Sixteen and a half years after I first proposed looking at Underwriters Laboratories as a model for addressing security issues in Cyberspace, the idea has actually reached the White House's agenda, not as a talking point but as an action item.

While the vast majority of comments have been positive and supportive of the idea being implemented, there have been a handful of opinions on the other side. The frustrating part is that the arguments being made suggest the critics haven't read the entire paper. I hope to call out some of the misconceptions that misrepresent what my CyberUL paper was, to some extent, proposing.

First, a point that was probably buried across multiple sentences: what UL does is "list" products that meet the minimum requirements necessary to be "safe". You can't buy security off the shelf, plug it in, and be secure. When UL rates safes, or lists alarm installers, all these items "play together" as part of a larger solution. It assumes that what UL does will be used by the insurance industry to see that your bank has an alarm system, installed by professionals who are subject to a "field spot check", and that if the response time from the police is estimated at 20 minutes, your safe is rated to withstand attack for at least 30 minutes. Buying a toaster that won't set your house on fire is turn-key; buying security is far from it. UL recognizes this and approaches each problem with the most sensible solution.

Obviously, those arguing that "UL only certifies that products won't shock you, not that they're resilient to attack" haven't gotten to the part about alarms and safes. Those arguing that most problems aren't in product quality but in deployment and use haven't gotten to the professional certification part. Also, to some extent, a product that lets me select a "dumb" password to authenticate who I am has a design problem - and that is something that can be tested for.

Second, the paper recognizes that the "cyber" world is a lot more complex, and its rate of change is greater, than the physical world that UL lives in. The paper goes on to point out that being "cyber" also lends itself to automation. So there are challenges, as well as opportunities for folks to whom not everything looks like a nail.

The most frustrating comments to hear come from folks who have tried to do this commercially and run into problems. Surprise! The biggest point of the paper was that this can't be done commercially. So long as your shareholder value is maximized through revenues from "certifying" things, you are the customer's biatch. If your shareholder value is maximized by providing accurate inputs for decision making around risk management, then you're beholden only to the truth. Unless you're ready to grade on a bell curve rather than set scientific minimums that must be met no matter what, you're going to lose customers to the competition that will emerge. I suggest everyone think about the different "drivers" that emerge with a commercial model versus what is essentially a non-profit one. Wouldn't things be different if the owners of the organization didn't focus on revenue from certifications, but instead on getting a good product (the data for making informed risk management decisions)?

And this is why CyberUL hasn't had a snowball's chance in Hades for a long time.

About seven years ago, it was starting to look like the Payment Card Industry (PCI) had the right foundation to build something like that on. They have their army of assessors and their (way too muddy) guidelines. Having a PCI Labs publish unbiased truth about product quality, in the form of "listing" acceptable components, would help that army be smarter about what they do. There are a ton of other steps they'd need to take, but the bottom line is that PCI's stakeholders and owners are taking a beating in terms of compromised credit cards. They could, at least potentially, be more interested in secure eCommerce components than in certification revenues. So this could easily have been them stepping up as "PCI" rather than "Underwriter's" Labs.

That brings us to the last days of... June, 2015, with .mudge's tweet that the White House has asked him to start a CyberUL. The ability of this organization's shareholders to look not past the profit motive, but at the bigger-picture profit motive, is obvious. The ability of the leadership to keep the big picture in mind while being drowned in the details has been demonstrated over and over by .mudge. This is the sort of thing that has the potential to bring on a sea change in an area that seems to have been treading water for at least two decades.

It will be a long swim to shore, though, and I ask that people keep in mind that establishing UL didn't stop rampant fires at the stroke of a pen. It's been well over 100 years since UL was formed, but the bottom line is that even if, by some freak chance, your toaster somehow does catch fire, the drapes and carpets and paint on your walls have all changed, as has the outcome of such an event. UL was the force that drove that change and created a much safer environment for us all.