Appendix D Models for GSSP
This section discusses three areas in which technical standards are set by the kind of private sector-public sector interaction that this committee is recommending for Generally Accepted System Security Principles (GSSP): the building codes, the Underwriters Laboratories, Inc., and the Financial Accounting Standards Board. The latter organization is responsible for what have been called Generally Accepted Accounting Principles (GAAP), a set of standards that provides a model for the GSSP proposal.
Building codes endeavor to establish standards for safe construction. The field is marked by extreme decentralization, with codes mandated and enforced by local municipalities. The quality of code enforcement depends on the particular code enforcement officials (Falk, 1975). The codes themselves are based on so-called model codes that are produced by a small number of competing organizations. These code-writing organizations are associations of enforcement officers and therefore can be thought of as representing the government sector exclusively. There is, however, significant private sector input into the process from the various materials suppliers and their trade associations.
Building codes contain both performance and specification standards. A pure performance standard would stipulate something like, "Walls of residences must resist the spread of fire to the degree necessary to allow occupants to escape." Such standards, because they are so difficult to evaluate (the only true test of failure would be in an actual fire), are generally recast in a testable form, such as, "Materials used in residence walls must resist an x degree fire for y minutes." Upholding even this standard requires the existence of testing capabilities that may be beyond the resources of an enforcement activity, and so the pressure from the evaluation community is for specification standards, such as, "Residence walls must be covered with a double layer of 3/4-inch sheetrock."
Performance standards are viewed as being fairer and as providing greater room for innovation, but they impose a much greater burden on the evaluators.
Building codes have been widely criticized as inhibiting innovation and raising construction costs by mandating outdated materials and labor practices. In part, this is a natural byproduct of the specification approach, which militates against new technologies that deviate from the required specifications. In some cases the problem reflects local failures to adopt the latest revisions to model codes (Falk, 1975).
Underwriters Laboratories, Inc.
Underwriters Laboratories, Inc. (UL) was established essentially by an entrepreneurial process because insurance companies could not rate the hazards resulting from new technology, in this case, electric lighting. It began as a purely private sector activity and then, because of the quality of its work, became recognized by the government. It operates as both a standard-setting and an evaluation organization, issuing its famous "Seal of Approval" to equipment and components that meet its standards (Underwriters Laboratories, Inc., 1989, 1990b). As described by one journalist,
The UL Mark … means that the equipment has been checked for potential hazards, using objective tests laid out in detailed handbooks called Standards. No federal law mandates such testing. But UL's clients, manufacturers who pay to have their products tortured and then listed by the lab, know that the Mark is an important selling point. (Williams, 1988, p. 79)
Underwriters Laboratories, Inc., has developed a preliminary draft of a software safety standard, scheduled to be completed in 1990 (Underwriters Laboratories, Inc., 1990a). It is forming an Industry Advisory Committee, open to interested parties, to assist it in drafting a formal UL standard. Burglary protection systems, motor control mechanisms (e.g., for temperature, speed), industrial computers (i.e., programmable machines), "smart" appliances, and medical devices have been identified by UL as having software that affects safety and thus should be evaluated. Note, however, that UL is a public safety organization. It does not necessarily deal with certification, verification, and so on, unless a device affects safety.
