As part of President Obama’s Cyberspace Policy Review, a draft strategy known as the National Strategy for Trusted Identities in Cyberspace (NSTIC) was released to the public for review and comment from June 25 through July 19. Developed in collaboration with key government agencies, business leaders and privacy advocates, NSTIC acknowledges the nation’s need for a trusted online environment, referred to as an Identity Ecosystem, where identities and transactions are protected from growing online security threats.
The government’s proposal would enable individuals and organizations to obtain a security credential (smart card, digital certificate, etc.) from an approved list of public and private providers to authenticate themselves while making online transactions. The ultimate goal of the strategy is to improve identity, security and privacy for those who conduct business online.
Entrust President and CEO Bill Conner submitted the following statements regarding the proposal on NSTIC’s homepage, http://www.nist.gov/nstic/:
- The Government’s Role: Poor user experience is putting a brake on the on-line economy, and identity theft is rampant. For centuries, Governments have played an active role in solving the high-assurance identity problem for their citizens in order to facilitate safe travel and to promote trade. Now it is time to take responsibility for protecting citizens from cybercrime, while taking maximum advantage of technology to enhance their lives.
- No Compromise on Privacy and Security: Security and privacy are the keys to success. While the conventional wisdom may be that low-risk applications can afford to compromise on both of these dimensions, the separation into low and high assurance applications is a false dichotomy. An application may be considered “low risk” from the relying party’s point of view, but a citizen whose identity becomes stolen as a result of weak security or privacy safeguards may disagree that the risk was acceptable. The subject’s security and privacy must be taken seriously in all settings, regardless of the potential for the relying party to suffer loss.
- Solutions Targeted at Improving Citizens’ Lives: It is absolutely essential that developments be, and be perceived to be, honestly targeted at improving the lives of citizens through solutions that respect their privacy and promote their on-line safety. Pursuing this goal is also enlightened self-interest, because anything less will be rejected by users and lead to failure. Some citizens may be suspicious of solutions promoted by governments and large corporations. So great care is required in developing the communications strategy.
- Extended Access Control (EAC) is a mature privacy technology: The EAC protocol suite, which is well established in the ePassport setting, satisfies the well-established privacy principles using a cryptographic certificate in place of (or to supplement) a “trustmark”. The certificate contains an authorization vector that is evaluated by the user’s “wallet” and limits disclosure to just those relying parties that are certified to handle the personal information in accordance with accepted privacy principles and to just those attributes required to complete the task. This suite forms a practical and sound design for the future identity ecosystem and should be carefully considered as an option by the Administration.
- PIV with Privacy Controls: The Administration’s PIV initiative could form a sound basis for an expanded identity ecosystem. However, its existing privacy characteristics make it unsuitable for the broader role. So, some attention to this aspect would be worthwhile.
- Detecting Identity Theft: Technologies for the rapid detection of identity compromise in any part of the ecosystem should be considered, as these can effectively combat cybercrime with little direct impact on the user experience.
- Challenging Landscape: The Administration has set itself a challenging goal. Extreme care is called for because of the complexity, interdependence, and continuous renewal of the underlying technologies that make up the modern Internet and the extensive resources available to criminals that pursue identity theft. A framework for identity and trust management is required that can withstand the rapidly evolving landscape and shifting social mores. In particular, chip and mobile technologies both threaten and enable sound identity solutions, while the social-networking movement is exploring the boundaries of users’ tolerance. A careful course must be plotted around these issues.