More free riding in security
Last week I mentioned how many businesses get a "free ride" on the effort that the US government has put into creating Social Security numbers or that credit card companies have put into creating credit card numbers. In both cases, creating a unique identifier is hard and expensive, so there's a strong incentive to use the unique identifier that someone else has already made instead of creating one yourself.
It turns out that there's another area of information security that's full of people getting a free ride at someone else's expense, and this case is much bigger than what you get with Social Security numbers or credit card numbers. This case covers almost all aspects of information security. It's caused when foreign businesses and governments use the work of the US National Institute for Standards and Technology (NIST) without paying for it.
NIST creates dozens of security standards that cover everything from checklists for secure configurations for operating systems to the details of how to implement encryption securely. And because they're a US government agency, people are free to use these documents without worrying about any annoying copyright issues. And they do.
Is this really a good idea?
Do other countries absorb the cost of creating other standards? Is there some sort of international effort to coordinate the development of standards so that everyone contributes something? Or is the US just contributing its work on security standards while other countries get a free ride at its expense?