A few days ago, the final verdict was published in the trial following a plane crash that killed 87 people in 1992. Nobody was convicted in the end, as the judge considered that none of the defendants had committed any legal fault. However, an article in today’s “Le Monde” (in French) debates the very usefulness of such trials. While reading the article, I found many similarities between this issue and the security evaluation of smart cards.
The article discusses the fact that, when a plane crash occurs (at least in France), two investigations take place: an administrative investigation, which focuses on the technical aspects of the crash, and a judiciary investigation, which focuses on the legal aspects. In that particular case, the administrative investigation lasted 2 years, and the legal one 14. The author, Jean Paries, who headed the administrative investigation, claims that the legal investigation did not identify any new element, because the administrative investigation was very thorough and left no element behind.
Of course, this point is open to discussion. However, it is not his major point here. His major issue is that there is a systematic legal investigation, in parallel with the technical investigation, and that the prospect of legal consequences makes the parties involved more careful about following the rules than willing to really improve security.
The first issue he mentions applies mostly to legal investigations. The airline industry traditionally tries to identify vulnerabilities in a proactive way, not waiting for an accident to take action. However, since there is always a delay between the detection of an issue and the corresponding action, companies expose themselves to the accusation of “You knew it, and you did nothing about it.” The temptation is therefore quite strong not to perform any proactive action at all.
Similar issues may occur in security evaluations. If a card manufacturer knows about a vulnerability, they may not be encouraged to do anything about it, because the laboratory (in particular in a white-box evaluation) may then identify the countermeasure, “reverse engineer” the attack, and apply it. In that case, the temptation is to keep newly identified vulnerabilities secret as long as possible, rather than include protections in products as soon as possible. The second issue applies more generally, and in particular in the context of security evaluations. Here is a rough translation of the argument:
In any complex, and therefore uncertain, system, risk management is based on a principle of individual responsibility. We expect from each individual, in proportion to their competencies, an understanding of the situation and of the consequences of their actions, and decisions based on the ethics of security that is one of the foundations of their job. Making individual failures a legal issue is intended to increase the awareness of this responsibility. It has exactly the opposite effect. The priority of each individual is not to manage the risk professionally, but to minimize their personal risk of indictment. Personal responsibility is replaced by responsibility toward law enforcement. The culture of security is undermined by self-protecting attitudes, generalized caution, dissimulation. And most of all, the inflation of regulation.
This is of course where similar issues occur in security evaluations. The overall objective of a security evaluation should be to regularly increase the overall security of systems. Instead, most evaluations are performed against a predetermined checklist. In such contexts, the creativity of evaluators is not encouraged. If an evaluated manufacturer wants to dismiss a vulnerability, they will not claim that “this vulnerability is not significant, because it cannot be exploited.” Instead, they will claim that “this vulnerability is not included in the requirements document.” In such a case, we witness the same shift from an objective of security improvement to an objective of regulation enforcement.
The issue is of course that regulations cannot evolve as fast as state-of-the-art attacks. The situation of the smart card industry is in that respect quite unique, because there is no notion of full disclosure in the industry, and it is therefore quite safe to rely on regulations that are not regularly updated. This may last for many more years, but it may also stop quite rapidly if attacks start occurring in the wild, and smart card attacks gather more interest from security professionals.