Trustless Computing Certification Body & the SeeVik Pod Service
Since 2013, the Trustless Computing Association (“TCA”) has been promoting the creation and wide adoption of a new high-level IT security standard-setting and certification body, the Trustless Computing Certification Body (TCCB), together with a compliant open computing base, ecosystem and human computing systems, the Seevik Pod Service, that aim to radically exceed the state of the art in the trustworthiness of sensitive digital human computing, while concurrently and solidly enabling legitimate lawful access.
TCCB’s claim to substantially or radically superior levels of IT trustworthiness rests on (1) extreme levels of ethical security review in relation to the complexity of all critical components and processes, (2) the wide use of citizen-witness and citizen-jury oversight processes throughout the service life-cycle, and, most critically, (3) a governance model that ensures extreme levels of altruistic technical proficiency, citizen accountability, independence and resilience to pressures.
CONTEXT & POSITIONING
Our Trustless Computing standards will be downward compatible with eIDAS High from the start, positioning them as a sort of eIDAS High++ certification: they satisfy the highest standards for e-transactions and e-services, but also offer levels of confidentiality and integrity of human computing radically beyond the state of the art. While free-standing as a voluntary public-private initiative, TCCB will be complementary, synergistic and inspirational for existing and upcoming EU- and UN-promoted cybersecurity certifications, aiming to eventually be adopted as their highest assurance level. To that end, it will also be proposed as a “scheme” within the EU Cybersecurity Certification Framework and as a new initiative under UN International Telecommunication Union (ITU-T) processes. It will also promote future downward compatibility with EU Secret and Common Criteria EAL4-6 for future use in advanced governmental sectors.
INITIAL COMPLIANT IT SERVICE & ECOSYSTEM
In parallel, the Association and some of its technical partners, together with its spin-off startup TRUSTLESS.AI, are building the Seevik Pod Service: an initial Trustless-Computing-compliant, low-royalty open target architecture, a HW+SW computing base (Seevik Base) and initial compliant IT services, which will include endpoint computing devices in the form of 2mm-thin touch-screen handheld devices (Seevik Pods) and anonymization and network nodes (Seevik Nodes). All sensitive data and services – of the provider and of users – will be hosted in dedicated hosting rooms (Seevik Rooms) whose access at any time requires 5+ randomly-selected citizen-jurors and which only utilize dedicated compliant servers (Seevik Servers) and locks. A Seevik Store will enable anyone to submit client and server apps for approval by TCCB.
Initially targeting human transactions and communications with ultra-high requirements of confidentiality, integrity and non-repudiability – for high-profile and ordinary persons alike – TCCB will first evolve from a high-level binding certification framework towards a thoroughly detailed certification scheme, and will then expand to use cases that also require high and ultra-high availability, including critical governmental communications, AI and cyber-physical systems.
UNIQUE FABRICATION OVERSIGHT
Fabrication and design of all critical hardware components will be subject to oversight processes, Seevik Fab, that will substantially exceed the NSA Trusted Foundry Program in end-user trustworthiness at substantially lower cost, by adding to state-of-the-art processes the exclusive use of compliant monitoring equipment and the presence of 5 trained citizen-witnesses during the 6-8 critical phases of the chip fabrication process. All Seevik Devices are assembled, verified, flashed and shipped to their users by a compliant electronics manufacturing plant/service (Seevik EMS), applying monitoring processes similar to those of Seevik Fab.
The mission of the Trustless Computing Association, and of its Trustless Computing Certification Body and CivicNet open computing base, is:
Restore, and improve upon, the pre-Internet balance between the public sphere – of streets and squares – and the private sphere – of businesses, homes, and spaces for private assembly – that was crucial to sustain democracy, freedom of speech and freedom of thought in our democratic societies.
Contribute to the wide availability of IT services and life-cycles with radically unprecedented, constitutionally meaningful levels of trustworthiness, sufficiently extreme to enable a responsible remote exercise of political and communication civil rights, except for voting in public institutions; and thereby promote global democratic processes and the digital sovereignty of citizens and democratic nations.
Increase overall public safety and cyber-investigation capabilities, by validating our intuition that citizens’ digital freedoms and states’ ability to investigate criminal suspects are not an “either or” choice but a “both or neither” challenge, which can be substantially resolved by remedying the lack of extremely transparent and accountable certification and oversight.
Contribute to creating and sustaining an ultra-high assurance, low-level, deterministic open computing base and certification governance model, which will be critical to substantially or radically increase the user trustworthiness of security-critical artificial intelligence systems.
Promote the creation and wide adoption of a new multi-stakeholder cybersecurity certification body, and a compliant open computing base and ecosystem, that radically exceed the state of the art in user trustworthiness of IT and AI systems, while increasing public safety, cyber-investigation capabilities and economic growth.
Case for a Trustless Computing Certification Body
Can a new certification body deliver radically unprecedented IT security for all, while at once ensuring legitimate lawful access?
In this position paper, we argue that a new cybersecurity certification body can, and should, be created which will be able to reliably and sustainably certify end-to-end IT services with levels of integrity and confidentiality that radically exceed the current state of the art, civilian and military, while at once solidly enabling only legitimate and constitutional lawful access. Both can be achieved through uniquely uncompromising “zero trust” security-by-design paradigms applied down to each critical life-cycle component, including the certification governance itself.
