Moving from Strategy to Reality

National Strategy for Trusted Identities in Cyberspace
- "The protection of the identity of each party to an online transaction and the identity of the underlying infrastructure that supports it. This strategy seeks to improve cyberspace for everyone - individuals, private sector, and governments - who conduct business online."
As I have stated before, we are in the middle of a national identity crisis, and the crisis is only getting worse. NSTIC is a solid step in the right direction, but as its title implies, it is a strategy - not an implementation guide. With the vast array of technologies in the market and an online population with limited understanding of what it would take to actually protect online identity, a more definitive guide is needed and will require industry and government to develop standards and certification schemes. But what is the right way forward? What is the best way to protect online identity while still empowering the freedom that is at the foundation of our American experience?
There is strong sentiment in this country going back to the founding fathers to limit government's reach into the personal aspects of our lives. I believe this is why identity initiatives have failed in the past and why we continue to hold to the most insecure form of identity (social security number) printed on the most insecure credential (card stock paper). But the threat has grown and what were once small-time cyber thieves have given way to online organized crime and very sophisticated attacks exploiting the weakness of online identity to commit widespread fraud.
There have been suggestions put forward to simply leave this problem to industry to resolve. The challenge is that this typically would result in many different system implementations based upon individual competitive advantage and stovepipe viewpoints. Any system that is implemented needs to be federated across all identity domains to ensure broad-based adoption from the online community. NSTIC has the potential to outline a framework for federated identity and provide guidance to implement a verification framework. Once established, it would be up to industry to manage the framework, similar to the way domain registration and certificate authorities for secure websites are managed today. Only by implementing standards will we achieve interoperability and set a foundation of trust for online identities.
But there still needs to be practical guidance as to how to implement the strategy and how one is to prove who they are in an online world. Over the course of my career, I have been a strong advocate for the safety and convenience introduced through smart card technology. In the context of this issue, smart cards bring the right mix of federated identity, where a person's identity could be validated through one of the many government bodies charged with identity (e.g., Social Security Administration, Department of Motor Vehicles, etc.), coupled with an online framework that would allow your identity to be verified online. The real value of this type of implementation is that it keeps identity control in the hands of the consumer and provides strong two-factor authentication of the individual presenting an identity.
While government and industry may be involved in the process of validating and issuing identity credentials, the consumer would have control over how the credential is used and how much information is communicated. In the case of low-risk online activity, like social media, the person would have the ability to have potentially several personas based on the same core identity. In more stringent environments where child safety (age verification) or financial transactions are involved, a more rigorous enforcement of identity could be implemented (e.g., a PIN requirement for two-factor authentication).
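As an added illustration of the persona model in the paragraph above (not code from the original post, and not any NSTIC or FIPS 201 implementation): each relying party receives a pseudonym derived from a core secret that stays on the card, possession of the card alone suffices for low-risk sites, and a PIN is demanded as the second factor before any verified attribute is released for high-risk transactions. The secret, PIN, attributes and tier names are constructed sample values.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample values standing in for what a smart card would hold and never release.
CORE_SECRET = b"constructed-sample-card-secret"
CORE_PIN = "1234"
CORE_ATTRIBUTES = {"over_18": True, "legal_name": "Sample Holder"}

LOW_RISK, HIGH_RISK = "low", "high"


def persona_for(relying_party: str, core_secret: bytes = CORE_SECRET) -> str:
    """Derive a relying-party-specific pseudonym from the core identity.

    Each site sees a stable identifier for the same holder, but identifiers
    from different sites cannot be linked without the card's secret.
    """
    mac = hmac.new(core_secret, relying_party.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def authenticate(relying_party: str, risk: str, card_present: bool,
                 pin: Optional[str] = None) -> dict:
    """Apply the tiered policy and return only the claims the tier needs.

    Low risk (e.g. social media): possession of the card is enough and only the
    pseudonym is released. High risk (age verification, payments): the PIN is
    also required, and one verified attribute is released, still under the
    pseudonym rather than the core identity.
    """
    if not card_present:
        raise PermissionError("something-you-have factor missing")
    claims = {"subject": persona_for(relying_party)}
    if risk == LOW_RISK:
        claims["assurance"] = "card-only"
        return claims
    if risk == HIGH_RISK:
        if pin is None or not hmac.compare_digest(pin.encode(), CORE_PIN.encode()):
            raise PermissionError("high-risk transaction requires the PIN (second factor)")
        claims["assurance"] = "two-factor"
        claims["over_18"] = CORE_ATTRIBUTES["over_18"]  # minimal disclosure: no name released
        return claims
    raise ValueError(f"unknown risk tier: {risk}")
```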
This concept has been well vetted within the federal government. In response to Homeland Security Presidential Directive 12, the National Institute of Standards and Technology (NIST) published Federal Information Processing Standard (FIPS) 201, outlining the standards required for verification of identity for federal employees, including the Department of Defense (DOD). Both the Common Access Card and the Personal Identity Verification card are based upon this standard, which calls for the use of smart card technology. They both have a proven track record in strong online authentication and securing digital communications.
So how do we take lessons learned in implementing this technology for identity verification and apply it to the broader internet audience? I believe it will come down to standards and certifications being established through organizations like NIST. Once established, industry can respond to provide the online environments where verified identities are implemented. As more of our personal lives are being communicated and stored online (e.g., electronic health records), the need for stronger identity protection becomes paramount. The federal government has an opportunity and an obligation to help protect the identity of its citizens. By implementing standards calling for strong identity credentials, like smart cards, and potentially providing funding through grants or other online safety adoption programs, the goal of trust in cyberspace could move from strategy to reality.