Contributing to the ITU social mission
Helping drive standardization of security best practices.
As a Contributing Expert and US Delegate for 2018 and 2019 at the International Telecommunication Union, Standardization Sector, Study Group 17: Security, with a focus on Q14 DLT Security, I focus on applying the basic principles of Threat Attack Expressions, Security Control Expressions, and the architecture of Protection Assurance Expressions.
As former Vice-Chair of the ITU Focus Group on "Cryptocurrencies including Digital Fiat Currency" and co-chair of its Security Working Group, I submitted the security deliverables.
The deliverables are available below.
As per the terms of reference of the ITU-T Focus Group on Digital Currency including Digital Fiat Currency (FG DFC), the Focus Group would develop security models around which security requirements could be defined in consideration of current best practices and the critical security challenges faced by the industry today.
What is so special about transitioning the traditions and precedents of physical money into its digital equivalent?
We have successfully transitioned from physical signatures to their digital and electronic equivalents. Almost everything today is digital. Can we apply current security best practices in the same way we protect current systems? Can we accept the typical financial industry fraud losses as a cost of doing business? Can we accept a breach once in a while?
The truth of the matter is that most Internet-connected systems are not secure-by-design and are compromised, or can be compromised, given only intent and resources.
Does Digital Fiat Currency or a Central Bank Digital Currency warrant a higher level of security assurance than is typical of financial services today?
What will it take to “protect” the various forms of Digital Currency? What is the problem? Do we have the capability and resources? The simple answer, based on our track record, is: highly uncertain. What will it take to get to the required answer – with confidence?
The field of Cybersecurity is intangible: one cannot see it, touch it, smell it or hear it. For these ephemeral reasons, the field has been and continues to be avoided by most and is mostly misunderstood. Even within the active security field, there is great variability in skill levels, and this is becoming worse with the influx of new practitioners. The field could benefit from analytical skills, since its level of complexity is very high and growing rapidly.
The field of Internet and eCommerce was initially relegated “to the basement” within IT. A security chasm formed between Security and IT, who spoke “technobabble” and traded in fear, uncertainty and doubt, and the business, which had a “technophobia” for the rapidly changing Internet. Initially, the separation of the two worlds worked. However, in the last decade a security awakening has occurred: fiduciary executives have awakened to the impact of decades-long underinvestment in and lack of commitment to security. Excessive residual risk was accepted.
Unlike other fields, Security is an art and not a science. It was not formed in the traditional “field-of-science” manner, through formal university creation, but rather through grass-roots technical expertise as the information revolution exploded. With spreadsheets being the primary industry tool to manage security controls, most practitioners develop their own approach and method each time they need to measure, track and demonstrate compliance. This institutional security information is entombed in the spreadsheet and sometimes lost and/or reinterpreted by others. The cycle of loss repeats itself.
Secure-by-Design is most often not incorporated into the original design because of the added costs and complexity. Security is then relegated to a “bad IT” Band-Aid role, with poor protection results.
Today, innovation is outpacing our ability to secure and protect with confidence. Without a formal security taxonomy and ontology, the nature, form and prescriptiveness of security control descriptions vary subjectively even for identical security control topics. This variability requires significant human reconciliation and interpretation, resulting in significant time and cost spent understanding, managing and normalizing controls.
This paper outlines a security model and method that addresses two security challenges at the core of insufficient and ineffective protection - funding driving amount-of-security and visibility driving quality-of-security.
• The Unified Security Model (USM) integrates into a single system level model the fiduciary cycle of risk acceptance which determines resource funding (amount-of-security).
• The Unified Expression Model (UEM) integrates expressions into the USM as a single system with high visibility of “Risk to Value and its Protection” down to the more specific “Attack Exploit to Target Vulnerability and its Countermeasures” enabling advanced visibility, measurability and analysis of state-of-security to ensure quality-of-security.
Given the criticality of currency to people, nations and society and the severity of damages that could result from a loss of currency trust and confidence, the level of security assurance for the Digital Fiat Currency use case will be deemed to be:
Security Assurance Level: 4-5 High to Very High
On a 1 to 5 scale of 1: Very Low | 2: Low | 3: Average | 4: High | 5: Very High
For general reference purposes, the assurance level proposed is similar to the security assurance expected by the following standards:
• NIST 800-54 r4: “Security and Privacy Controls for Federal Information Systems and Organizations” High Assurance on a 3-level scale of Low | Medium | High
• Common Criteria v3.1 r5 for supply chain hardware and software security: Common Criteria for IT Security Evaluation (ISO/IEC 15408)
• US FIPS high assurance standards like FIPS 140-3 “Security Requirements for Cryptographic Modules”
The paper recommends that for high to very high assurance use cases such as Digital Currency, an integrated, high-precision, inheritance-based system and method be used to define, model and analyze all aspects of security required to provide reasonable protection.
Deliverable 1: "Protection Assurance for Digital Currencies: Method for achieving the required Security Assurance Level for Protecting Digital Currencies including Digital Fiat Currency with High Confidence"
Deliverable 2: "Protection Assurance use case for a payment transaction"
These deliverables are available directly at: