Dec 15, 2006

In Malcom Gladwell’s book of the same name, “Tipping Point” is defined as “the magic moment when an idea, trend or social behaviour crosses a threshold, tips and spreads like wildfire.” It has also become a metaphor to describe the spread of a disease or the acceptance of a new technology.

This article is about connecting the dots between a number of recent events related to the Common Criteria (see sidebar), security and privacy, and the North American Security and Prosperity Partnership program. It’s also about the potential for government, industry and other stakeholders to collaborate to achieve common goals. Identity Manage­ment is seen as the thread that connects the dots and may lead to a “Tipping Point.”

Two Steps Forward and One Step Back for Security
The Information Technology (IT) security community has witnessed a series of events beginning with the spread of the Morris worm to the more virulent strains of viruses and worms that threaten zero-day attacks.

The Fear, Uncertainty and Doubt (FUD) caused by these cyber threats has contributed to the general awareness of the problem. However, none of these ­isolated events or obvious trends has resulted in a serious change in the way that we approach IT security.

The series of Government Accounting Office reports that gave failing grades to U.S. government organizations and similar Auditor-General Reports about Canadian government departments and agencies attest to the fact that governments haven’t yet experienced that “magic moment” that compels them to make substantive improvements in IT security. Similarly, the regulatory and compliance hammers that have been waving around for a number of years have done ­little to change the fundamental and evolutionary way which industry addresses IT security concerns.

Security issues in the IT community have evolved from the bottom up… from system administrator to the boardroom. However, there has been no “Tipping Point” yet in IT security for either government or industry in North America.

In September 2006, the U.S. government National Information Assurance Partnership (NIAP), the organization responsible for the U.S. Common Criteria scheme, announced that they no longer had the resources to evaluate all the products that could contribute to security of their IT infrastructure.

Their focus would be to serve the more traditional customers of the U.S. national defence, security and intelligence communities that had a demand for the higher ­assurance products.

This security community has been, and continues to be, focused on national security issues. However, the reliance on products that have this security “Good Housekeeping Seal of Approval” has now extended to the owners and operators of every critical infrastructure, and every business large and small that relies on the internet for its success. Moreover, the Common Criteria also includes special provisions to deal with many of the very specific requirements of the privacy community. It follows therefore, in America, that someone should have the mandate to ensure that there is a capability and capacity to evaluate these products.

 While the implications of the NIAP announcement are disturbing to many stakeholders on several levels, the reaction so far has come only from those vendors, and consumers who have been directly involved in the benefits of this program. However, the impact of these issues affects a much broader audience than that of the CC program. Thus, these issues should be examined in the context of national programs and the broader ­concerns of government, industry and ­private citize