Introduction to the Trustless Computing Certification Body & the SeeVik Net
Since 2013, the Trustless Computing Association (TCA) has been promoting the creation and wide adoption of a new high-level IT security standard-setting and certification body, the Trustless Computing Certification Body (TCCB), and a compliant open computing base and ecosystem, Seevik Net, that radically exceeds the state of the art in trustworthiness of critical human computing IT systems, while concurrently solidly enabling legitimate lawful access.
Initially targeting human transactions and communications with ultra-high requirements of confidentiality, integrity and non-repudiability – for high-profile and ordinary persons alike – TCCB will first evolve from a high-level binding certification framework towards a thoroughly detailed certification scheme, and will then expand to use cases that also require high and ultra-high availability, including critical governmental communications, AI and cyber-physical systems.
Its claim to substantially or radically superior levels of IT trustworthiness is rooted in (1) extreme levels of ethical security review in relation to the complexity of all critical components and processes, (2) the wide utilization of citizen-witness and citizen-jury oversight processes throughout the service life-cycle, and, most critically, (3) a governance model ensuring extreme levels of citizen accountability, altruism, independence and technical proficiency.
Such a new Certification Body, while free-standing as a voluntary public-private initiative, will also be proposed as a “schema” within the EU Cybersecurity Certification Framework and as a new initiative under UN International Telecommunication Union (ITU-T) processes. It strongly promotes future downward compatibility with respect to EU Secret, eIDAS Qualified, Common Criteria EAL4 and SOG-IS. TCCB will be complementary, synergistic and inspirational for existing and upcoming cybersecurity certifications, aiming to eventually be adopted as their highest assurance level at some point in the future.
In parallel, the Association, its partners, and its spin-off startup TRUSTLESS.AI are building Seevik Net, an initial Trustless-Computing-compliant low-royalty open target architecture, HW+SW computing base (Seevik Base) and initial compliant IT services, which will include endpoint computing devices in the form of 2mm-thin touch-screen handheld devices (Seevik Pods) and anonymization and network nodes (Seevik Nodes). All sensitive data and services – of the provider and users – will be hosted in dedicated hosting rooms (Seevik Rooms) whose access at any time requires 5+ randomly-selected citizen-jurors and which only utilize dedicated compliant servers (Seevik Servers) and locks. A Seevik Store will enable anyone to submit client and server apps for approval by TCCB.
Fabrication and design of all critical hardware components will be subject to oversight processes, Seevik Fab, that will substantially exceed the NSA Trusted Foundry Program in end-user trustworthiness at substantially lower cost, by adding to state-of-the-art processes the exclusive use of compliant monitoring equipment and the presence of 5 trained citizen-witnesses during the 6-8 critical phases of the chip fabrication process. All Seevik Devices are assembled, verified, flashed and shipped to their users by a compliant electronics manufacturing plant/service (SeevikEMS), applying monitoring processes similar to those of Seevik Fab.
Case for a Trustless Computing Certification Body
Can a new certification body deliver radically unprecedented IT security for all, while at once ensuring legitimate lawful access?
In this position paper, we argue that a new cybersecurity certification body can, and should, be created which will be able to reliably and sustainably certify end-to-end IT services with levels of integrity and confidentiality that radically exceed current state-of-the-art, civilian and military, while at once solidly enabling only legitimate and constitutional lawful access. Both can be achieved through uniquely uncompromising “zero trust” security-by-design paradigms down to each critical life-cycle component, including the certification governance itself.
Authors: Rufo Guerreschi, Udit Dhawan, Trustless Computing Association.
(Version 1.0 published on April 30th 2018. Presented at our Free and Safe in Cyberspace in Berlin in May 2018)
A 1-page excerpt summary from the full position paper:
“Recent revelations and reported security breaches have highlighted the fact that even the most stringent current IT security certifications are severely inadequate in their ability to: (a) afford citizens and organizations access to IT services and devices that can meaningfully protect their fundamental civil rights, (b) enable governments to reliably enforce their own regulations aimed at the defense of democratic sovereignty, security agencies’ capabilities and oversight, criminal prosecution, critical infrastructure, and integrity and efficacy of targeted cyber-investigations, and (c) enable an adequate security baseline for the regulation or certification of the most critical deterministic sub-systems of advanced security-critical AI systems, given their huge societal implications.
Goals (a) and (b) have increasingly revealed themselves as interlinked, since the failure of current IT security certifications to provide (a) has in fact been overwhelmingly due to at-all-costs efforts by powerful nations to retain cyber-investigation capabilities through remote and local “lawful hacking”. This has in turn prevented such endpoint cyber-investigation capabilities from achieving the levels of integrity required for the evidence so acquired to stand the scrutiny of constitutional courts, and from achieving their own required resistance to external and internal abuse needed to foster the level of international intelligence exchange required to best prosecute grave international crimes.
In this position paper, we argue that a new cybersecurity certification body, the Trustless Computing Certification Body (“Certification Body” or “TCCB”), could and should be created. It should be suitable to confidently certify end-to-end IT services that are able to sustain levels of integrity and confidentiality radically exceeding current state-of-the-art in their resistance against state-grade remote or local hacking. It should also be suitable for the responsible exercise of citizens’ privacy, assembly, communication and political rights, except for the most sensitive political and institutional voting.
Key paradigms will center on uniquely ultra-high levels of transparency, accountability and oversight of all critically-involved technologies, procedures and people. These include ultra-high ethical, expert and public security review in relation to complexity, advanced citizen-witness and citizen-jury-like oversight processes, and online and in-person multi-jurisdictional secret-sharing techniques. Economic feasibility is granted by radical minimization of features and performance, effective compartmentalization, and critical technical stacks that are time-proven and subject to open IP regimes.
Compliant providers – in order to prevent crimes, stave off its outlawing and cater to user need for safer key recovery – will be mandated to voluntarily (i.e. in excess of legal obligations) offer to national security agencies evaluation of their lawful access requests for adherence to law and international human rights, through an offline key or data escrow/recovery process. By applying the same safeguards used to ensure ultra-high security, and more, the inevitable added risk will be radically mitigated, resulting in compliant IT services that overall reduce the risk of abuse of end-users by anyone to levels that are radically (or at least substantially) lower than any of the other alternative secure IT systems – available today or knowingly in development – which do or do not offer such voluntary processing.”
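The multi-jurisdictional secret-sharing and juror-quorum escrow just described, illustrated with an added example that is not from the original paper or the TCA: Shamir secret sharing over a prime field, where an escrow key is split among several jurors and only a quorum can reconstruct it. The field prime, the 5-of-8 juror layout and the function names are assumptions made here.

```python
"""Threshold key escrow via Shamir secret sharing (added illustration, not TCA code)."""
import secrets

# Field prime: 2**127 - 1 (a Mersenne prime). Secrets must be integers below it.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares, rng=secrets.randbelow):
    """Split an integer secret into n_shares; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x=0. Correct only with >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def juror_quorum_demo(secret, jurors=8, quorum=5):
    """One share per (assumed) juror: the quorum recovers the key, a smaller group does not.
    With quorum-1 shares the interpolant at 0 equals the secret only if the top random
    coefficient is 0, i.e. with probability 1/PRIME."""
    shares = split_secret(secret, quorum, jurors)
    with_quorum = recover_secret(shares[:quorum]) == secret
    below_quorum = recover_secret(shares[:quorum - 1]) == secret
    return with_quorum, below_quorum
```

Shares held in different jurisdictions mean no single jurisdiction's process can reach the key alone, which is the property the escrow safeguards above rely on.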
Why do we need new ultra-high assurance IT paradigms, certification body, and computing base?
Why do we need a new standard-setting and certification body, and a related open target architecture, that achieve levels of trustworthiness radically beyond the state of the art, while increasing public safety and cyber-investigation capabilities?
Wikileaks' recent revelations about the widespread availability of CIA hacking tools on the deep web have made it clear that large corporate, financial and public institutions – and of course ordinary citizens – are much more exposed to scalable and targeted endpoint attacks by an ever larger number of competitors, criminals and abusive states than previously thought.
What is often unreported – but well known in top boardrooms and governments – is the impressively low cost and high scalability of carrying out such attacks. State tools like NSA Turbine and NSA FoxAcid, or their private equivalents like Hacking Team RCS, are capable of the automated or semi-automated exploit and remote management of up to hundreds of thousands of exploited mobile devices.
Today's commercially available IT technologies – even those meant for the most societally critical use cases – are radically below the level of trustworthiness that is desired, demanded or required by their users for sensitive or critical use-case scenarios. Current standards and certifications are neither strong nor comprehensive enough to deliver such levels of trustworthiness. This produces enormous societal costs and risks of hampered economic and social progress, especially given their impact on our democratic institutions and on the future of artificial intelligence.
Current IT security standards, standard setting and certification processes like NIST, ISO, ETSI – even those of the highest levels of security, such as Common Criteria, FIPS, SOGIS, EU Top Secret, NATO Top Secret – have one or more of the following severe shortcomings:
do not certify any complete end-to-end computing experience and device service and lifecycle, but just parts of devices, server-side service stacks or components;
include only partially, if at all, critical hardware designs and the fabrication phase, and when they are included the requirements are very inadequate and incomplete to resist a determined attacker;
are developed in opaque ways by standard organizational processes that are only very indirectly (and inadequately) user- or citizen-accountable, and subject to various undue pressures;
make dubious crypto requirements, such as “national crypto standards”, including custom elliptic cryptographic curves, that leave substantial doubts about the ability of certain national agencies (and potentially others) to bypass them;
certify devices that are embedded into or critically connected to other devices that are not subject to the same certification processes;
have very slow and costly certification processes, due to various organizational inefficiencies and to the fact that they mostly certify large (and often new) proprietary target architectures, rather than an extension of certified and open ones.
The mission of the Trustless Computing Association, and of its Trustless Computing Certification Body and CivicNet open computing base, is:
Restore, and improve upon, the pre-Internet balance between the public sphere – of streets and squares – and the private sphere – of businesses, homes, and spaces for private assembly – that was crucial to sustain democracy, freedom of speech and freedom of thought in our democratic societies.
Contribute to the wide availability of IT services and life-cycles with radically-unprecedented, constitutionally meaningful levels of trustworthiness, that are sufficiently-extreme to enable a responsible remote exercise of political and communication civil rights, except public institution vote; and therefore promote global democratic processes, and digital sovereignty of citizens and democratic nations.
Increase overall public safety and cyber-investigation capabilities, by validating our intuition that citizens’ digital freedoms and states’ ability to investigate criminal suspects are not an “either or” choice, but a “both or neither” challenge, and which can be substantially resolved by solving the lack of extremely transparent and accountable certification and oversight.
Contribute to creating and sustaining an ultra-high assurance low-level deterministic open computing base and certification governance model, which will be critical to substantially or radically increase the user trustworthiness of security-critical artificial intelligence systems.
Promote the creation and wide adoption of a new multi-stakeholder cybersecurity certification body, and a compliant open computing base and ecosystem, that radically exceed the state of the art in user trustworthiness of IT and AI systems, while increasing public safety, cyber-investigation capabilities and economic growth.
The world is rapidly turning into a Hacker Republic. On one hand, most political and economic power accrues to those with sustained informational and malicious hacking superiority in critical communications and AI systems, resulting in a huge asymmetry of power between them and all others and creating two classes of citizens. On the other hand, ethical hackers and whistle-blowers perform a crucial public service in reining in such power by informing citizens and legislators, through revelations about critical vulnerabilities and unconstitutional state surveillance programs, and by unearthing mass-scale crimes and frauds of the rich and powerful.
We believe that meaningful personal freedom and effective public safety in cyberspace may not be an “either or” choice, but a “both or neither” challenge that can be radically improved through the same kind of uncompromisingly distrustful oversight and certification processes that produced unimaginable levels of success in the safety of commercial aviation, the integrity of paper-based democratic election systems, and the security of socio-technical systems for the defense of weapons of mass destruction.
Neither freedom nor safety are available today because all or nearly all communications IT systems are scalably compromisable – even the most secure ones and cyber-investigation tools – by many critical vulnerabilities and back-doors that a few powerful nations have directly implanted or implicitly sanctioned by hugely financing the zero day market, by deliberate strategic subversion of key IT life-cycles, by not disclosing found vulnerabilities, and by deliberately promoting broken certification standards.
This state of affairs is inevitable for nearly all current systems, even high trustworthiness ones, because their technical and life-cycle complexity is by at least one order of magnitude beyond any sufficient verification, no matter what budget. It is not inevitable, on the other hand, for IT systems, services and life-cycle that would certifiably implement extreme levels of transparency, accountability, oversight and ethical security-review relative to complexity for all technologies and processes critically involved; from CPU design to fabrication oversight, from hosting facilities access management to standard setting governance.
Extreme compartmentalization, and minimization of features and complexity, in hardware and software, can economically allow radically-unprecedented and consistently-extreme levels of ethical security review relative to the complexity of all software, firmware, hardware and processes – including hardware design and fabrication, and hosting room management processes – that are critically involved in a TC-compliant IT service, and its life-cycle. The availability of at least one open low-level TC-compliant computing base will instead ensure wide uptake.
Meaningful digital confidentiality and integrity, ultimately, are not a product, nor a service or a process, but the by-product of the relevant organizational and human processes that are critically involved in the fruition, provisioning and life-cycle of a given IT service or experience. It is therefore critical that so-called privacy-by-design and security-by-design paradigms be brought to their ultimate conclusion, by requiring that IT services be trust-free, i.e. devoid of the need or assumption of any unverified trust in anyone or anything, except in the quality of self-guaranteeing transparent and accountable organizational processes, underlying all critical service and technology life-cycles and provisioning, whose quality is recognizable by moderately informed and educated citizens.
The trustworthiness of an IT service should not be assessed according to the compliance of part of its critical components with insufficiently comprehensive, state-subverted and self-referential certification standards, or according to reputation – as is done today through the dominant “trusted computing model”. Rather, it will be measured through an utterly trustless, fine-grained, continuous modeling and real-time transparent monitoring of all relevant technological and procedural intrinsic constraints, and of all relevant organizational, economic, liability, legal and social behavioral disincentives, that might cause critically-involved individuals and organizations to perform unexpected compromising actions.