Monday, September 2, 2013

Marketing the CC: It's all about Trust

Shall we call our new product "honey" or "bee vomit"?

When it comes to selling products, you need to choose your words wisely, or you might offend your customers and not sell anything at all. Still, using clever wording to hide your intentions most often only buys you some time, until your customers realize that your 97% fat-free yoghurt was not so fat-free after all. (I'd rather go for a 100% fat-free beer, just to be safe :-)

While starting to pack my things to leave for Orlando, I am wondering about some of the wording we have become accustomed to, and I also wonder how much of a marketing event the upcoming ICCC is going to be, and for whom.


One of the key aspects of marketing the CC is that it is a brand. It is not a product brand of the kind vendors use for their own products. Instead, it is a brand associated with the trust that others may place in the products bearing the logo. The Common Criteria logo is a registered trademark*, and its use is regulated because it has value. The CC brand is all about trust.

But what is the value of the brand? A brand conveying trust must itself be recognised as trustworthy, judged by criteria such as credibility, who is supplying the trust, the core values of the CCMC, the goals of the CCRA, and openness and transparency.

Even the name itself is a key part of the brand: "Common Criteria."* To what does the "common" refer: the standards containing the criteria, the framework in which they are applied, or both?

Perhaps the "Common Criteria"* brand, as we have previously established, used and relied upon it, is eroding.

Do we still have a common understanding of what assurance the certificates provide? Are customers really prepared to trust a certificate, no matter where it comes from? With every cPP defining its own evaluation methodology and disregarding Part 3 of the CC as the common assurance framework, can we really claim this to be either "common" or "criteria" at all, and still respect the common framework that has been built over the years?

For the upcoming ICCC panel discussion on "Marketing the CC," I am curious what the topics will be. I myself have some ideas for promoting the acceptance of the "New CC" (did you notice that there are no "New CC" standards? That's probably just another marketing gag.):

1. What are the goals of the CCRA?

The CCRA is the basis for conveying trust. It has been used to establish trust in support of commercial trade, as well as to help establish some of the security assurance for those involved with government systems, or even for just a subset of government organizations.

One of the goals of the CCRA is to support international trade and to support national vendors and developers in their goal of being successful globally. To support this goal it is important that national certificates are accepted by other governments and companies worldwide. In that scenario it is not helpful if the organization running your national scheme has core competences that include clandestinely breaking into systems, eavesdropping on communications and disseminating disinformation. It makes sense to entrust such agencies with your national computer security, but it works really poorly in the international arena. Others simply have a hard time figuring out whether the schemes are being honest or fooling them again.

The CCRA was signed by many of the world's key national security agencies, and some nations have since forgotten or sidelined that commercial goal; as the world changed, they have not promulgated that the CC may also be used outside of national security systems, for systems needing less assurance than those.

At least some of the certificate-issuing nations have built their scheme outside their intelligence community; for example, Turkey has chosen its national standards body to host its scheme, although such a change is probably very hard for most nations. The U.S. originally envisaged this by founding the National Information Assurance Partnership (NIAP), with both the NSA and NIST as signatories of the CCRA (although, of course, the current situation is that NIST's involvement is restricted to supporting the NSA-led scheme by accrediting labs to the U.S. equivalent of ISO/IEC 17025). As a major certificate-issuing nation, the U.S. could show commitment and leadership by having NIST come back into its original issuing role for the commercial sector.

My hope here is that the CCUF will break up the navel-gazing of government agencies focused on their own procurement, who suppose that "if it's good for us, it's good for everybody else". The CCUF should open the view to other markets, acknowledging that different markets have different assurance requirements, even for the same product type. "A good marketing organization listens to its customers. We hear you!", if you get my drift :-)

At the very least, if providing assurance to others outside national security systems is no longer a goal of the CCRA, then that change should be clearly communicated.

2. In whom do we place our trust?

My understanding is that the CCMC is responsible for managing the international agreement that is the CCRA.

Today, center stage in the CCMC is given to partners from the "five eyes" club, their contractors and collaborating companies.

