INTRO

Our proposed new Trustless Computing Certification Body will constitute a new high-level cybersecurity certification body  suitable for ultra-high levels of assurance, rooted in on a governance with extreme levels of citizen accountability, independence and technical proficiency, the wide utilization of citizen-witness and citizen-jury oversight processes throughout the service lifecycle, and extreme levels of ethical security review in relation to complexity. In parallel, and an initial TC-compliant low-royalty open target architecture and computing base and IT serviceCivicNet, will be built by the Association R&D and governance partners and the Association spin-off startup TRUSTLESS.AI. While initially a certification scheme for enterprise and consumer transactions and communications with ultra-high assurance of confidentiality, integrity and non-repudiability, theTrustless Computing Certification Body will expand to other sub-domains, to ultra-high availability use cases, and strongly promote downward compatibility in respect to EU SecreteIDAS QualifiedCommon Criteria EAL4, SOG-IS, and the inspire future certification schemes produced by the European Cybersecurity Certification Framework. It will be complementary, synergic and inspirational for existing and upcoming cybersecurity certifications, aiming to eventually be adopted as their highest assurance level at some point in the future.

The initial compliant open general-purpose computing base (CivicBase) and initial complaint IT services (CivicNet and CivicChain) will include include compliant endpoint computing devices, in the form of a 2mm-thin touch-screen e-ink screen handheld device (CivicPods) and anonymization and network nodes (CivicNode) running on dedicated desktop docking stations (CivicDocks) that include an HDMI switch to connect the CivicPod to the user desktop monitor.

All security and privacy-sensitive data and services – of the provider and the users – will be hosted in dedicated hosting room, CivicRoom, whose access at any time requires 5 randomly-selected citizen-jurors and only utilize dedicated servers (CivicServers). The same base HW&SW base will run CivicDevices and CivicRoom locks. A CivicStore, managed by TRUSTLES.AI will offer additional client and server apps available in a (CivicStore), while anyone will be able to offer dApps on our semi-permissioned blockchain (CivicChain)running on CivicDocks

Fabrication and design of all critical hardware components will be subject to oversight processes, CivicFab, that will substantially exceed in end-user-trustworthiness those of NSA Trusted Foundry Program, at substantially lower costs; by adding to state-of-the-art process the exclusive use of compliant monitoring equipment and the presence of 5 trained citizen-witnesses, during the 6-8 critical phases of the chip fabrication process.  All CivicDevices are assembled, verified, flashed and shipped to their users by a compliant electronics manufacturing plant/service (CivicEMS), applying monitoring processes similar to the CivicFab.

WHY do we need new cybersecurity certification body, paradigms and computing base?

Why do we need a new standard-setting and certification body, and related open target architecture, that achieves levels of trustworthiness that are radically beyond state-of-the-art, while increasing public safety and cyber-investigation capabilities?!

Wikileaks recent revelations, about the widespread availability of CIA hacking tools in the deep web, has made it clear that large corporate, financial and public institutions – and of course simple citizens – are much more exposed to scalable and targeted endpoint attacks by an ever larger number of competitors, criminals, and abusive states, than previously thought.

What is often unreported – but well known in top boardrooms and governments – is the impressively low cost and high scalability of carrying out such attacks. State tools like NSA Turbine and NSA FoxAcid, or their private equivalents like Hacking Team RCS, are capable of the automated or semi-automated exploit and remote management of up to hundreds of thousands of exploited mobile devices.

Todays’ commercially available IT technologies – even those meant for the most societal critical use cases – are radically below the level of trustworthiness that is desired, remanded or required by its users for sensitive or critical use case scenarios. Current standards and certifications are not strong nor comprehensive enough to deliver such levels of trustworthiness. This produces enormous societal costs and risks of hampered economic and social progress, especially given their impact on our democratic institutions and on the future of artificial intelligence.

Current IT security standards, standard setting and certification processes like NIST, ISO, ETSI – even those of the highest levels of security, such as Common Criteria, FIPS, SOGIS, EU Top Secret, NATO Top Secret – have one or more of the following severe shortcomings:

  • do not certify any complete end-to-end computing experience and device service and lifecycle, but just parts of devices, server-side service stacks or components;
  • include only partially, if at all, critical hardware designs and fabrication phase, and when they are included the requirements and very inadequate and incomplete to resist a determined attacker;
  • are developed in opaque ways by standard organizational processes that are only very indirectly (and inadequately) user- or citizen-accountable, and subject to various undue pressures;
  • make dubious crypto requirements, such as “national crypto standards”, including custom elliptic cryptographic curves, that leave substantial doubts about the ability of certain national agencies (and potentially others) to bypass them;
  • certify devices that are embedded into or critically connected to other devices that are not subject to the same certification processes;
  • have very slow and costly certification processes, due to various organizational inefficiencies and to the fact that they mostly certify large (and often new) proprietary target architectures, rather than an extension of certified and open ones.

