
Importance of Standards to National Security

Dan Geer, Paul Rosenzweig
Friday, February 3, 2023, 1:45 PM

The U.S. is neglecting technology standard setting. That’s a mistake.

Babylonian mathematics, shown in this Babylonian tablet, set standards for the Gregorian calendar. (A. Urcia, Yale Peabody Museum, https://tinyurl.com/3rxp5zyf; CC Zero, Public Domain Dedication, https://tinyurl.com/bdhjzcs)

Published by The Lawfare Institute
in Cooperation With
Brookings

Standards are many, and they have value. You know that. We’ll talk more about their definition and variety in just a moment, but we begin this discussion in an engineering frame of mind: problem statement first, solution second. The general problem statement for technological standards is how to avoid the power imbalance of a single source for essential goods and services; in other words, standards are a line of defense against concentration risk. Interoperability is the goal, and multiple suppliers are the proof. By contrast, an absence of standards devolves into a winner-take-all hegemony whenever the technology in question benefits from scale or has network effects. Threading that needle is hard but essential. So, we want standards, full stop. The problem is particularly acute where those standards affect national security operations: who writes the standards matters.

At the same time, “nothing to excess” remains timeless wisdom: standards that are excessively rigid thwart innovation. Excessive rigidity is the source of much of what goes wrong in and around regulatory compliance and regulatory capture.

What do we mean by a standard? Following a standard, we turn to the dictionary to see that a standard is “something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality.” The heart of standardization is the process of setting up standards—sometimes naturally, other times arbitrarily or driven by policy and culture.

There are naturally occurring standards, such as when the market decides that what it wants is already in place. That is not to say that the market picks the best standard, just that it does the picking. There are many (many) examples of the market picking a standard that was neither optimal nor logical. None is written about more often than VHS versus Betamax: Betamax might well have been superior technically, but VHS had longer tape and it had numerous suppliers, which, together, sealed the deal. That’s one kind of standard: market chosen.

Another kind of standard may be an entirely arbitrary choice, valuable only because it is a standard. Driving on the left or the right is arbitrary, but quite important to standardize. And as several countries have shown, changing from one to the other is a hairball. 

Then there is clock time, perhaps the most ancient and most illogical standard of all: the sexagesimal (base 60) mathematics of Sumer and Babylon, more than 4,000 years old, is where 60-second minutes, 60-minute hours, and so forth come from. We moderns added time zones, which as a standard make clock time unequal to sun time nearly everywhere.

Some standards flow from policy needs if only indirectly. The quality of plumbing has public health implications, and plumbing doesn’t really work if pipe diameters, threads, and the like don’t match. Hence, the hardware has to be standardized. Yes, every layer of pipe could do things differently if money were no object, but that is not how public health works.

Along the same lines, though global, are shipping containers. We standardized a box that fits on the back of a truck at both ends of the journey, with a sea voyage in between: a model that went from zero in 1956 to carrying roughly 90 percent of the world’s non-bulk cargo today.

Some standards embody a centralized diktat with embedded value choices. One example of choosing a standard to both advance a technical goal and advance a value choice would be to standardize (by diktat) the interoperability of electronic health records (EHR) within the U.S. (which does not have a single-payer system where interoperability is a non-issue). Sadly, despite the U.S. government’s demand for, and generous subsidy of, the adoption of electronic health records, the diktat for adoption has not yet standardized EHRs sufficiently for interoperability, a clear failure.

The internet works because of standards; interoperability has always been front and center to its spread. This includes implicit standards such as the so-called end-to-end argument, the design constraint that the internet should not embed policy in low-level functions, which is perhaps beyond all else the most consequential reason why we have a free and open internet. It became a meta-standard without codification by any standard-setting organization (SSO), resting on a few academic papers; it is a working standard in the way wilderness is: if you want wilderness, you must forgo building roads. Has end-to-end held up well? Mostly. The challenge today is the virtualization of everything, so that “end” is no longer as testable as “Where does this wire go?” And this idea/standard is absolutely reflective of small-l liberal Western values; namely, if it doesn’t need to be governed, then don’t govern it.

Naming, in the sense of the domain name system (DNS) and the operation thereof, has been a triumph of standardization. Yet the DNS is under great pressure today from actors who would use it for geopolitics, for example Ukraine’s call to remove Russian name/address pairs from the global DNS over Russia’s invasion, not to mention the manipulations of the global namespace that make Chinese citizens see an altogether different internet. And where do those names come from? They pass through the Internet Corporation for Assigned Names and Numbers (ICANN), a non-governmental organization in California that embodies American values (come one, come all), which dismays the Chinese Communist Party.

Another American value-embedding episode was the ultimate refusal of the Internet Engineering Task Force (IETF) to specify encryption methods in internet protocols that would have given governments unique, privileged access to the contents of otherwise encrypted communications. The IETF refused to embed those mechanisms, putting its position on record in RFC 1984 (1996), which opposed mandatory key escrow, and RFC 2804 (2000), which declined to consider wiretapping requirements in its standards. Had the internet world then had a different IETF, one dominated by experts from authoritarian-leaning nations, a different set of values would have become an undodgeable part of the internet.

It is not just technical standards that work out to a value choice; essentially all non-technical standards have cultural impact. Consider how, the world over, civil air traffic control is conducted in English. Not just any English but “Aviation English.” That is arguably another arbitrary choice with great benefits: your Bulgarian pilot can talk to your Kenyan air traffic controller and they understand each other well enough to land the plane safely, all due to an international standard from 1951. At the same time, it has to be acknowledged that an English requirement is a variety of cultural imperialism; one of the most functional parts of the modern world is rooted in English, and everybody who uses it agrees to that requirement. The Russian pilot, the Chinese pilot, or any other pilot has to have a degree of fluency not just in the language but in American, or at least Western, culture, whereas American pilots need no such fluency in Russian, Chinese, or any other language, much less culture. That well illustrates that the topic of standards goes beyond technical imperatives.

That is enough examples of standards and their types. The focus for this article is the interplay of standards and national security. Though it may sometimes be oblivious to them, the general civilian population has interests that national security shares, beginning with something we said at the outset: standards are a line of defense against concentration risk, including monoculture risk. Market concentration affects each component of the national security risk equation: threat, vulnerability, and impact. As the internet ecosystem becomes more concentrated across a number of vectors, from users and incoming links to economic market share, the locus of cyber risk moves toward these major hubs and the magnitude of systemic cyber risk increases. Mitigating cyber risk requires diversity of systems, software, and firms; attention to market concentration in cyber insurance pricing; and a deliberate choice to avoid ubiquitous interconnection in critical systems. Enter standards, enabling diversification, multiplayer control, and the absence of technical autocracy.

There are many more national security interests in standards. Sometimes our standard-setting wounds are self-inflicted. As we write, under the guise of standard-setting, Apple is being cajoled to allow the sideloading of third-party applications on iOS. But requiring every app store to conform to the same security model, by mandating that third-party applications be allowed, will only increase national security risk by creating a monoculture security environment. Apple phones have roughly a 50 percent market share in the U.S. Imagine, hypothetically, that many devices conscripted into a malicious botnet. That is why single collaboration and communications systems are disfavored in the world of cybersecurity: the costs of a single-point-of-failure monoculture may be greater than the efficiency benefits. Sadly, it appears that the political pressure has succeeded and Apple plans to allow this insecurity in its next iOS.

Other risks come from inattention. Standards-essential patents (SEPs) arise when complying with a standard implies the use of technology that is subject to a patent. A standard-setting organization will require proposers of standards to disclose any SEPs during the standard’s development, though the patent holder is not necessarily a member of the SSO. If the patent holder is a participant in the SSO, then the SSO will require, as a condition of the proposal becoming a standard, that the patent holder declare its willingness to grant a “fair, reasonable, and non-discriminatory” (FRAND) license to those who would use the standard containing the SEP (see page 36 of the ETSI Directives). This is consistent with Western values: innovators are due a reasonable return on their investment through licensing the SEPs to implementers, so long as the terms of such licenses are, as the name implies, fair, reasonable, and non-discriminatory. They cannot, in a phrase, create a standard that rewards their own monopoly. When a standard includes SEPs, an implementer who claims standards compliance explicitly accepts the presence of SEPs in the standard being complied with and must license them.

SSOs are voluntary associations and necessarily include competitors. As one might thus expect, litigation happens. Innovators will naturally endeavor to enforce licensing of their SEPs that appear in standards. Implementers will endeavor to dispute the FRAND-liness of the licenses on offer. Some innovators will name patents as SEPs when they are not essential, a stratagem to inflate their licensing income. Some implementers will refuse the terms of the licenses, FRAND or not, and proceed without licensure. The precise balance here sometimes changes and is often in dispute. As all of this is in the context of global firms but individual country legal systems (and their reach), there is trouble, especially with respect to the U.S.’s most important competitor, China.

Critically for national security, given the voluntary nature of SSOs, they can be steered by their direct participants in proportion to how actively those participants show up. Most free-market companies will grudgingly send their employees to two- and three-day meetings, but state-controlled enterprises have a different equation for cost versus benefit. China is, of course, aggrieved at paying FRAND royalties to other countries’ enterprises and has, in mobile standards meetings, taken the position that either standards embody Chinese patents or Chinese firms will go their own way on 5G.

And bear in mind the scale of the SEP/FRAND system: in 2022, a total of 56,000 new patents were declared to be SEPs. 5G alone is currently subject to approximately 40,000 declared granted patent families and 1,200 standards specification documents.

Which leads to a stretch question: could one use a SEP to silently embed a security hole in a technology? Yes. Nobody has the time to analyze a standard to the depth and detail needed to determine that there are no security gremlins. Just recall Apache Log4j: plenty of people had looked over that code, and everyone missed the hole (CVE-2021-44228, in a lookup feature that had shipped since 2013).

Protocols are particularly subject to this fiddling. In cybersecurity, there is a foundational key establishment protocol, Needham-Schroeder (1978), whose symmetric-key form underlies Kerberos; its public-key variant stood for seventeen years before Gavin Lowe found a man-in-the-middle flaw in it in 1995, an attack later reproduced and repaired with the FDR model checker. Standards, SEPs and otherwise, are filled with protocols. In fact, one might say that every standard is a protocol of some sort. Finding holes in protocols is difficult, a lot more difficult than building them in. It would be just as easy to slip one, maybe even easier, into a patent application that became a SEP. Patent examiners are not tasked with doing security analyses. “New, useful, and not obvious” includes neither safe nor secure. The onus is on the participants in the SSO.
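To make the Needham-Schroeder point concrete, here is an added example (ours, not part of the original article) that models the three-message public-key protocol symbolically, runs Lowe’s interleaving attack against it, and then shows that Lowe’s fix, naming the responder inside message 2, makes the attack fail. Encryption is a symbolic box only the addressed principal can open; no real cryptography is involved, because the flaw is in the message structure, which is exactly what protocol model checkers reason about. The principal names A, B and I and the nonce format are illustrative choices.

```python
"""Symbolic model of the Needham-Schroeder public-key protocol (1978),
Lowe's 1995 man-in-the-middle attack, and Lowe's fix.

enc(P, ...) is a Dolev-Yao style box that only principal P can open. No
real cryptography is used: the attack is against message structure.
Principal names A, B, I and the nonce format are illustrative assumptions.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Ciphertext:
    to: str          # principal whose public key was used
    payload: tuple   # plaintext fields inside the box


def enc(to, *fields):
    return Ciphertext(to, tuple(fields))


def dec(principal, ct):
    """Only the holder of the matching private key can open the box."""
    if ct.to != principal:
        raise PermissionError(f"{principal} cannot decrypt a message for {ct.to}")
    return ct.payload


_counter = itertools.count(1)


def fresh_nonce(owner):
    return f"N{owner}{next(_counter)}"


# --- Protocol roles. fixed=True selects Lowe's repaired message 2. ---

def initiator_msg1(me, peer):
    na = fresh_nonce(me)
    return na, enc(peer, na, me)                      # 1. A -> B: {Na, A}_pk(B)


def initiator_msg3(me, peer, na, msg2, fixed):
    fields = dec(me, msg2)
    if fixed:
        na_echo, nb, responder = fields               # 2'. {Na, Nb, B}_pk(A)
        if responder != peer:
            raise ValueError(f"{me}: reply names {responder}, expected {peer}")
    else:
        na_echo, nb = fields                          # 2. {Na, Nb}_pk(A)
    if na_echo != na:
        raise ValueError(f"{me}: nonce mismatch")
    return enc(peer, nb)                              # 3. A -> B: {Nb}_pk(B)


def responder_msg2(me, msg1, fixed):
    na, claimed_peer = dec(me, msg1)
    nb = fresh_nonce(me)
    fields = (na, nb, me) if fixed else (na, nb)
    return nb, claimed_peer, enc(claimed_peer, *fields)


def responder_finish(me, nb, claimed_peer, msg3):
    (nb_echo,) = dec(me, msg3)
    if nb_echo != nb:
        raise ValueError(f"{me}: nonce mismatch")
    return claimed_peer   # B now believes it shares Nb with claimed_peer


def honest_run(fixed=False):
    na, m1 = initiator_msg1("A", "B")
    nb, claimed, m2 = responder_msg2("B", m1, fixed)
    m3 = initiator_msg3("A", "B", na, m2, fixed)
    return responder_finish("B", nb, claimed, m3)


def lowe_attack(fixed=False):
    """A opens a session with the intruder I; I replays A's messages to B."""
    na, m1 = initiator_msg1("A", "I")
    na_seen, a_name = dec("I", m1)                    # legitimately addressed to I
    nb, claimed, m2 = responder_msg2("B", enc("B", na_seen, a_name), fixed)  # I(A) -> B
    try:
        m3 = initiator_msg3("A", "I", na, m2, fixed)  # I forwards m2 to A unchanged
    except ValueError as err:
        return {"b_accepted_as": None, "intruder_knows_nb": False, "aborted": str(err)}
    (nb_leaked,) = dec("I", m3)                       # A encrypted Nb for I, not for B
    accepted_as = responder_finish("B", nb, claimed, enc("B", nb_leaked))  # I(A) -> B
    return {"b_accepted_as": accepted_as, "intruder_knows_nb": nb_leaked == nb, "aborted": None}


if __name__ == "__main__":
    print("original protocol:", lowe_attack(fixed=False))
    print("with Lowe's fix:  ", lowe_attack(fixed=True))
```

Every message in the attack is well formed and every nonce check passes, which is why the flaw survived so long: the protocol is broken by an honest run interleaved with a second one, not by any single malformed message. That is the kind of defect a model checker finds and a patent examiner never will.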

But if the SSO comes to be dominated by authoritarian countries, you get the concentration risk we spoke of earlier. Consider China’s World Internet Conference (WIC), now in its eighth year. WIC is all about a “new order for global cyberspace” on the Chinese model. In short, it’s an SSO for authoritarian wannabes. There were 120 countries in attendance at this past one in 2022, as well as the CEOs of Tesla, Qualcomm, and IBM. For years, China has been fighting to take control of the International Telecommunication Union (ITU, part of the United Nations). China has, more or less, won the battle for standard setting for 5G and clearly plans to thoroughly embed its patents in 6G. It has yet to win the overt battle for formalized control of the network through the SSOs, where its presence is constant and substantial. China has signaled that it intends to take them over or even create new ones if it has to.

What choices do the U.S. and its like-minded allies have? Fight, flight, or fall in line. The U.S. could really lean in and push SSOs toward Western, small-l liberal values in standards. We could abandon the internet to balkanization, with a Chinese 5G sub-world and a Western/American 5G world (think cargo shifting between Soviet and European railroad track gauges). We could just let it go and live under Chinese rule sets for who can see what, who can do what, and so forth. If there are other choices, we don’t know what they are.

Thus far, we have chosen by not choosing. There is no defensible argument that we Americans, whether in the form of the U.S. government or in the form of American industry, have adequately and appropriately valued participation in international standards setting, be it the ITU, the International Organization for Standardization (ISO), and so forth. Both government and industry have largely treated SSOs as cost centers without significant benefit. Take hammering out standards for infrastructure security: the process slows market penetration and may well benefit those who are not your customers or clients. It is thus rational, if short-sighted, to see investing time and human effort in a good infrastructure security standard for a market not yet widely developed as an externality, a cost that someone else can be made to bear or, at least, something that can be ignored until some more convenient day. “Just in time” may be a good mantra for warehouse workers, but it was only at the last minute, in the fall of 2022, that the West kept a Russian former deputy minister and onetime Huawei executive from becoming the head of the ITU. Having standards that serve the ends of authoritarian regimes is the direct risk of failing to engage vigorously, whether by government or industry; setting standards is the macro version of voting your values.

***

Takeaways:

  • First: the U.S. should hear, understand, and acknowledge that standards setting is a part of the great power competition in which we find ourselves.
  • Second: the U.S. should find the human resources needed to avoid SSO neglect, and though we don’t much like industrial policy in America, helping companies invest their best people in the SSO process is in the national interest.
  • Third: the U.S. should push forward research on formal certification of protocols and submit already standardized protocols to the improved processes with every advance. We should be prepared for surprises.
  • Fourth: the U.S. should work to institute conditions through standards that highlight free speech and association. Legislation will probably be required, perhaps preceded by codifying SEP/FRAND mechanisms in the Uniform Commercial Code (UCC).
  • Fifth: “That government is best which governs least,” Thoreau’s line so often credited to Jefferson, applies in the standards world as much as it did in theirs. The enemy of that idea is the authoritarian-driven mission creep in SSO work agendas.

We’ve hardly scratched the surface here. Time is irreversible; so, too, are lost opportunities to keep standards a force for goodness.


Dan Geer has a long history. Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on mobile computing (1993), convenor of the first academic conference on electronic commerce (1995), the “Risk Management Is Where the Money Is” speech that changed the focus of security (1998), the presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for “Cyberinsecurity: The Cost of Monopoly” (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-2019), author of “Economics & Strategies of Data Security” (2008), and author of “Cybersecurity & National Policy” (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2012). Lifetime Achievement Award, USENIX Association, (2011). Expert for NSA Science of Security award (2013-present). Cybersecurity Hall of Fame (2016) and ISSA Hall of Fame (2019). Six times entrepreneur. Five times before Congress, of which two were as lead witness. He is a Senior Fellow at In-Q-Tel.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
