Limited Government: Path to NSTIC
Fed's NSTIC Point Man Jeremy Grant Explains Government's Role
Before joining NIST, Grant helped draft the legislation that laid the groundwork for the Department of Defense and General Services Administration smart card and PKI efforts.
Unveiled by White House Cybersecurity Coordinator Howard Schmidt, NSTIC aims to create a trusted, online ecosystem that would let users obtain a single credential as a one-time digital password - in the form of software on a mobile device, a smart card or token, for instance - to transact business safely over the Internet.
The proposed system would solve authentication issues, such as anonymity, privacy, and user authentication, including passwords, which Grant says "aren't quite what they used to be."
An important role for government is to be an early adopter of NSTIC authentication credentials. Grant says the first credentials to be offered through NSTIC likely won't be available till at least mid-decade.
With NSTIC, there would be different credential providers who would supply users with technology that would be more secure than the usernames and passwords used today. The initiative is also designed so that customers could obtain multiple credentials and use them for different purposes, depending on the kind of transaction.
With the issue of privacy, the trend for a few years was for the user to provide a great deal of information. "You don't have a whole lot of control over what you actually have to provide ... or how it's being collected, used, or shared," Grant says.
"We're trying to put more choice and control back in the hands of the consumer," he says.
In an interview with GovInfoSecurity.com's Eric Chabrow, Grant also explains:
- How NSTIC would work;
- Who would issue credentials;
- How IT security practitioners can help develop NSTIC.
Grant began his career as a Senate aide, where he helped draft the legislation that laid the groundwork for the Department of Defense and General Services Administration smart card and PKI efforts. Afterward, Grant worked at the government services firm Maximus as head of its security and identity management practice and Washington Research Group as an identity and cybersecurity market analyst. Before joining NIST, Grant served as chief development officer for the consultancy ASI Government.
A graduate in biology and political science from the University of Michigan, Grant is a former co-chair of the identity management committee at TechAmerica, an IT industry lobbying and trade group.
NSTIC's PurposeCHABROW: What is NSTIC and how would it work?
GRANT: NSTIC is the National Strategy for Trusted Identities in Cyberspace. It was produced by the White House and released on April 15th. It's essentially focused on how we can, as a country, better enhance online choice, efficiency, security and privacy in all the transactions that we do every day online. It's trying to solve a couple of different issues.
The first is passwords, which are what most of us use as our authentication layer when we go online for transactions. They aren't quite what they used to be and in fact it's questionable whether what they used to be was anything that's good. If your 25 different passwords are all complex, in which case you're writing them down and carrying them in a wallet or notebook, it's not overly convenient. It's not overly secure. Or they're all using the same one or two passwords for everything they do online, which creates all sorts of different vulnerabilities if that one password is stolen. And we start talking to a lot of different people in the industry about how common that is and what the impact is.
The second issue we're trying to address is how people still don't know that you're a dog on the internet - and in some circumstances that's perfectly acceptable. There are a lot of things we do online, whether it's just surfing the web or engaging in low risk transactions, where nobody needs to know who you are so long as you can pay or log in online, or conferencing on a blog where you can be unanimous or even be going online under a pseudonym. Businesses and government would like to be able to move more high value transactions online and they can't because of the risk it involves. As a result, there are things you could be doing online today that continue to require paper signatures and waiting in line at offices.
The third thing we're focused on is the enhancement of privacy. Some of the trends over the last few years were providing more and more information everywhere you go. You don't have a whole lot of control over what you actually have to provide in order to engage in a transaction, or how it's being collected, used, or shared. We're trying to put more choice and control back in the hands of the consumer.
The NSTIC is a strategy that is focused on all three of those. It looks at its core. How can we come up with a system, an identity ecosystem, which would be a very large, vibrant, and diverse marketplace of different credential providers that could get you technology that would be more secure than the usernames and passwords that we use today? There has been a lot of talk about it being a single identity. It's important to note there's nothing in NSTIC that would actually encourage or mandate that people have only one single identity. There is going to be something for if you wanted to have a single credential for a single sign-on purpose. But NSTIC is also designed in a way that you could obtain multiple credentials and use them for different purposes depending on the kind of transaction you're engaged in.
