Sustainable Broadband Communications: International Perspective – Common Criteria

Date post: 18-Feb-2016
Description:
Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012). Sustainable Broadband Communications: International Perspective – Common Criteria. David Martin, - PowerPoint PPT Presentation
Sustainable Broadband Communications: International Perspective – Common Criteria

David Martin, Head of International Assurance, Common Criteria Scheme Director, CESG, UK, [email protected]

Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012)
Transcript
Page 2: David Martin

Involved in Information Assurance Standards for many years

Chair of International Common Criteria Development Board

Scheme Director for the UK Common Criteria Scheme (operated by UK government)

Representing UK Scheme - reporting on new CC vision statement

Page 3: Common Criteria - Background

Standards for Assurance of IT Product Security

26 Nations (more to come)

16 Nations evaluate/certify products

Also an ISO standard (15408 and 18045)

Run by a Management Committee (with an executive to support) and a Development Board

Page 4: Common Criteria – The Value

Manufacturers do not have to evaluate products in multiple places.

Evaluation is very expensive in time and money

Good cyber defence (and sustainable telecom) needs many more products evaluated

All nations agree and procure to the common standard

Industry involvement (CCUF)

Page 5: Common Criteria – New Vision – Rationale - 1

CC usage has been little changed for more than 12 years

A number of nations found that:

The focus on ‘assurance level (EAL)’ was damaging product security

Not enough products are evaluated - Cyber defence needs many more

Expertise is applied in the wrong place, inconsistently, and without wide peer review.

Page 6: Common Criteria – New Vision – Rationale - 2

Smartcard Community has developed a very effective way of using CC

Work has taken place to support a similar approach for general IT products

Resulting in the CCMC (Management Committee) vision statement – published in September 2012

Page 7: For more information

Common Criteria Portal: www.commoncriteriaportal.org

The vision statement links from the front page

Other links show the products, schemes, operating documents etc.

Also see CCUF at www.ccusersforum.org

Page 8: Existing Approach

Page 9: New Approach

Page 10: Technical Communities

Page 11: Meeting virtually

Page 12: Much quicker and more effective

Page 13: Bespoke design/evaluation

Page 14: Better to have known standards

Page 15: Other Important developments

Common view on cryptography

Security Configuration Automation

Strong Linkage to Vulnerability/Weakness reporting

Supply Chain working group

Consistent Government Procurement (and other major users) – addressing what ‘recognition’ really means

Page 16: Common support for procurement

Page 17: Common Criteria – New Vision – Summary

More assurance than a simple ‘EAL approach’

Uses worldwide expertise, instead of relying on single ‘expert’

Open, Transparent, Repeatable – as befitting an International Standard

Step change in volume – better for cyber defence

Lowers procurement costs

Page 18: What does this mean for Sustainable Broadband Communications?

More assurance (Ignore ‘EAL’, look at what is assured)

More responsive

Lower cost

Wider range and choice of products

Uses worldwide expertise, instead of relying on single ‘expert’

Open, Transparent, Repeatable – as befitting an International Standard

Page 19: Further detail

First International Technical Community about to launch – based on USB storage device

Many more to follow next year

Already many TCs exist (mostly US based)

Page 20: Example TC Areas

Networking (NDPP, Firewalls, VPNs, etc.)

Storage (USB, Hard disks, etc.)

Applications on Operating systems

Mobile telecoms (VOIP, SIP, MDM, etc.)

Multifunction devices (printers etc.)

Page 21: Telecoms Applicability

3GPP discussion – potential development of cPPs

Could extend to system approaches

Key is to have the real technical expertise setting the standards

CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors

Page 22: Conclusions and Recommendations

