[Figure: The Pentagon, which serves as headquarters for the Defense Department (gregwest98, https://flic.kr/p/6FW8b7, CC BY 2.0, https://creativecommons.org/licenses/by/2.0/).]

In a world of growing dependence on technology, consumers of information and communications technology (ICT) goods face an increasingly important question of provenance: How, if at all, can users be confident that the systems on which they rely will function as they are supposed to? How can they be sure that products and systems have not been altered in the supply chain? The issue is complex. These questions vary across many dimensions, but broadly speaking the issues can be broken down into three categories. First, to some degree, they implicate questions of technical capacity and security: How are we to know that the manufacturers of a hardware or software system have designed and built that system in a way that is secure against error, mistake, natural disruption or deliberate external misconduct? In other words, has the manufacturer performed competently? Second is the question of corporate intent: How are users to be assured that manufacturers have not constructed and marketed a system that affords the manufacturer privileged access and control? In other words, is the software or hardware intended to benefit the end user, or does the manufacturer see a value to be gained for itself from the design? On yet a third axis of inquiry, trust is also a question of politics and law: What protections exist against state-level intervention into the manufacture or operation of an ICT system? Are the flaws in the system such that some third party, for either well-meaning or malicious reasons, can benefit from the gaps in construction? These questions can only be answered with a combination of technology, process, law, and policy. Needless to say, the issue resonates today.
As the global supply chain for ICT products expands, new producers enter the field, bringing with them novel and different risks to the security of the products they create. The ongoing discussion regarding the use of Chinese products in Western systems is but one example of a much broader and deeper problem: How do we assess the degree of trustworthiness, or lack thereof, in ICT products? Trust is always a question of degree. It is the nature of ICT systems that risks of compromise can never be fully eliminated. But they can, with effort, be mitigated. At the same time, investments aimed at mitigating risk often serve perception rather than actually reducing the risk. Thus, risk assessment can often be a matter of perception rather than evidence. Trust and risk are also context-driven. The risk to one user may be an opportunity for another. Product differentiation, market fragmentation and the context of deployment are tied to these questions of trustability. The simple reality is that a baseline for trustworthiness has yet to be defined and is likely to be differentiated by technology, context of use and capabilities. Increased trustworthiness can come with increased costs. Commonly adopted solutions may add to the comfort of system owners and customers but may not alter the objective trustworthiness of the system in question. In addition to the need for objective metrics, which have not yet been developed, technology users and customers have differing perceptions of trade-off calculations based on their risk preferences and their business models. That, in turn, leads to a fundamental problem: We do not know how to assess and evaluate trustworthiness or trustability based on evidence. We lack a concrete description of acceptable system behavior and agreed-upon metrics for assurance. Our political system has yet to reach consensus on a cross-domain definition of trustworthiness.
How, then, are ICT manufacturers to provide assurances of their trustworthiness to skeptical consumers? If a producer of ICT goods wishes to differentiate its product by providing convincing assurances, how can it do so? And where may consumers or customers turn if they wish to evaluate the trustworthiness of the product they are selecting? What are the key characteristics of a framework that permits us to answer these questions? No generally accepted answer to these questions exists. Because of the large number of variables contributing to trust, a fully measurable answer to this question may not be possible. Instead, the technology, legal, and policy communities are trying to segment the answer by limiting the inquiry to individual constituent domains. But it should not be impossible to develop a set of principles, some of them evidence-based, that can guide an overall assessment of trustworthiness in hardware and software. Even without the prospect of a precisely assessable level of trustworthiness, we hypothesize that a framework for relatively comprehensive assessments can be built with a relatively high degree of confidence. The value of such a coherent framework based on agreed-upon trustworthiness principles should be evident. Using these principles, as well as acceptable evidence, as a guideline, ICT manufacturers and consumers could engage in a structured analysis of comparative risks and make more reasoned risk-benefit and resource-allocation decisions. To that end, Lawfare has convened a working group with the goal of articulating and justifying such a set of trustworthiness principles. This group, however, does not work from a blank slate. To paraphrase Newton (and before him, John of Salisbury), our work stands on the shoulders of others who have gone before us. Indeed, the seminal paper by Lee M. Molho, “Hardware Aspects of Secure Computing,” is now 50 years old.
Even then, students of the problem recognized that hardware problems have security implications. Today we are still building on that lesson. In the course of the working group’s examination of the problem of trustworthiness, we assembled this annotated bibliography, which we thought would be useful to make public. In this partial bibliography, we attempt to compile a baseline of existing works on the evaluation of trustworthiness. We have sought both to summarize the existing field and to characterize it, as a jumping-off point for other efforts. We emphasize at the outset that our intent here is neither comprehensive nor overly technical in nature. We do not purport to have fully defined the field; nor have we tried to plumb the depths of technical intricacy. Our goal, rather, is to provide a systematic overview of the field that is both technically literate and of use to decision-makers in the public and private sectors. This is a living document, and we expect additions and modifications as the working group moves further along. Our preliminary results reveal an unsurprising finding: that consideration of the question of trustworthiness is stove-piped into subcategories. One goal of the working group may well be an effort to recharacterize the field in a way that allows for cross-connections between existing categories. But, for now, we take the field as we find it, including sources related to four categories:

Political and legal criteria.
Corporate governance criteria.
Technical criteria for hardware.
Technical criteria for software.

Political and Legal Criteria

CSIS Working Group on Trust and Security in 5G Networks, Criteria for Security and Trust in Telecommunications Networks and Services (Washington, D.C.: Center for Strategic & International Studies, May 2020).

This report of the CSIS Working Group on 5G Security and Trust was requested by the State Department.
Criteria are designed to complement the Prague Proposal and the European Union’s 5G Toolbox, and they rely primarily on publicly available information. The criteria are broken into categories as follows: 10 political and governance criteria (for example, suppliers are more trustworthy if headquartered in democracies with an independent judiciary and the rule of law); seven business practices assessment criteria (for example, suppliers are more trustworthy if they are transparently owned and publicly traded); 10 cybersecurity risk mitigation criteria (for example, the supplier has passed independent, credible third-party tests, the technology uses open and consensus-based standards, the supplier has a record of patching systems in reasonable time); and four government actions to increase confidence in the choice of a supplier (for example, selection of diverse suppliers, government and private-sector ability to regularly conduct vulnerability tests and risk assessments).

Levite, Ariel, ICT Supply Chain Integrity: Principles for Governmental and Corporate Policies (Washington, D.C.: Carnegie Endowment for International Peace, October 2019). [also Corporate Governance]

This paper proposes several measures for governments and corporations to undertake in order to increase trust in the integrity of information, communications and operational technology supply chains. For example, it calls on governments to refrain from systemic interventions in supply chains and establish interagency processes to consider the equities of potential interventions. The proposed corporate obligations include not supporting systemic interventions in their supply chain; protecting p
Trusted Hardware and Software: An Annotated Bibliography