Limited Government in NSTICCHABROW: What is the government's role in NSTIC?
GRANT: One is to convene. For years, NIST has helped to bring together different stakeholders outside of government to forge consensus standards and best practices on a variety of technologies, including work we've done around cybersecurity and identity management.
The second role of government is to be an early adopter. By agreeing to accept them for different transactions online and being a party to some of the contracts that will govern their views, we can catalyze a whole new range of different technologies being used by the rest of the country as they go online.
CHABROW: Is there a role for government in governing NSTIC once these credentials are out?
GRANT: Our vision is that this is an area where the private sector could lead. The strategy specifically calls for the establishment of a steering body for the identity eco system we want to create. It would be led by the private sector, and to be clear by the private sector we don't just mean industry. We mean the broader range of non-government entities which would include advocacy groups for things like privacy and consumer interest, non-profit, academia, and other organizations that are out there. We will play a big role in helping to stand that up over the first few years and do whatever we can to create the standards and best practices that will govern NSTIC. Ultimately, we think this is something that ought to be led by the private sector. Having said that, there could certainly be some areas where government plays a role in enforcement. We're still in the early stages and need to delve into it quite a bit more.
CHABROW: Is there an example of the kind of organization that could be set up to govern NSTIC existing in some other area today?
GRANT: About 15 years ago the federal government, along with other stakeholders, thought that we shouldn't have paper food stamps or welfare checks anymore. When was the last time you actually saw somebody at the supermarket with paper food stamps? They swipe a card that goes through the point-of-sale (POS) terminal, the same as you use for your Visa or MasterCard. The card is their food stamps, and it has a logo on it that's called Quest. The U.S. Department of Agriculture, which oversees food stamps, worked with a group called the North America Clearing House Association (NACHA), which maintains the technical standards and operating rules for how bank cards work, and asked them to form what was known as the electronic benefits transfer (EBT) counsel. They brought in different stakeholders, from technology providers, people who made point-of-sales terminals, the retailers who accept them, consumer advocates, privacy advocates, the advocates for the poor, the banks who have a lot to do with how that system works; really anybody else who had a stake in it. (NACHA) facilitated the creation of the standards and operating rules that enabled the elimination of paper food stamps and moved everything toward the bank-card system. That's just one example of what the government has done before and we're currently studying a number of different governance model and trying to figure out what the best one should be.
CHABROW: Our audience primarily consists of IT security professionals working in government, banking and healthcare. What aspect of NSTIC should be important to them?
GRANT: What NSTIC will offer all of those different stakeholder groups is an ability to help solve whatever identity and security challenges they're facing today without actually having to issue credentials themselves. And there are some banks that will issue more secure technology and passwords. For example, my stockbroker gives me a one-time password generator for free because somebody there has done the calculation. They think that people like me will care about the added security and be loyal to them, which in fact for my personal case is true, or the values of the transactions I'm engaging with them are at a high enough risk profile that they simply need to provide this in order to protect themselves, which is also true.
The problem with that credential is it's pretty expensive. Its single use is not inter-operable anyplace. There are a lot of companies who would like to be able to take advantage of a customer base that's carrying ways to strongly and reliably authenticate their identity online. But they don't have the money to spend or the ability to put the technical infrastructure in place. What NSTIC aims to do is create a vibrant identity ecosystem where there're multiple providers out there coming up with innovative ways to get into the hands of Americans. Suddenly you have a customer base that has options to authenticate beyond the username or password that they'll issue you. That means you don't have to deal with issuing the new credential or the new password. This helps the cost go down. Most studies show an average of $25 to $70 on password resets. You'll have more assurance that essentially you're not the dog on the internet; if you need to know more about a person, you'll have some assurance that they are who they say they are.
CHABROW: What's the timetable for NSTIC?
