The Need for TCCB

How bad is endpoint security out there?

Why do we need a new standard-setting and certification body, and related open target architecture, that achieves levels of trustworthiness that are radically beyond state-of-the-art, while increasing public safety and cyber-investigation capabilities?!

Revelations in the last decade, including the widespread availability of CIA hacking tools on the deep web, have made it clear that large corporate, financial and public institutions – and of course ordinary citizens – are much more exposed to scalable and targeted endpoint attacks by an ever-larger number of competitors, criminals, and abusive states than previously thought.

What is often unreported – but well known in top boardrooms and governments – is the impressively low cost and high scalability of such attacks, carried out at scale by many private and public actors, and by those that rent out their capabilities, with very little chance of accountability or attribution.

State tools like NSA Turbine and NSA FoxAcid, or their private equivalents like Hacking Team RCS or NSO Group Pegasus, are capable of the automated or semi-automated exploitation and remote management of up to hundreds of thousands of compromised mobile devices.

Today’s commercially available IT technologies – even those meant for the most societally critical use cases – are radically below the level of trustworthiness that is desired, demanded, or required by their users for sensitive or critical scenarios, as we have seen from the SolarWinds, Capital Pipeline and OPM hacks.

Current standards and certifications are neither strong nor comprehensive enough to deliver such levels of trustworthiness. This produces enormous societal costs and risks of hampered economic and social progress, especially given their impact on our democratic institutions and on the future of artificial intelligence.

What is wrong with current standards and certifications?

Current IT security standards, standard-setting and certification processes like NIST, ISO, ETSI – even those of the highest levels of security, such as Common Criteria, FIPS, SOGIS, EU Top Secret, NATO Top Secret – have one or more of the following severe shortcomings:

  • do not certify any complete end-to-end computing experience, including endpoints and their lifecycle, but only a subset of it: individual devices, server-side service stacks, or processor components;

  • include only partially, if at all, certification of all critical hardware designs and their fabrication phase and, when these are included, the requirements are inadequate and incomplete for resisting advanced attackers;

  • are developed in opaque ways by standard organizational processes that are only very indirectly (and inadequately) user- or citizen-accountable, and subject to various undue state pressures;

  • impose dubious cryptographic requirements, such as “national crypto standards” mandating inadequate elliptic curves, that leave substantial doubts about the ability of certain national agencies (and potentially others) to bypass them;

  • certify endpoints that are embedded into, or critically connected to, other endpoints or systems that are not subject to the same certification processes;

  • have very slow and costly certification processes, due to various organizational inefficiencies and to the fact that they mostly certify large (and often new) proprietary target architectures, rather than an extension of certified and open ones.

Why do such certifications need to include an in-person legitimate lawful access mechanism? 

Because standards are not broken for lack of capability. Only one out of 16 million flights results in an accident. We are extremely good at security and safety engineering and at certification.

All IT and IT standards are broken, by design, at birth, because of the need of national security agencies to hack systems in order to fulfill their legitimate and crucial missions.

How can we use the same governance model and socio-technical paradigms that we need to ensure ultra-high assurance levels to sufficiently mitigate the risk of abuse of a mechanism that enables legitimate lawful access? In this long 2018 Position Paper for the Trustless Computing Certification Body, including a 1-page abstract, we explain how.