he Netherlands, the U.K., and the U.S. The CCv.1 is intended to replace the various national and regional criteria that have wreaked havoc for software and hardware developers operating in the international market.
Testing CCv.1
The current version of the CCv.1, issued in February, is now undergoing extensive international review and testing before it is accepted. If the various parties concerned manage to agree on a single set of common criteria for IT security, everyone stands to benefit. Users could make meaningful comparisons among security evaluations from different countries. Vendors would have only one evaluation procedure to implement, and extending a security approval from one country to another would cost them less. And IT managers could be more confident than they are today that their systems are secure enough for international use.
However, as with so many government initiatives that are not written into law, it's possible that the CCv.1 will never become anything more than a great idea.
A Common Document
The four-volume CCv.1 document is the result of an extensive international effort to align the source criteria from Canada (the Canadian Trusted Computer Product Evaluation Criteria, or CTCPEC), Europe (the Information Technology Security Evaluation Criteria, or ITSEC), and the U.S. (the Trusted Computer System Evaluation Criteria, or TCSEC, and the Federal Criteria). The CCv.1 divides IT security requirements into two kinds: functional requirements, which are grouped into protection profiles (see the sidebar "The Common Criteria, Version 1"), and assurance requirements, which are graded into evaluation assurance levels, the levels of trust that a user can put in a product.
Sead Muftic, president of Computer Security Technologies (COST) in Kista, Sweden, says, "These [evaluation] processes are very complicated and therefore may not be easily verified for efficiency, correctness, functionality, and appropriateness to specific implementations." However, he adds that the document matures as more countries join the CCv.1 consortium and more issues are covered.
John Pescatore, who works at Trusted Information Systems (Glenwood, MD), a computer-security and networking company, has worked on interpreting the differences between the U.S. series of standards and the CCv.1. He emphasizes the current voluntary status of the CCv.1 and explains that "countries, agencies, and companies can decide to enforce adherence to the Common Criteria, but they are not laws or regulations."
Will Costs Rise?
One major concern for companies with high security requirements is whether product certification will increase costs. Although CCv.1 backers play down these concerns, arguing that the additional evaluation will soon pay for itself by boosting international sales, it is likely that the costs will be passed on in the prices that customers pay.
Another vendor concern is how certification will be accomplished. Pescatore explains that, as with other security certifications in the U.S., the National Security Agency (NSA) will play a large role in validating the test methodology by contracting with external testing agencies. "It's a very expensive process," he adds, "and it's not clear what the value to vendors is -- unless governments or companies start mandating the use of [certified] products."
In the European Union (EU), it is not yet clear who will certify products. Industry observers expect EU countries to keep certifying against ITSEC under their current schemes until the new criteria are fully developed. They also believe that the major changes still to come to the CCv.1 will be driven by how North America certifies its products.
Who Watches Whom?
Another problem with the CCv.1 certification scheme is the old question of who polices the police. According to Ed Alexander, systems analyst with the Virginia-based Integrated Management Services, Inc. (IMSI), "Security clearances on individuals in an organization are about all you can rely on. Corporate reputation and relevant experience in the areas of security and protection are the only criteria that you can check." Furthermore, he doubts the feasibility of implementing the CCv.1 internationally. "Imposing standards, guidelines, and policies in a country with no legal precedent is akin to asking a rowdy biker gang to routinely bathe," he explains. "It's impossible to see to fruition because it requires the voluntary cooperation of all parties involved."
Several scenarios could lead to an internationally accepted evaluation scheme for IT security. International standards bodies, such as the ISO, might eventually publish the CCv.1 as a standard and hope that everyone follows it. Another approach would be EU legislation that makes compliance legally mandatory and fines and prosecutes those who flout the law. But such an approach usually meets resistance and can end up costing a great deal of money, and time spent in endless debate. Showing the benefits and hoping that the parties involved accept the plan may be the best solution.
However, in comparable situations such voluntary efforts have shown considerable flaws. The very few international agreements that have flourished for any significant length of time are those that hit the hoped-for participants where it hurts: in the wallet.
In either case, it is not only standards bodies and governments that must push the standard across international borders. Corporate users, too, must ask for an internationally consistent security certificate.
Where to Find
Computer Security Technologies (COST)
Kista, Sweden
Phone: +46 8 632 0540
Fax: +46 8 471 7722
E-mail: sead@cost.se
Internet: http://www.cost.se