GRANT: It's tough to say right now because this was just released last week and our implementation efforts are just getting underway. Most of us who have been working on the product think this is going to take some time to bring different folks together and forge the consensus standards, not to mention once standards are in place allow for the market to have a little bit of time to develop on its own and embrace the standards and rules. Our take is that in 2 to 3 years we should have most of the baseline rules and standards in place. Beyond that it'll be 3 to 5 years to start having the signs where we could consider a vibrant identity ecosystem emerging across the country.
CHABROW: With the market-based approach in implementing this, do you expect there may be some credential providers? Perhaps there are people out there now who would be offering credentials?
GRANT: There are a healthy number who will enable you to get stronger credentials today. Google for example recently created a free one-time password generator that you can download in just a few minutes to your Blackberry, iPhone or Android phone that can be used as a second factor of authentication when logging into Gmail or any of the other services with your Google account. There are other companies like Symantec that have made credentials available for several years that will work with a variety of private sector-reliant parties. But it's a limited number and thus because there is not a huge network that you can use it with, it doesn't necessarily have the value that something like Google could have if everybody in the country took it.
The value that NSTIC brings is if you can build a framework of standards that will ensure inter-offerability, these credentials that are frequent with technologies today can be used any place you go, and it becomes a lot more worthwhile for you to have one. And we think the uptake will be much more significant at that point.
NSTIC vs. Global EffortsCHABROW: The internet is global obviously. What is being done in the same arena elsewhere in the world and how does what we'll be doing here in the United States work with those initiatives?
GRANT: NSTIC is a really unique strategy relative to the way the rest of the world has tried to solve this, which has generally been through the issuance of government sponsored identity cards, or national IDs. It's a model that NSTIC specifically rejects because we've been through that debate here several times and it's not something we want to do. From the U.S. government's perspective, there are some noticeable privacy and civil liberty issues when you have the government essentially becoming the single issuer of identity credentials. You're also at that point locking into a single technology which the market continues to innovate, but it doesn't other innovations in this space to get a foothold in the market. It's just not a model that we're overly interested in. To that extent, if we need to be compatible with national ID programs we will certainly engage where possible and with the standards for around the world - but it is a fundamentally different model.
What has been interesting is the level of expression we've gotten since announcing the NSTIC from other countries who in many cases are looking where they spend a lot of money on issuing a national ID. And they find nobody is really using it because it was designed by the government for a specific purpose and doesn't actually fit with what consumers want to use. With the model we've made up with NSTIC, you'll have a number of private sector issuers leading the way and allow room for a multitude of different technologies, letting people in the marketplace chose which one makes the most sense for them. It's something that's going to make a lot of sense going forward.
CHABROW: Is there any concern that there may be too many different kinds of offerings that could be confusing to the internet user?
GRANT: You can certainly run into that if you have several dozen different varieties to choose from. On our side, from what we're seeing we think there will be several models that emerge pretty quickly. As for being one that will make sense for everybody, especially given how we're moving toward more mobile devices, having something like what we've seen several companies offer which can be stored automatically on your mobile phone seems to make a lot of sense. I wouldn't say we're in an area where we think giving choices to consumers is a bad thing. If anything, we're eager to see a number of different technologies emerge and let the marketplace decide which is the most compelling to be adopted.
CHABROW: Anything we should be thinking about now about NSTIC that we didn't address in this conversation?
GRANT: The president has proposed $17.5 million in the FY12 government budget to fund pilots that could test out different use cases that are envisioned for NSTIC, try different architectural approaches, perfect some of the different concepts and hopefully provide a foundation that we could build NSTIC on going forward. So we'll be looking to the private sector for interesting ideas in a few months for what a pilot should look like. At some point in the next few months we will be putting out criteria for pilots and set up a formal proposal process to get input and suggestions from people.
CHABROW: And those interested in participating, how do they get in touch with you?
GRANT: The easiest way to stay in touch with us is through the website for NSTIC, www.nist.gov/nstic. We keep a lot of information there. We're continually updating the web page each week.