Moving Towards Trusted Identities
Print Issue: August 2011
In an effort to alleviate one of the biggest issues in online security—the problem of secure online authentication—the Obama administration recently issued its final National Strategy for Trusted Identities in Cyberspace (NSTIC). The goal is to partner with private sector entities to implement the strategy; that initiative is being led by the Commerce Department and the National Institute of Standards and Technology (NIST). If it works, it could help reduce online fraud and identity theft and spur commerce, according to government officials. It would be particularly useful for online banking and in protecting sensitive electronic medical records.
But even supporters acknowledge that creating a new set of authentication tools will be challenging and time-consuming. Some organizations and privacy advocates have also expressed concerns about how NSTIC can be developed while adequately protecting consumer privacy and without creating new vulnerabilities for cybercriminals to exploit.
Whatever the challenges, everyone agrees that the initiative is needed because the current system of passwords is insecure and burdensome, said Howard Schmidt, the White House’s cybersecurity coordinator, speaking on NSTIC at the recent Visa Global Security Summit in Washington, D.C. Many people use weak passwords; others use the same passwords for multiple Web sites, he said. Such practices contribute to the growing rate of online fraud and identity theft, he added. For example, the United States experienced approximately $37 billion in losses from such crimes in 2010, according to a recent study by Javelin Strategy & Research.
In describing the government’s new program, Schmidt sought to alleviate privacy concerns, including fears expressed by some that NSTIC would involve consumers providing too much private information to government entities. “This is specifically not a national ID card,” he said, adding that any new systems would also be voluntary. New devices, which could include smart cards or tokens, would work as federated identities in which a person’s identity and attributes are shared across multiple identity management systems.
The specific solutions will not come from the government, he noted, explaining, “We’re looking for your leadership, your entrepreneurship, and your technologies to make this real.”
Another concern is that a national trusted identity program that centralizes large amounts of personal data could create a common point of failure for privacy, according to “NSTIC’s Effect on Privacy,” a paper from Identity Finder, an organization that develops data loss prevention solutions. The paper considers the situation analogous to what happened with the Social Security system.
“U.S. citizens were given a Social Security card, and it took us decades to realize that we should not carry them around in our wallets. Now citizens are being given a more powerful form of identification and being told it is okay to carry it on our phones, tablets, laptops, and computers,” according to the paper.
Providing organizations with relatively large amounts of private information could create the risk of “hyper identity theft,” says Aaron Titus, the paper’s coauthor and chief privacy officer for Identity Finder. And theft is not the only risk to privacy. With so much personal data, organizations charged with collecting data will be under “intense economic pressure” to commoditize it for financial gain, he says.
The paper calls for a federal regulation, currently not part of the NSTIC proposal, which would have “unambiguous and mandatory restrictions” on how NSTIC participants could use sensitive personal information. Creating an effective regulation will be challenging, Titus says, especially with ongoing and rapid developments in areas such as the Internet, application development, and mobile devices. NSTIC will need “the input of privacy advocates at every step of the way,” he says.
Any new types of authentication methods proposed will need to be easy to use, and they will have to offer high levels of trust and assurance around security and privacy, says John Casillas, a senior vice president at the nonprofit Healthcare Information and Management Systems Society, an organization that aims to promote the effective use of information technology in healthcare.
Developing NSTIC will be “a tough thing to do,” said Schmidt. To jumpstart the effort, the government is holding a series of workshops around the United States run by NIST.