Saturday, November 13, 2010

Certification, Licensing, and Accreditation in Digital Forensics

Considering the subject matter that I’m going to be wading into with this blog post, I want to start off by doing some full disclosure.  I’m a member of the Board of Directors for the Consortium of Digital Forensics Specialists (CDFS) and I’m also in the orbit of the SANS Institute. I’ve done both volunteer and paid work for SANS and the Global Information Assurance Certification (GIAC). I’m hoping to teach my first Community SANS class for them sometime in 2012 which would be a paid engagement.  As always, I speak only for myself on this blog and what I write does not necessarily reflect the views of any organizations that I’m associated with such as CDFS or SANS.

Some of the hottest topics of discussion in the digital forensics community are the issues of certification, accreditation, and  licensing.  In fact, one of the most common errors that I see in these discussions is confusing the terms and their goals.  In the digital forensics community, these terms have specific meanings that I would like to try and define up front.

Certification takes the form of an outside entity who certifies that an individual has met some sort of minimum standard of competency in an area of digital forensics.  The entities that do this inside of the digital forensics community are legion and include organizations such as the International Society of Forensic Computer Examiners (ISFCE), the International Association of Computer Investigative Specialists (IACIS) and GIAC.

Accreditation, for the purposes of this discussion, is an outside entity such as the Forensic Science Accreditation Board (FSAB) or American National Standards Institute (ANSI) who through an accreditation process validates that a digital forensics certification or organization meets its minimum standards. For example, GIAC has several of its certifications accredited by ANSI including the GIAC Certified Forensic Analyst (GCFA) certification. There are several entities such as the Digital Forensics Certification Board (DFCB) and IACIS who are interested in pursuing FSAB accreditation.

Licensing is a government entity regulating a particular profession in such a manner that it becomes unlawful to engage in certain professional activities without a license. There are a whole host of professions that are regulated in this manner to the extent that a person needs government permission to engage in activities such as private investigation, practicing medicine, cutting hair, giving therapeutic massages, and a long list of other activities.

Two out of the three of these things are good ideas for the digital forensics community. Certification of practitioners and the accreditation of the bodies that certify them are vital to professionalizing the industry and helping us progress as a community. The licensing of digital forensics practitioners is a bad idea regardless of whether digital forensics practitioners are required to be licensed as private investigators or specifically as digital forensics examiners.

I’m not an absolutist when it comes to licensing. I understand that in certain limited cases pertaining to critical issues such as public health and safety, there is an important role for government to play in regulating certain activities. However, it’s important that we as a community understand that the history of professional regulation has not been a rosy one. Much of what we see here in the United States relative to professional licensing is just a modern day version of the guild system where professions use licensing to keep out competition and control the market.

The common case that is made by those who support the licensing of digital forensics is that it will somehow increase professionalization by weeding out those who are unethical or incompetent. This gets into a common mistake that is made by supporters of licensing which is to assume that licensing is a measure of competency. While it’s true that licensing arrangements frequently mandate some sort of training in the professional area, this is not necessarily a measure of professional competence. In the cases when testing is performed as part of the process, it is generally used to validate regulatory knowledge rather than professional competency. It’s that mandatory training requirement (if one exists) that allegedly ensures professional competency. Not coincidentally, it’s also what is used to establish the modern day guilds that we see in professions like law, medicine, and even massage therapy.

Because digital forensics is a convergence of technology and law, we already have measures in place that protect the public from unethical and incompetent examiners and methods.  We have standards like Daubert and an adversarial legal process that has well established methods of vetting those who would act as expert witnesses during legal proceedings.  Licensing of digital forensics people is unnecessary in the face of well known and accepted gatekeeping processes for legal proceedings. 

Not only is it unnecessary, but it’s harmful for both the profession and the public. This is because licensing will likely result in a digital forensics guild system where the government will decide who can practice digital forensics and who can’t. It will do this without much serious thought to the issue of professional competency, which is the banner under which proponents of digital forensics licensing frequently rally.

One argument is that a digital forensics licensing system can be established that would provide for competency assurance by requiring that licensees have a certification in digital forensics from an approved entity.  This is unhealthy for the community because it could very well result in the various certification organizations having to put a lot of time and money into lobbying the various government entities to allow their certification to be one of the approved certifications.  It gets worse if a government regulatory body were to decide that they were only going to accept one digital forensics certification as the standard for licensing.  That will put the certification bodies in direct adversarial competition with each other to make themselves the standard for that regulatory body.