Authors: Rufo Guerreschi and Udit Dhawan
(Version 1.0 – April 30th 2018)
Excerpt: 1-page Summary
“Recent revelations and reported security breaches have highlighted the fact that even the most stringent current IT security certifications are severely inadequate in their ability to: (a) afford citizens and organizations access to IT services and devices that can meaningfully protect their fundamental civil rights, (b) enable governments to reliably enforce their own regulations aimed at the defense of democratic sovereignty, security agencies’ capabilities and oversight, criminal prosecution, critical infrastructure, and integrity and efficacy of targeted cyber-investigations, and (c) enable an adequate security baseline for the regulation or certification of the most critical deterministic sub-systems of advanced security-critical AI systems, given their huge societal implications.
Goals (a) and (b) have increasingly revealed themselves as interlinked, since the failure of current IT security certifications to provide (a) has in fact been overwhelmingly due to at-all-costs efforts by powerful nations to retain cyber-investigation capabilities through remote and local “lawful hacking”. This has in turn prevented such endpoint cyber-investigation capabilities from achieving the levels of integrity of the evidence so acquired that are required to stand the scrutiny of constitutional courts, and from achieving the resistance to external and internal abuse required to foster the level of international intelligence exchange needed to best prosecute grave international crimes.
In this position paper, we argue that a new cybersecurity certification body, the Trustless Computing Certification Body (“Certification Body” or “TCCB”), could and should be created. It should be suitable to confidently certify end-to-end IT services that are able to sustain levels of integrity and confidentiality radically exceeding current state-of-the-art in their resistance against state-grade remote or local hacking. It should also be suitable for the responsible exercise of citizens’ privacy, assembly, communication and political rights, except for the most sensitive political and institutional voting.
Key paradigms will center on uniquely ultra-high levels of transparency, accountability and oversight of all critically-involved technologies, procedures and people. These include ultra-high “ethical, expert and public security-review in relation to complexity”, advanced citizen-witness and citizen-jury-like oversight processes, and online and in-person multi-jurisdictional secret-sharing techniques. Economic feasibility is granted by radical minimization of features and performance, effective compartmentalization, and critical technical stacks that are time-proven and subject to open IP regimes.
Compliant providers – in order to prevent crimes, stave off their outlawing and cater to user need for safer key recovery – will be mandated to voluntarily (i.e. in excess of legal obligations) offer to national security agencies evaluation of their lawful access requests for adherence to law and international human rights, through an offline key or data escrow/recovery process. By applying the same safeguards used to ensure ultra-high security, and more, the inevitable added risk will be radically mitigated, resulting in compliant IT services that overall reduce the risk of abuse of end-users by anyone to levels that are radically (or at least substantially) lower than any of the other alternative secure IT systems – available today or knowingly in development – whether or not they offer such voluntary processing.”
Why do we need new ultra-high assurance IT paradigms, certification body, and computing base?
Why do we need a new standard-setting and certification body, and a related open target architecture, that achieves levels of trustworthiness radically beyond the state of the art, while increasing public safety and cyber-investigation capabilities?
WikiLeaks’ recent revelations about the widespread availability of CIA hacking tools on the deep web have made it clear that large corporate, financial and public institutions – and of course ordinary citizens – are much more exposed to scalable and targeted endpoint attacks by an ever larger number of competitors, criminals and abusive states than previously thought.
What is often unreported – but well known in top boardrooms and governments – is the impressively low cost and high scalability of carrying out such attacks. State tools like NSA Turbine and NSA FoxAcid, or their private equivalents like Hacking Team RCS, are capable of the automated or semi-automated exploitation and remote management of up to hundreds of thousands of compromised mobile devices.
Today’s commercially available IT technologies – even those meant for the most societally critical use cases – are radically below the level of trustworthiness that is desired, demanded or required by their users for sensitive or critical use-case scenarios. Current standards and certifications are neither strong nor comprehensive enough to deliver such levels of trustworthiness. This produces enormous societal costs and risks of hampered economic and social progress, especially given their impact on our democratic institutions and on the future of artificial intelligence.
Current IT security standards, standard setting and certification processes like NIST, ISO, ETSI – even those of the highest levels of security, such as Common Criteria, FIPS, SOGIS, EU Top Secret, NATO Top Secret – have one or more of the following severe shortcomings:
do not certify any complete end-to-end computing experience and device service and lifecycle, but just parts of devices, server-side service stacks or components;
include critical hardware designs and the fabrication phase only partially, if at all, and when they are included the requirements are very inadequate and incomplete to resist a determined attacker;
are developed in opaque ways by standard organizational processes that are only very indirectly (and inadequately) user- or citizen-accountable, and are subject to various undue pressures;
make dubious crypto requirements, such as “national crypto standards”, including custom elliptic cryptographic curves, that leave substantial doubts about the ability of certain national agencies (and potentially others) to bypass them;
certify devices that are embedded into or critically connected to other devices that are not subject to the same certification processes;
have very slow and costly certification processes, due to various organizational inefficiencies and to the fact that they mostly certify large (and often new) proprietary target architectures, rather than an extension of certified and open ones.