Fight global warming with the Common Criteria
There seems to be an unexpected benefit to Common Criteria certifications: they may actually be able to effectively combat global warming. Here's why.
There are essentially two ways to reduce the amount of carbon dioxide in the air: you can either stop adding more or you can find a way to take some out. Planting more trees is an easy way to remove carbon dioxide from the air because the cellulose fibers and the other components of wood are made from carbon dioxide that trees get from air. In the language that's used to discuss global warming, trees are a carbon dioxide "sink." Some businesses even promise to take advantage of this fact by planting additional trees to offset any emissions that their operations create. The information security industry may have its own way to take advantage of this, and it relates to the Common Criteria.
Buying security products can be tricky because you can't always tell if they're working or not. If you have an intrusion detection system running, for example, you know that you're going to have false alarms as well as missing some real intrusion attempts, and those missed attacks can cause trouble. You can hope to get the number of such missed attacks down to an acceptable level, but you'll never really know how many you missed. With spam filtering you have a similar trade-off between mislabeling legitimate e-mail as spam and letting spam sneak through your filter, and unless you check the list of messages that have been identified as spam on a regular basis, you'll never know how many messages were mislabeled.
If a vendor claims that their spam filtering technology only misidentifies 0.01 percent of legitimate e-mail as spam while catching 99.99 percent of all spam, you might be inclined to think that they got this estimate under laboratory conditions that may not reflect the real-world. On the other hand, if an independent testing laboratory comes up with the same estimate, you'd probably be more inclined to believe it. So one good way to work around the problem of the unknown quality of security products is to have an independent third-party test them and certify them as being good in some way. Doing this helps both security vendors and their customers. The vendors benefit from the trust that comes with such a certification as well as the shorter sales cycle that it can bring. Their customers benefit by the reduced effort required to test the products before buying them.
On the other hand, too many certifications can also be a problem. Getting products certified is expensive and time-consuming, so vendors certainly don't want to do separate certifications for each country or for each industry segment. So from the point of view of security vendors, the Common Criteria is very useful. As its name tells us, it’s supposed to be a single standard that’s widely accepted. So by getting their products Common Criteria certified, vendors only need to get a single certification rather than needing to get many different certifications.
But the Common Criteria uses a very generalized definition of a product that includes lots of additional specialized documentation that has little or no relevance to the actual security provided by the product. These documents are almost impossible for a non-specialist to get correct, and most of the time and effort spent on a Common Criteria certification is spent getting these documents just right. And because these documents are considered part of the product from the Common Criteria point of view, supporters of the Common Criteria can point to the errors that occur in these documents as proof that evaluations virtually always uncover “flaws” in security products. This is definitely not the kind of standard that security vendors or their customers would develop on their own, and it really doesn’t provide the type information that most customers find useful.
Because products (at least as most people would define it – which does not include this specialized documentation) almost never changes during the evaluation process, being Common Criteria certified doesn’t really give customers much useful information about the product that they might buy – it just verifies that lots of unnecessary paperwork was completed. Because of this, customers still need to do additional security testing of products that are Common Criteria certified, which eliminates one of the key advantages that a certified product is supposed to provide. On the other hand, the unnecessary paperwork created by a Common Criteria evaluation provides an additional benefit: it helps to fight global warming.
The reams of paper that are used for the Common Criteria documents come from trees, which are great carbon dioxide sinks. So the extra documentation that the Common Criteria process requires may actually have a beneficial side effect: the paper that's used for the Common Criteria documentation binds up carbon that came from carbon dioxide in the air, making it unavailable as a greenhouse gas that can contribute to global warming. Note that you just need to print these documents to get this advantage; you should feel lucky that you don't actually have to read them.