EU Parliament on new tech and certification options for high-assurance ICT in the EU

The EU Parliament Science and Technology Options Assessment (STOA) panel has commissioned a report, Part 2 – Technology foresight, options for longer term security and privacy improvements, which brings a much-needed framing of the most relevant technology and technology-standardisation issues that can inform EU policy initiatives. (It is much in line with our UVST International High-assurance ICT Standardization Proposal, link.)

It is a must-read for anyone interested in what is actually needed for the EU and the EU IT industry, through new solutions and/or new certification standards, to be able to deliver meaningful ICT privacy and assurance to ordinary EU citizens with confidence.

Nonetheless, we believe the report contains several important inconsistencies and omissions, including the fact that the authors:

  1. Assume that verification of hardware can be done after fabrication, which it cannot, or at least cannot be done with certainty. For example, the US Defense Science Board wrote back in 2005 that “trust cannot be added to integrated circuits after fabrication”. Bruce Schneier, in this 2-minute video excerpt, says we should assume all mainstream CPUs are undetectably compromised (at fabrication, through updates, and/or by design).

  2. At first, note that end-to-end encryption (E2EE) is useless if an endpoint carries critical malware past the point of decryption, which the report itself says is widespread. But they then go on to treat E2EE as a solution that provides meaningful assurance, lacking only usability and a business model.

  3. At first, correctly state that European (“cloud”) services would be meaningless since (and to the extent to which) they still rely on IT hardware and software from untrustworthy providers. But they then fail to draw the only logical conclusion: the underlying software, hardware and processes must be made verifiable, and must actually be adequately verified and overseen.

  4. Over-emphasize free and open-source software as opposed to software whose source code is merely verifiable by anyone without an NDA. To date it has in fact proven very difficult to sustain viable business models for adequately engineered and audited free/open-source software in the lower layers of high-assurance software and firmware stacks. Aiming only at free/open-source may impose huge constraints that prevent economic feasibility without adding security.

  5. Do not sufficiently analyze the socio-technical aspects of the real-life experience and life-cycles of computing solutions. The quality and intrinsic self-assurance of the organizational processes that affect critical components throughout their life-cycle are among the most crucial needs of high-assurance ICT.

Rufo Guerreschi