There also is the issue of law not keeping up with technology which is a frequent occurrence in the digital age.  Even if I were to allow myself to be swayed by some siren song of licensing, how does state specific licensing work here in the United States?  Licensing systems are generally done at the state level.  Digital forensics is very much an interstate and international issue.   What if you have a case that requires you to engage in regulated activities in many states where a license is required for each one?  What if each of those states not only requires a license, but they also require different digital forensics certifications as part of that licensing process?

We don’t need a modern day digital forensics guild system. We are capable as a community of regulating ourselves through collaborative efforts like the CDFS, the various well established and respected organizations like ISFCE and IACIS, and through the legal system’s standards in vetting people who provide testimony in legal proceedings.

Just say no to digital forensics licensing.

Certification and accreditation are something that we should embrace as a community in part to help ward off any licensing efforts by the government.  This should be an area of common ground between those who support licensing and those who support industry self-regulation.  For example, if one supports licensing of digital forensics professionals as a way to ensure basic competency, there has to be some sort of competency testing component to that process. That component can be achieved by professional certification through the various digital forensics certification bodies.

If we are going to be taken seriously as a profession, we ourselves have to take our profession seriously. That means coming together as a community to establish minimum standards of competency for digital forensics examiners and providing methods by which examiners can show that they have met these standards. We have many respected organizations who have spent a lot of time and effort doing that very thing and, judging by the number of people I see who hold digital forensics certifications, we have embraced those efforts as a community.

It’s important to understand that certification does not mean mastery. It just means that an outside organization has validated that an individual has met the minimum standards as defined by the organization. In fact, certification doesn’t necessarily even mean professional competency. Ask any digital forensics hiring manager and they will be able to provide you with stories of certified applicants who failed their hiring process because of a lack of technical competency. Doing a week of digital forensics training and then obtaining a certification doesn’t mean that someone is necessarily a competent digital forensics examiner, but it’s a start, especially for someone who is interested in getting into the field.

Accreditation is a key component of certification. It’s essentially the certification bodies being certified themselves by a trusted outside entity such as the FSAB or ANSI. As a community, we should be pushing the various certification organizations to advance the cause of digital forensics professionalism by pursuing accreditation. We should do this because our professional organizations and their associated certifications will be taken more seriously if these organizations can show that they are following industry standard practices when it comes to the credentialing of digital forensics practitioners.

GIAC went the ANSI route and I think that means that the GCFA certification might be the first digital forensics certification that has achieved accreditation from a well recognized standards organization.

I know IACIS (I’m an associate member) is interested in pursuing FSAB accreditation. That’s great to see because IACIS has spent a lot of time and effort making their CFCE certification into a well respected certification in the digital forensics community. They recently made the decision to open up that certification process to those who aren’t members of IACIS which is part of what needs to happen for FSAB accreditation. The FSAB prohibits membership in an organization as a requirement for certification. I’m not sure when the certification will be available to the public, but IACIS is working on getting that done.

One of the primary premises behind the DFCB is to establish an industry standard digital forensics certification that would achieve FSAB accreditation. This effort hasn’t gone all that smoothly, unfortunately. The “Founders” Digital Forensic Certified Practitioners (DFCP) process that I went through to achieve my DFCP certification was disorganized and understaffed. Since that time, I haven’t seen much in the way of improvement when it comes to communication and organization on the part of the DFCB. They haven’t been very good when it comes to communication of what is going on with the organization and what progress is being made towards their ultimate goals. Transparency hasn’t been a hallmark of the organization. For example, I would like to know who makes up the various committees. The website lists who leads their committees, but not who the members are, what the committee goals are, and what progress has been made towards those goals. Early in their history they posted some documents of this nature pertaining to early organizational meetings, but that has not occurred in some time. I’ve yet to find a DFCP certified person who is happy with the organization. They mean very well, but they’ve clearly had some trouble when it comes to communication and execution. I’m hoping things will get better for them as they pick up some momentum because their stated goals are laudable. I would also like to see at least one digital forensics organization achieve FSAB accreditation.