Industry Insights with Neville Pattinson

Moving from Strategy to Reality

National Strategy for Trusted Identities in Cyberspace
In June 2010, the Federal Government took a clear step towards addressing the challenge of protecting online identity. According to the published description, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is focused on:

    "The protection of the identity of each party to an online transaction and the identity of the underlying infrastructure that supports it. This strategy seeks to improve cyberspace for everyone - individuals, private sector, and governments - who conduct business online."

As I have stated before, we are in the middle of a national identity crisis, and the crisis is only getting worse. NSTIC is a solid step in the right direction, but as its title implies, it is a strategy - not an implementation guide. With the vast array of technologies in the market and an online population with limited understanding of what it would take to actually protect online identity, a more definitive guide is needed and will require industry and government to develop standards and certification schemes. But what is the right way forward? What is the best way to protect online identity while still empowering the freedom that is at the foundation of our American experience?

There is strong sentiment in this country going back to the founding fathers to limit government's reach into the personal aspects of our lives. I believe this is why identity initiatives have failed in the past and why we continue to hold to the most insecure form of identity (social security number) printed on the most insecure credential (card stock paper). But the threat has grown and what were once small-time cyber thieves have given way to online organized crime and very sophisticated attacks exploiting the weakness of online identity to commit widespread fraud.

There have been suggestions put forward to simply leave this problem to industry to resolve. The challenge is that this typically would result in many different system implementations based upon individual competitive advantage and stovepipe viewpoints. Any system that is implemented needs to be federated across all identity domains to ensure broad-based adoption from the online community. NSTIC has the potential to outline a framework for federated identity and provide guidance to implement a verification framework. Once established, it would be up to industry to manage the framework, similar to the way domain registration and certificate authorities for secure websites have done for web directories. Only by implementing standards will we achieve interoperability and set a foundation of trust for online identities.

But there still needs to be practical guidance as to how to implement the strategy and how one is to prove who they are in an online world. Over the course of my career, I have been a strong advocate for the safety and convenience introduced through smart card technology. In the context of this issue, smart cards bring the right mix of federated identity, where a person's identity could be validated through one of the many government bodies charged with identity (e.g., Social Security Administration, Department of Motor Vehicles, etc.), coupled with an online framework that would allow for your identity to be verified online. The real value of this type of implementation is that it keeps identity control in the hands of the consumer, and provides strong two-factor authentication of the individual presenting an identity.

While government and industry may be involved in the process of validating and issuing identity credentials, the consumer would have control over how it is used and how much information is communicated. In the case of low-risk online activity, like social media, the person would have the ability to have potentially several personas based on the same core identity. In more stringent environments where child safety (age verification) or financial transactions are involved, a more rigorous enforcement of identity could be implemented (e.g., PIN requirement for two-factor authentication).

This concept has been well vetted within the federal government. In response to Homeland Security Presidential Directive 12, the National Institute of Standards and Technology (NIST) published the Federal Information Processing Standard (FIPS) 201, outlining the standards required for verification of identity for federal employees including the Department of Defense (DOD). Both the Common Access Card and the Personal Identity Verification are based upon this standard, which calls for the use of smart card technology. They both have a proven track record in strong online authentication and securing digital communications.

So how do we take lessons learned in implementing this technology for identity verification and apply it to the broader internet audience? I believe it will come down to standards and certifications being established through organizations like NIST. Once established, industry can respond to provide the online environments where verified identities are implemented. As more of our personal lives are being communicated and stored online (e.g., electronic health records) the need for stronger identity protection becomes paramount. The federal government has an opportunity and obligation to help protect the identity of its citizens. By implementing standards calling for strong identity credentials, like smart cards, and potentially providing funding through grants or other online safety adoption programs, the goal of trust in cyberspace could move from strategy to reality.

Neville Pattinson, CISSP, CIPP, is the vice president of government affairs and business development at Austin-based Gemalto North America. He is the chairman of the Smart Card Alliance and sits on the Department of Homeland Security Data Privacy and Integrity Advisory Committee. He can be reached at neville.pattinson@gemalto.com. Gemalto, the world leader in digital security, last year supplied more than 1.4 billion secure personal devices for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security.


About the Author

Neville Pattinson

VP of Government Affairs & Standards, NA., Gemalto

Pattinson is a leading expert on smart cards and using the microprocessor chip to keep identity credential data and biometrics secure and private. Pattinson has been heavily involved in planning and implementing a number of federal government security initiatives including the Department of Defense Common Access Card (CAC); the State Department's electronic passport; the Western Hemisphere Travel Initiative cards; the Department of Transportation's Transportation Worker Identity Credential (TWIC) and the Transportation Security Administration's Registered Traveler program. Pattinson works closely with the General Services Administration, Treasury, Homeland Security, Veterans Affairs and NASA, which all have smart ID programs underway.