When thinking about marketing, it makes me wonder whether this is such a good idea. Clearly, the hosting country is expected to provide some focus on how the CC are used locally, but given the current propaganda about "five eyes" club members being involved in massive spying on their own and other nations' citizens, I would rather suggest a more open debate on how, given these associations, that issue might affect the CC brand. What effect does this have on the perceptions of end users and consumer nations, and on their trust in the certificates issued?

3. Credibility:

The CCRA is first and foremost about the trust that the signatory issuing nations have vested in the awarded certificates.

The CC and CEM are standards intended to be used by many nations, and they provide at least part of the basis of trust for the CCRA. They are internationally agreed standards. When the CCDB was first established, it was intended that the standards become international standards, and indeed they were submitted to ISO and fast-tracked as ISO/IEC 15408 and ISO/IEC 18045. The CCDB is a closed community whose task was to bring together the various national criteria from various national agencies; ISO's role was to foster open development, allowing input from the commercial community and from IA experts around the globe. This happened, and for a while the two communities worked together to keep the two sets of standards in line as the CC and CEM evolved.

Of course, as we can observe, the CCDB did not "let go" of the standards development as was intended, and the current CCRA specifies equivalency to a particular version of the ISO standards. ISO is therefore "stuck in the doldrums", staying in sync with currently unmaintained standards, and this leaves a loophole that allows signatory nations to bypass the CCRA by specifying the current ISO standards as national standards, and hence to produce national policy that is outside the intention of the CCRA.

Of course, this may not be so simple when governments, in order to save money, specify that COTS products be used in national security systems wherever possible. While that is, of course, a matter of national prerogative, the credibility issue arises when the morphing of the CC paradigm, and the policies surrounding cPPs, are seen as a thinly disguised method of converting COTS (which draws its requirements from the larger global market) to GOTS (which draws its requirements from government specifications).

4. Transparency:

Another mistake being made is that the "5 eyes club" seems to be subverting the CC brand by morphing the whole CC paradigm into a low-assurance one. The flexibility to pick the appropriate level of assurance, which is the cornerstone of the CC, is being removed. Unspoken, but visible through observation, are the close similarities between the current U.S. approach and the UK's CPA scheme. While that is a perfectly valid approach to addressing national assurance requirements, it is a huge marketing mistake that undermines the CC brand.

You see, it is not CC at all (it is one perfectly valid corner use case for the CC), but it is being sold to consumers as the "new CC." That is a huge marketing mistake and leads to reduced credibility and opaqueness! By some definitions the tactic could even be described as fraud or counterfeiting.

The forthcoming ICCC panel discussion on "Marketing the CC" is scheduled with U.S. panelists only, and the panel discussion about "Widening the use of CC for End users Worldwide" originally had just one European telecom supplier as the only panelist not too deeply entangled with the "five eyes" intelligence community. This supplier does not even have any CC-certified products. Now let's see whether the panel will include other developers who do pursue CC certification on this basis. Perhaps the brand would be much enhanced if the program committee put national politics to one side and reflected the diversity that is CC, allowing Europeans, Asians, and perhaps even developers that use the CC but are headquartered outside a CC signatory nation.

5. Don't change everything at once:

The CC standards have been a success story in the past not because new features were added every month, but because they distilled decades of experience with security evaluations into a commonly accepted framework. Back then, the CC actually marketed themselves.

As with every aging house, renovations are due every now and then. If you don't like your house anymore, it's even fine to build a new one. However, it's quite silly to burn down the old house first and only then start thinking about how to build the new one, especially when other people still live in it.

Gerald Krummeck
atsec GmbH Laboratory Manager

* "Common Criteria" and the associated logo are a registered trademark of the National Security Agency, Federal Agency, United States, ATTN: AGC (IP&T), 9800 Savage Road, Suite 6542, Fort Meade, Maryland 20755-6542.

1 comment:

  1. I find your comments insightful and on point.

    I'm glad to see that others share concerns with the "improvements" that affect the Common Criteria, and the impact of scheme-specific policies on mutual recognition.

    Thank you for sharing your thoughts. I hope atsec is able to make a difference at ICCC.

