Sunday, September 22, 2013

A Youthful Idiot's Take on the Common Criteria

I am only twenty-seven years old with a little more than five years of experience in Information Assurance. The collective wisdom, experiences, and vantage points of the giants of our field make what I have learned and done insignificant in comparison. Nevertheless, my passion for the art of computer security may likely be greater. With my inexperience comes youthful naivety and a drive to want to see the ideal be realized. I am regularly living the excitement of discovery that my seniors have come to know well beyond familiarity. I am the youthful idiot who wants to do what most others believe is impossible. It's this reckless optimism, the innocent taboo questions, the willingness to violate prior assumptions that makes me and those from my generation valuable to you as a community. What is the community doing to keep my generation interested and engaged? I fear the answer is quite disappointing.

The Common Criteria community at large, and NIAP and its close partners in particular, is removing the notion of architectural assurance from security. They have reached the conclusion that their stakeholders benefit more from focused conformance testing than they do from an architectural review. In a practical sense, this amounts to asking evaluators to set firewall rules and check that packets are indeed blocked, rather than asking them to study and understand the internal data flow of the firewall to determine that the claimed functionality is actually sufficient to meet its objectives. While I cannot fault anyone for making their own value judgments, I cannot help but wonder if the Common Criteria community wouldn't be upset to see passionate young professionals take their enthusiasm elsewhere.

Very personally speaking, what inspires me to work for atsec is the shared belief in the importance of careful, deliberate, and holistic information assurance. When I first joined the company, I found that the Common Criteria echoed these values, and I grew to appreciate what it was and what it had set out to achieve. Of course, just like anyone involved in the certification process, I ran afoul of the deficiencies in the standard that the community hadn't ironed out yet, but I had believed that would all come in time. Wielded expertly, I saw that the Criteria could be used as a robust methodology for tracking down serious design flaws and for assuring and reassuring end users of the claims made by developers.

Over the last several years, I've seen the Common Criteria community diverge from the original goals I thought it strove for. First, I witnessed the destruction of its flexibility in meeting the varied assurance demands of the industry. The community rightfully recognized that consumers of certified products were not being served effectively by a coarse and vaguely specified leveled assurance methodology. However, with its enthusiasm to eradicate what didn't work, it failed to replace it with something that did, leaving the community in chaos. Without a path forward, government agencies, critical infrastructure, finance, and other industries with highly valued assets had no way of answering the questions posed by their stakeholders: Why should I trust these systems with our lives and livelihoods?

As I watched and participated in our progress—albeit distantly as an evaluator behind the scenes—the community began figuring out that tailoring assurance for specific technical classes of products was the most sensible solution, and though the birth of the protection profile was many years ago, it was reborn when we rediscovered its value as a community. However, the execution of these protection profiles has obliterated the Criteria's original goal of curating a comprehensive catalog of security mechanism descriptions that are comparable and compatible internationally. A vast majority of the profiles created since the CCRA shifted its weight make only superficial reference to the Criteria, and I am uncomfortable using them. If I were asked to evaluate them, I would be forced to fail them, because they are clearly not conformant to the Common Criteria. Authors have all but re-written Part 2 of the Common Criteria without providing any more of a rationale than that the formalism is irritating. However irritating it is, formalism is a way of communicating effectively through time and across national borders. When authors capriciously change the formal language, evaluators are forced to ask, “What was the purpose of that change?” As Miguel Banon very wisely pointed out at the 14th ICCC in Orlando, despite our efforts to provide the world with achievable, repeatable, and testable criteria, we have accomplished precisely the opposite.

In my five years, I have witnessed the destruction of a great portion of what makes the Common Criteria extraordinary. From within atsec, I see the desperation that Sal, Helmut, Fiona, Staffan, and Gerald have to hold this community together. Their sharp criticism stems from the stewing frustration that bubbles up from our evaluators, our customers, and our fellow labs who I'm very certain are just as dedicated to information assurance as we are.

What I—and all the rest of your colleagues from my generation—cannot provide you with is the capability, wisdom, or knowledge that comes from decades of experience. We cannot offer sage advice on entropy testing methodologies. We cannot provide guidance on how to set up a technical community with international members. We cannot connect the dots between old Orange Book certifications and new operating system evaluations. There are giants still among us willing to share that. What we do represent is the potential future of your community. We are sponges for knowledge, eager to engage in the problems you have tackled before us. If you take information assurance out of the Common Criteria—the same source of passion that enthralled you when you were in our shoes—we will innovate elsewhere.

To drive home the point, the University of Texas, my alma mater, was recognized by the NSA/CSS as a “National Center of Academic Excellence in IA Education” a year or so after I graduated. The goal of the program, as stated on the NSA website, is “to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines.” Yet how are these goals at all consistent with the dilution of information assurance in the industry that we have all witnessed? When held in stark comparison to these goals, I find it quite astonishing that NVLAP, the accreditation body for laboratories in the U.S., has removed its requirement for CC Part 3 assurance proficiency. While I'm just a guy who likes to fix broken things (and break fixed things), I'm afraid you might have to deal with the very real situation that the next information security savant is somewhere out there feeling just as disenchanted and disappointed in the state of information assurance as I am.

From my humble office chair, I struggle to see how I can make a discernible difference. Traveling to the ICCC this year, I found myself out of place. There's so much reminiscing about the Orange Book, the Federal Criteria, ITSEC, and reports by some dude named Anderson. And yet, where are the Andersons of my generation? Where are the Schells? Where are the Kurths? What is our community doing to embrace my generation to foster new security geniuses other than scorching the Earth and leaving us the pleasure of reinventing from scratch?

By Jeremy Powell
