What can we learn from IT standards processes?

09/23/2008
I found an interesting article in today's Times about IBM throwing a bit of a hissy fit because a standards discussion was not going its way. Essentially, IBM is threatening to bail out of certain standards bodies unless they change the way they go about their business. For example, Microsoft's OOXML (Office Open XML) format was submitted to the ISO, via Ecma International, under a so-called Fast Track process, which some opponents believed was too rushed and resulted in a poor-quality standard. Many countries and technical experts questioned the need for another standard document format.

Similarly, people are labeling the PSIA (no, not the Professional Ski Instructors of America; the Physical Security Interoperability Alliance. Geez) the "Cisco Group," and expressing similar concerns, because the essentials of its first recommended specification (I'm going to get to the difference between a specification and a standard) came from a document supplied by Cisco. And this is why this standards discussion can get so murky.

First, the difference between standards and specifications: A specification is a documented way of doing something, issued by an industry group or manufacturer; it is essentially a recommendation, one party's proposal for the best way of doing things. That specification only becomes a standard when an accredited body, like the IEEE or ANSI, vets it, puts it through its paces, and then issues it as an accredited standard.

Second, the murkiness: Say you're a big manufacturer who'd like to get on this whole "open standards" wave, but would still like to retain the dominance in the marketplace that you attained through a semi-proprietary way of doing things. Wouldn't you submit your specification to a standards body and try to fast-track it through, so your way of doing things became the standard and all of your competitors had to play catch-up? And if your competitor did that, wouldn't you, like IBM, cry foul and threaten to take your ball and go home?
So, here are some of the questions: Is Cisco using the PSIA as a puppet, knowing that it's done so much heavy lifting on creating the specification for device discovery that the PSIA member companies would be unlikely to change much and would just generally be happy with it? Is the Sony-Axis-Bosch alliance (sorry, I mean the ONVIF) similar to IBM's fuss-making, or are they really the more "open" discussion?

Here's the essence of the IBM position: IBM's guidelines are based on its belief that open standards increase the range of software products that are interchangeable. Standards prevent one software vendor from capturing a large part of a market by locking users into a proprietary format and limiting their ability to easily switch to another product. Microsoft has long been accused of dominating the market for office productivity programs through its use of closed file formats. Microsoft changed course, however, and put its OOXML format forward to become an international standard, which means other vendors could implement OOXML in their products. But OOXML was criticized for being unnecessarily complex. Microsoft was also accused of pressuring countries to support the standard, which left companies such as IBM fuming. IBM is a long-time backer of ODF (the OpenDocument Format), the competing open standard.

The analogy to security is less than perfect, since standards are much more developed in IT and the security industry is really just beginning to iron things out, but the potential political situation seems kind of similar to me. Long-time backers of standards are going to resent new positions by old vanguards that, no, really, we're totally into this open standards thing. But that doesn't mean the old vanguards lack the ability to write good specifications that would actually be of benefit to the industry.
What's going to be important is that people actually look at the documents being created by the PSIA and Sony-Axis-Bosch (and hopefully it won't come to the point where they're issuing competing specs for device discovery, because that would just seem wasteful) and actually figure out which makes more sense for the security community, rather than just siding with whoever they're friendliest with. That would simply be counter-productive in the long run. We've talked here not too long ago about the benefits of standards, and they seem legion, but no one said the process was enjoyable.