issues:
    • Dominant system excludes interoperability
    • Tying imposed
    • Bullying of suppliers or customers
    • Proprietary IP underlying stds can erect barrier to entry

  27. Allied Tube & Conduit Corp. v. Indian Head, 486 U.S. 492 (1988)
  • Facts
    • Allied Tube produced steel conduit threatened by PVC
    • Indian Head produced innovative PVC conduit
    • NFPA was private consortium including representatives from industry, labor, academia, insurers, medicine, firefighters, & govt
    • Allied Tube orchestrated votes to exclude PVC from 1981 Building Code by packing NFPA annual meeting with new members serving only to vote against PVC

  28. Allied Tube & Conduit Corp. v. Indian Head, 486 U.S. 492 (1988)
  • Issue
    • What limits Petitions Cl. immunity for private SDOs & their participants in influencing the SDA political process
  • Holding
    • Sham exception qualifies antitrust or tort immunity, exposing private SDA activity to antitrust liability
    • Antitrust Violations: collusion, restraint of trade
  • Reasoning
    • where the collective political activity “is a mere sham to cover up what is actually nothing more than an attempt to interfere directly with . . . business relationships”
    • Cannot bias SDA by stacking a private SDO with parties biased to restrict competition

  29. The Patent Holdup Problem
  • SDA participants hold IP rights that may become components in stds
    • EX: copyrights in data compilations or language describing std; trade secrets in data or unique methods; patents (processes)
  • SDA non-disclosure until after lock-in
    • Ambush others w/ submarine patents
  • SDO rules may “request” ex ante disclosure

  30. In re Dell Computer Corp., 121 F.T.C. 616 (1995)
  • Dell participated in the Video Electronics Standards Association (VESA) to develop VL video bus
  • Dell misrepresented in IP certification that it held no IP in the VL-bus std
  • Dell sent out demand letters for recognition of ‘481 patent after wide adoption of VL-bus
  • FTC alleged unfair & deceptive trade practices
  • Consent decree bars Dell from enforcing IP in Stds

  31. In re Unocal, FTC #9305 (2003)
  • Unocal misrepresented to CA’s (CARB)
  • Unocal contributed (equations and data) for reformulated gasoline std (RFG)
  • Unocal aggressively pursued patent infringement after std adoption & refineries spent $ millions to comply
  • Won royalty judgments for up to $.0575 per gal.
  • Held up FTC approval of Chevron’s takeover
  • Now must dedicate all RFG patents to public

  32. In re Rambus Inc., F.T.C. Docket No. 9302 (’02-’06)
  FACTS: http://www.ftc.gov/os/adjpro/d9302/index.htm
  • SDO venue = JEDEC; Rambus attended ‘91 – ‘95
    • Joint Electron Device Engineering Council
    • JC-42.3 Subcommittee on RAM Devices - DRAM protocols
  • Rambus designs, develops, licenses chip-connection tech
    • Avowed strategy – gain high royalties on RDRAM designs, establish RDRAM as de facto industry standard
  • 1992, Rambus broke ‘898 patent app into 10 divisional apps
    • 1.06: 50 RAM-related patent apps (cite ‘898 prior art) in 1990s
    • at least 33 apps still pending, more “minors” likely (apps < 18 mos)
  • IP rights disclosures Ltd & misleading, violating JEDEC’s IP disclosure duty

  33. In re Rambus Inc., F.T.C. Docket No. 9302 (’02-’06)
  • Active infringement settlements w/ major DRAM Mfgrs
    • Hynix, Samsung, Hitachi, Infineon, Micron
  • FTC appealing adverse ALJ ruling of charges:
    • Unfair methods of competition violate FTC Act §5
    • Rambus obtained monopoly power
    • Monopolizing synchronous DRAM mkt
    • Pattern of anticompetitive & exclusionary acts
    • Unreasonably restrains trade
  • Electronic Data Discovery (EDD) impact
    • Spoliation of electronic documents: Rambus lost attorney-client privilege

  34. Due Process Constraints on SDA Processes
  • ANSI “Essential” Due Process Requirements
    • (1) openness (2) lack of dominance (3) balance (4) notification (5) consideration (6) consensus (7) appeals (8) written procedures
  • OMB Circular No. A-119
    • (i) openness, (ii) balance of interest, (iii) due process, (iv) an appeals process, (v) consensus
  • Standards Development Organization Advancement Act (SDOAA)
    • Notice of particular SDA to affected parties
    • Opportunity to participate in SDA
    • Balancing interests to avoid SDA domination by any single group
    • Ready access to proposals and final standards
    • Consideration of all views and objections
    • Substantial agreement on all material points before reaching final standards
    • Right to express positions in SDA
    • Right to consideration of positions by SDO
    • Right to appeal adverse SDO decisions

  35. Strategic Aspects of SDA
  • US Patent Law Provisions:
    • 18 Mo Patent App Confidentiality
    • US’s 1st to Invent further obscures
    • One Year Grace before Filing
    • Strong infringement remedies (But, recent eBay inj)
  • US Patent Law Provides Cover
    • Obscures participant’s IP, raising hold-up risks
    • Raises ex ante IP search costs; who pays?
    • Provisional Pat Apps attenuate costs
  • Enforceable SDO IP disclosure rules are key

  36. Recommended Public Policies
  • Stronger requirements for disclosure of R&D, patents held & patent apps relating to the std
    • May require uniform Federal requirements
  • Require RAND licensing terms for SDA participant’s IP rights
    • Limits SDO participant’s control retained over tech developed in SDA
    • RAND (3G royalty rate is 125%)