MISSION

The mission of the TrustlessComputing Association, and its Trustless Computing Certification Body and CivicNet open computing base is:
  • Restore, and improve upon, the pre-Internet balance between the public sphere – of streets and squares – and the private sphere – of businesses, homes, and spaces for private assembly – that was crucial to sustain democracy, freedom of speech and freedom of thought in our democratic societies.
  • Contribute to the wide availability of IT services and life-cycles with radically-unprecedented, constitutionally meaningful levels of trustworthiness, that are sufficiently-extreme to enable a responsible remote exercise of political and communication civil rights, except public institution vote; and therefore promote global democratic processes, and digital sovereignty of citizens and democratic nations.
  • Increase overall public safety and cyber-investigation capabilities, by validating our intuition that citizens’ digital freedoms and states’ ability to investigate criminal suspects are not an “either or” choice, but a “both or neither” challenge, and which can be substantially resolved by solving the lack of extremely transparent and accountable certification and oversight.
  • Contribute to creating and sustaining an ultra-high assurance low-level deterministic open computing base and certification governance model, that will be critical to substantially or radically increase the user trustworthiness of security-critical artificial intelligence systems.Promote the creation and wide adoption of new multi-stakeholder cybersecurity certification body, and an compliant open computing base and ecosystem, that radically-exceed state-of-the-art in user-trustworthiness of IT and AI systems, while increasing public safety, cyber-investigation capabilities and economic growth.”

MANIFESTO

During our last Free and Safe in Cyberspace event in Berlin, on May 4th 2018, we presented this Manifesto,which you can endorse and sign below, in its version 1.0 and a related Position Paper:

The world is rapidly turning into a Hacker Republic. On one hand, most political and economic power accrues to those with sustained informational and malicious hacking superiority in critical communications and AI systems, resulting in a huge asymmetry of power between them and all others, creating two sets of citizens. On the other hand, ethical hackers and whistleblowers serve crucial public service to reign in such power by informing citizens and legislators, through revelations about critical vulnerabilities, unconstitutional state surveillance programs, and unearthing mass-scale crimes and frauds of the rich and powerful.

We believe that meaningful personal freedom and effective public safety in cyberspace may be not “either or” choice, but a “both or neither” challenge that can be radically improved through the same kind of uncompromisingly distrustful oversight and certification processes that produced unimagined levels of success in the safety of commercial aviation, the integrity of paper democratic election systems, and security of socio-technical systems for defense of weapons of mass destruction.

Neither freedom nor safety are available today because all or nearly all communications IT systems are scalably compromisable – even the most secure ones and cyber-investigation tools – by many critical vulnerabilities and backdoorsthat a few powerful nations have directly implanted or implicitly sanctioned by hugely financing the zero day market, by deliberate strategic subversion of key IT lifecycles, by not disclosing found vulnerabilities, and by deliberately promoting broken certification standards.

This state of affairs is inevitable for nearly all current systems, even high trustworthiness ones, because their technical and lifecycle complexity is by at least one order of magnitude beyond any sufficient verifiability, no matter what budget. It is not inevitable, on the other hand, for IT systems, services and lifecycle that would certifiably implement extreme levels of transparency, accountability, oversight and ethical security-review relative to complexity for all technologies and processes critically involved; from CPU design to fabrication oversight, from hosting facilities access management to standard setting governance.

Extreme compartmentalization, and minimization of features and complexity, in hardware and software, can economically allow radically-unprecedented and consistently-extreme levels of ethical security review relative to the complexity of all software, firmware, hardware and processes – including hardware design and fabrication, and hosting room management processes – that are critically involved in a TC-compliant IT service, and its lifecycle. The availability of at least one open low-level TC-compliant computing base will instead ensure wide uptake.

Meaningful digital confidentiality and integrity, ultimately, are not a product, nor a service or a process, but the by-product of the relevant organizational and human process that are critically-involved in fruition, provisioning and lifecycle of a given IT service or experience. It is therefore critical that “so called” privacy-by-design and security-by-design paradigms be brought to their ultimate conclusion, by requiring that IT services be trust-free, i.e. devoid of the need or assumption of any unverified trust in anyone or anything, except in quality of self-guaranteeing transparent and accountable organizational processes, that underlie all critical service and technology lifecycle and provisioning, whose quality is recognizable by moderately informed and educated citizens.

The trustworthiness of an IT service should not be assessed according to compliance of part of its critical components to insufficiently comprehensive, state-subverted and self-referential certification standards, or according to reputation – as it is done today through the dominant “trusted computing model”. Rather it will be measured through a utterly trustless fine-grained continuous modeling and real-time transparent monitoring of all relevant technological and procedural intrinsic constraints and all relevant organizational, economic, liability, legal and social behavioral disincentives, that might cause individuals and organizations critically-involved to perform unexpected compromising actions.