It is commonly agreed that the market for cybersecurity products and services is what economists call a lemon market (according to the 1970 work of the economist George Akerlof, who jointly received the prestigious Nobel Memorial Prize in Economic Sciences with Michael Spence and Joseph Stiglitz in 2001), and people sometimes argue that certification may remedy the situation.
In this note, I contradict this argument, mainly because the market for certificates is itself a lemon market. So the key question is: Can we remedy a lemon market by putting in place another lemon market, or do we need something else? To argue reasonably about this question, one first has to look at the market for certificates as it stands today.
Since the early 1980s, people have tried to define criteria to evaluate and certify the security of computer systems used for the processing, storage, and retrieval of sensitive or even classified information. In 1983, for example, the U.S. Department of Defense (DoD) released the Trusted Computer System Evaluation Criteria (TCSEC), frequently referred to as the Orange Book. In 1998, the European Union published its Information Technology Security Evaluation Criteria (ITSEC), based on previous work done in Germany, France, the United Kingdom, and the Netherlands. These and a few other initiatives finally culminated in the Common Criteria (CC), which refer to internationally agreed and standardized criteria to evaluate and certify the security of computer systems. Unfortunately, the CC are not self-contained, meaning that every nontrivial set of functionalities requires a protection profile (PP) against which the CC can be applied. These PPs are usually defined by the largest manufacturers in the respective field, and hence they tend to be somewhat biased towards what the leading products can already do. Also, certificates issued in the context of a CC PP are usually hard for customers to understand. The situation is far from mature and satisfactory for both the manufacturers and the customers.
A similar lack of maturity applies to certificates issued for information security management systems (ISMS) according to ISO/IEC 27001. The systems can be customized and fine-tuned according to their scopes and statements of applicability, and hence one has to look exactly at what an ISO/IEC 27001 certificate actually stands for. It does not necessarily stand for best practices and a reasonable level of security in all cases. As is usually the case in security, the devil is in the details.
In all types of certificates that are currently on the market, including the CC and ISO/IEC 27001, the owner of the certificate pays for the evaluation and certification processes done by some accredited body. This is expensive and time-consuming. Consequently, almost all actors go for a body that is minimally invasive. This means that the body that makes the best offer is usually going to win the competition. It also means that the market is driven by pricing, and that low-priced offerings are always preferred. This is exactly how a lemon market works, and it downgrades quality in the long term.
The bottom line is that we have a lemon market for cybersecurity products and services that we want to remedy with another lemon market for certificates. This is not going to work. The manufacturers of low-security products and services are always going to find a body that takes a loose stance and doesn't really question the security promises of the products and services it looks at. The body will find something (it has to, because it is paid for it), and everybody is happy as long as the findings are not too embarrassing. Even the customers like a positive statement in favor of security. The economic incentives are not going to change unless the customers pay for the evaluation and certification. This, however, is illusory and not going to happen. So we have to live with the situation that security certificates are neither expressive nor particularly useful, and we have to find other means to convince ourselves of the security of a product or service. This is not simple, but it is needed in the field.