Advancing Infosecurity Standards Through Consensus


More than 40 million Target shoppers were caught off guard when their payment card data was stolen from the retailer's point-of-sale systems in late 2013, but it came as no surprise to many security researchers, who had been predicting an attack on card authentication for more than a decade. The incident prompted the United States to join the rest of the world and begin the (sometimes rocky) transition to EMV chip cards.

EMVCo, the organization that standardized and supported the move away from magnetic-stripe swipe cards, is an alliance of American Express, Discover, JCB, MasterCard, UnionPay and Visa. Although these brands compete in the marketplace, they recognized that no single one of them could deliver a comprehensive solution.

In a classic example of consensus, the companies aligned to address the threats to the credit card industry and protect the financial safety of their customers.

What is consensus?

As a collaborative process, consensus is designed to satisfy a wide group through inclusion, information and participation. Rather than seeking unanimous approval and agreement, it works to establish equality in process and shared acceptance of an end resolution.

EMVCo, a neutral third-party body built by industry stakeholders, relies on a consensus process to develop the standards that keep card infrastructure uniform. Consensus requires a large commitment from participants: it demands mutual trust and compromise, and it asks participants to share information they would normally hold private.

Larger organizations must approach negotiations knowing that a jointly agreed standard is more likely to secure their ongoing success. Startups and smaller businesses must trust that their partners are pursuing a more stable, predictable environment for all.

True consensus ensures that every voice is heard and that all participants will comply with the final results, even if they aren’t ideal. The standards it creates are often voluntary and legally unenforceable, but they offer long-term benefits to business, government and consumers. They help expand national and global markets and enable interchangeability, compatibility and interoperability. They reduce costs and time to market for products and services and promote safety across industries.

How consensus works

The FIDO Alliance is another example of consensus in action. Its diverse membership ranges from Google to Goldman Sachs to the Australian Government, and attests to the broad-spectrum impact of its mission. When an initiative is put to a vote, FIDO requires a quorum of members to participate.

Approval, however, does not require a yes from half of voters. Instead, participants can abstain or withhold their vote from an initiative, thereby expressing an opinion without blocking the group’s progress. As long as a quorum of voters is participating, yes votes only need to outnumber no votes.

Consensus adds transparency, but, like any human endeavor, it’s not perfect. Its emphasis on inclusion and revision can be slow and inefficient, and it is dependent on strong leadership, effective team dynamics, and an assumption that stakeholders are genuinely invested in a solution for the greater good. When done well, however, it helps find creative ways to address competing and overlapping needs, rather than generating lowest common denominator agreements.

Consensus in action

FIDO used consensus to develop its U2F and UAF protocols, which aim to reduce the world's dependence on passwords and the vulnerabilities that come with them: U2F adds a hardware-backed second factor to a password login, while UAF supports passwordless authentication, including biometrics. The recent breaches at Yahoo may push more users toward biometrics or second-factor authentication, but the real goal of organizations like FIDO and EMVCo is prevention. To succeed, they will need buy-in not only from their members, but also from unaffiliated manufacturers, developers, businesses, governments and the general public.

The Internet of Things is a likely target for future hacks, breaches and outages. Fortunately, awareness is increasing about the vulnerabilities in this rapidly expanding field. The best way for developers to protect themselves, their products and their customers is by creating pervasive interoperability standards that the vast majority of participants adhere to.

A number of groups are facing the task head on. The Industrial Internet Consortium is one of only a few organizations that have made substantial (if gradual) progress. In November, it published a Business Strategy and Innovation Framework for the industrial IoT that identifies and analyzes critical initiatives for its 250 members.

The ZigBee Alliance is also seeing success uniting smaller organizations and industry leaders to research, develop, test and standardize products and services for the IoT. Still, the widespread adoption of standards has a lot of distance to cover, and many unsecured devices will be entering homes and businesses in 2017.

The call to action

Consensus may be the key to improving IoT security, but it will require stakeholders of all shapes and sizes to join the discussion proactively. Understanding how and why standards are created and participating in their development is an important step towards a more secure environment for everyone.
