On July 16, 2010, Intel released a thought and policy document titled "Global Digital Infrastructure Policy". In this document, Intel shared with readers what it has been doing to drive elements of security into the global infrastructure (GDI, as they termed it); what it is doing to work with certain governmental organizations; and what it hopes other entities, commercial or governmental, would agree to do in order to facilitate the stated vision.
In this entry, I put forth my thoughts on their ideas. Some I criticize, but most I applaud, and I am glad that a company of the stature of Intel has the excellent understanding to design such views into its own plan. I am no Kool-Aid drinker, however, and one must remember that Intel, just like other organizations, has and will always put forth ideas that help them first and foremost. This is a lens that must be acknowledged before any policy documents are understood and appreciated.
Intel proposes a definition of global digital infrastructure as "GDI". I have not met that definition before, but I do value the comparison of the GDI to the central nervous system in the human body. In fact, those of us who favor "Terminator" movies would liken it to 'Skynet'… albeit a positive, benevolent one.
As the GDI concept is integral to this entire paper, it is important to note that Intel is focusing on a global element, and not on any particular political subdivision. This is the strength of this paper, but also its weakness: to include information assets that may be in countries as diverse as the United States or North Korea may assume connectivity and the ability to 'synchronize' across those resources. An ability that, alas, is less than realistic in today's world.
The Global Conundrum
The paper makes a very important statement, which bears repeating here: "As reliance by individual and businesses on the GDI increases, there is a corresponding increase in the value users place upon the security of the network and…data traversing the network".
While I agree that such is a desirable state, I disagree that users, by and large, see the situation as such. It is true that privacy, in particular, has seen a spike in importance in the US over the last few years. What might not be correct is that all users, or even most, understand the degree to which their information is accessible, by not-previously-authorized eyes and ears, on the network. The framework of laws, rules and regulations which all users rely on is simply not suited, in general, to the level of sophisticated threats which security professionals see day in and day out. I do not disagree with Intel's intent, just with the reality of what I see in the marketplace.
Similarly, the call for the development of a global GDI Policy is seen by me as a desired, yet probably unattainable, call. For example, as I discussed in my article "Time for a Cyber NonProliferation Treaty?", the US has had years to cooperate with Russia or the EU regarding electronic crime policies. Even those policies, which have more direct and measurable results, have failed to be embraced worldwide.
A Tricky Subject
The paper continues by calling for "an end to import, export and use restrictions on cryptography for COTS and public research". While such a call may sound liberating, it is a hopeless desire. Imagine what could happen if commercial entities, some of which invested billions in the development of cyphers, are free to export those to countries which may be at one time or another in a state of war with the origin country. Two 'issues' would come to mind: first, the job of intelligence agencies would become much more difficult (think Nokia-Siemens in Iran in the service of the Iranian government) and second, those cypher methodologies may enhance the development of even more robust cyphers for military use worldwide. Consider al-Qaida using US-made high-level encryption – would YOU want to be responsible for the free export of such tools to Afghanistan?
In my past, I was responsible for standard adoption at Symantec. Doing so enabled me to see, in a limited fashion, 'around corners', and understand better what would come down the pike next. The paper's call for a global adoption of a framework or standard on security is applaud-worthy. I would suggest starting with the ISO's adoption of the British Standards of ISO 27001 and 27002 (and 3, 4, 5…) and only then consider jumping into the Common Criteria. Common Criteria, which I discussed in my paper on "The Strategy to Secure the Federal CyberSpace", is an important element in certifying systems and processes. But the world must learn to walk before it can compete in marathons, and CC might be just that.
I applaud the paper's call for deepening government and private sector partnerships, especially on cybersecurity research. Again, in my "The Strategy to Secure the Federal CyberSpace", I called for such an effort, which has also now been made a priority for Howard Schmidt, the National Cyber Security Coordinator for the US. This is an essential element: industry would bring innovation and the government could bring intelligence and forewarning.
Intel's statement that "..a siloed, country-specific regulatory approach may…disrupt (the GDI)" is correct. However, reality dictates, as Intel notes later in the paper, that we are not one 'species' only, but we have cultural, religious and other differences that suggest, nay, require, such regulatory differences. I could give examples here, but they should be self-understood by the reader. We are simply too different, perhaps even more than 20%…
A bit later in the document the statement is made that "governments around the globe should apply..principles such as technology neutrality..". I once more agree with the intent, but think that there are reasons such is not the case today. Some countries protect their own manufacturers; others, such as Russia, require seeing the source code of every vendor coming into the country. I am afraid the distance to make Intel's vision a reality is quite substantial.
The Triangle of Trust
On the 6th page of the document, Intel introduces a concept which is new to me. The Triangle of Trust itself is not, but as it is represented here, the sides are Industry, NGOs and Government.
I applaud Intel once more for making the point of sharing and working together clear. Not one of these sides alone can further our security. We must share knowledge and responsibility more freely to assure our success.
All in all, a good paper. I would have liked to see more suggestions on practically approaching the global synchronization.
So, share with me and other readers your thoughts on Intel's "Global Digital Infrastructure Policy" paper!