26 April 2022
Making Cybersecurity Standards More Accessible
Despite the immense amount of collaborative international effort that goes into developing robust and timely standards, there is a growing concern that this work is not being deployed as widely as it should. Notably, putting standards behind paywalls often negatively impacts the accessibility and outreach of the results to a wider audience which has a detrimental impact on both standards experts and system developers. This applies generally but cybersecurity issues are particularly critical and need to be addressed swiftly.
Hence, CyberSec4Europe has been investigating how the situation could be improved. Firstly, we carried out an analysis using assessment criteria developed through discussions in the project, on documentation from a number of the major standards development organisations (SDOs) currently developing projects addressing aspects which are cybersecurity related. The objective of this analysis is to allow cybersecurity researchers, policymakers and actors from the private sector in the EU to better understand the operation of these organisations and to facilitate the process of deciding which of them to collaborate or associate with. The intention is to encourage participation in such organisations and to speed up the development of cybersecurity standards.
More precisely, the assessment investigates eight standard organisations, selected to cover a wide range of governance models, based on a methodology that defines eight evaluation criteria – openness, impact, governance, maturity, stability, effectiveness and relevance, coherence and the development dimension.
Organisations with national representation following the UN model
CEN/CENELEC is a European standardisation organisation, operating within the framework of EU Regulation 1025/2012 that produces market-driven European standards (ENs) that serve the needs of business, industry, and other interested parties.
ISO/IEC JTC 1 is a joint technical committee working on information technology that is also a consensus-based, voluntary international standards group.
Organisations with member-based consortia with no national restrictions
ETSI is a European standards organisation, set up in 1988 by the European Conference of Postal and Telecommunications Administrations (CEPT) in response to proposals from the European Commission. It is also recognised as a regional standards body dealing with telecommunications, broadcasting and other electronic communications networks and services.
OASIS is a global, non-profit standards body founded in 1993 and now supported by organisations from around the world. The consortium behind OASIS works towards the development of open-source software and standards in very diverse ICT areas including cybersecurity, blockchain, cloud computing and IoT, among others.
HL7 (Health Level Seven International) was created in 1987 and has worked towards improving the electronic collection and exchange of healthcare data to improve the speed, quality, safety and cost of patient care.
National standardisation bodies
BSI (the Federal Office for Information Security) is a German federal agency responsible for the management of computer and communication security for the German government.
UNE is a private, non-profit organisation recognised by the Spanish public administration as the national standardisation body in Spain.
Common Criteria for Information Technology Security Evaluation (CC) is an international standard for computer security certification according to ISO/IEC 15408.
The analysis produced a set of key findings and recommendations on how to better integrate cybersecurity into the procedures of standardisation bodies, especially in the future European Cybersecurity Competence Centre.
Among the common findings: some organisations allow commenting on projects even by non-members, and many organisations maintain liaisons with other organisations, which is intended to reduce duplication of work. In addition, not all organisations take the development dimension into account, which is especially true for continental and national SDOs.
Finally, the main recommendation made to the European Union and Member States is that the results of the work of SDOs (standards, technical reports) should be made freely available to universities, independent cybersecurity researchers, SMEs, cybersecurity experts and other interested parties, as otherwise security research will be hindered. Putting standards behind paywalls often negatively impacts the accessibility and outreach of the results to a wider audience. SDOs can follow an approach similar to the “author’s copy” model, making their resources available for free on the website of the authors or editors.
Welderufael Tesfay, GUF