Financial Accounting Standards Board
The history of the Financial Accounting Standards Board (FASB) dates to the stock market crash of 1929 and the entry of the government into the capital markets through the establishment of the Securities and Exchange Commission (SEC). In the late 1930s, when SEC activism was at a peak, the American Institute of Certified Public Accountants formed a part-time and volunteer Accounting Practices Board to set accounting standards. The clear aim of this activity was to forestall government-mandated standards; this aim persists in FASB's own description of what causes a standard to be promulgated, where potential SEC or congressional action is explicitly mentioned as a criterion in deciding whether a new standard is needed. Overwhelmed by the changes in the financial markets in the 1960s, the Accounting Practices Board instituted a study in the early 1970s that led to the establishment of a full-time independent institute, the Financial Accounting Foundation (FAF), to oversee the FASB and the production of what have been referred to as Generally Accepted Accounting Principles (GAAP) and other standards of financial accounting and reporting for private sector organizations. Similar standards are established by a newer sister unit of the FASB for the public sector, the Government Accounting Standards Board (GASB). According to its own literature,
The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information.…
The FASB develops broad accounting concepts as well as standards for financial reporting. It also provides guidance on implementation of standards.…
The Board's work on both concepts and standards is based on research conducted by the FASB staff and by others. (FASB, 1990)
The Financial Accounting Foundation, FASB, and GASB serve to maintain the independence of the accounting profession by providing an effective alternative to government regulation. The effectiveness of the alternative rests on the use of standards to maintain what is called the "decision usefulness" of accounting information. In simplified form, accounting information has decision usefulness if the standards under which it was generated permit meaningful comparison of financial data from different companies that are competing for capital (e.g., from potential purchasers of common stock). Accounting standards differ from engineering standards in that they are not subject to verification by experiment (e.g., failure of a beam under loading) and their wording balances the concerns of buyers and sellers in the capital markets.
In order to achieve this balance, the FASB has established an elaborate due process for the establishment of standards. The process appears to work reasonably well; the primary criticisms levied against the FASB are those of "standards overload," in which the establishment of a full-time standards-setting body has had the not surprising outcome that a large number of standards have been established. This prolificness combined with the large number of practicing accountants may be one reason why the FAF has earned some $10 million in revenue from sales of publications (FAF, 1990). Also, the FASB and GASB are independent of relevant professional organizations.
At the end of its first decade the FASB received approximately 40 percent of its financial support from the accounting profession and 60 percent from outside sources such as financial institutions and banks. More recently, the FASB has run deficits, in part because it "has always had the delicate problem of having to seek contributions from the very companies it sometimes alienates" (Cowan, 1990). The FAF considers contributions as essential to its viability (FAF, 1990).
The FASB and the GAAP can be viewed as a modified or hybrid form of professional self-regulation, in which a professional community, under constant threat of government intervention, prevents that intervention by satisfactorily handling the various problems themselves. The GAAP have force of law in that their use is required for financial reporting by companies that raise capital in the regulated markets. They are recognized as authoritative by the SEC (Sprouse, 1987). The SEC and the General Accounting Office maintain liaison with both the FASB and GASB.
LESSONS RELEVANT TO ESTABLISHING GSSP
Each of the undertakings discussed in this appendix offers lessons that are relevant to the concept of GSSP and the manner in which GSSP may be defined and enforced.
The experience with building codes indicates clearly that having competing standards and decentralized evaluation and enforcement is counterproductive; these factors inhibit technological progress. It is also clear that any set of standards will always have some mix of performance and specification requirements. It appears to be a fundamental principle of standards and evaluation that performance standards permit more rapid evolution than do specification standards, but at the cost of difficulty of evaluation. Note that in both building code and computer security experience, major innovations have taken some ten years to go from concept to general acceptance.
The UL experience shows that an evaluation process can be initiated in the private sector and then accepted by government, and that it is not necessary to begin such an activity with a legal or administrative mandate. The FASB is also an example of a private effort that achieved government recognition.
The FASB's history shows quite clearly that a forcing function is needed both initially and in the long term. In the case of the FASB it is the threat of government regulation of a particular profession. The experience with the FASB, and to a lesser extent the building codes, shows the importance of determining, by consensus, standards that balance the interests of all involved parties, and of setting up those standards according to a due process. The FASB's history also illustrates the importance of institutional independence in balancing pressures and criticisms from interested parties.
Those concerned with setting standards for computer security should nevertheless be cautious in drawing too close an analogy to the FASB. Computer security does not involve an organized, recognized profession whose prerogatives are threatened. Much less money is involved (at least directly), and a clear forcing function, either in the form of an initiating incident or ongoing threat of government action, is not present, although a liability crisis for system vendors, were it to develop, could serve that purpose.