June 29 2010
Critics of the White House’s proposed national internet identity authentication plan, intended to improve online privacy and security, say the strategy may do just the opposite.
The National Strategy for Trusted Identities in Cyberspace (NSTIC), unveiled on Friday by White House cybersecurity coordinator and special assistant to the president Howard Schmidt, is intended to enable individuals to voluntarily obtain a secure credential, such as a smart identity card, from public and private sector providers. Under the plan, this credential would be used for online authentication when banking, accessing electronic health records, sending email and making online purchases.
“No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log into various online services,” Schmidt wrote in a White House blog post Friday.
But the focus of this plan is not where it should be, said John Pescatore, vice president and research fellow at Gartner.
“The real issue why there’s successful cybercrime is because we are still using reusable passwords [as opposed to one-time passwords or other strong authentication methods], and that’s the only choice people have,” Pescatore told SCMagazineUS.com on Tuesday. “If you really want to address cybercrime and identity theft, you address what the government can do to minimize the use of reusable passwords versus putting together a complicated framework which will rely on passwords all over again.”
One of the primary goals of the plan is to develop and foster what is referred to as an “identity ecosystem” where users can be confident about the security of their online transactions, while trusting the identity of each other and the infrastructure on which the transaction is running. Under this plan, members of the public would be able to use their multifactor, interoperable credential to authenticate themselves online for various transactions.
A website has been set up where individuals can provide public comment on the draft strategy.
According to a review of the comments, many worry the plan could actually hinder the security of online transactions because it seeks to enable individuals to have a single, centralized identity. This is less secure than multiple identities, many say, as it creates a “single point of failure.”
“This effort will be counterproductive at best and has the potential to cause problems that are orders of magnitude worse than current identity theft issues,” one commenter wrote.
Many others have expressed similar concerns.
“Now, if a black hat hacker hacks this universal access method, they get universal access,” another commenter wrote.
However, one of the plan’s developers, Craig Spiezle, said there has been some confusion as to how the plan is intended to work.
An individual’s identity would be made up of multiple attributes, not all of which would be used for authentication with every transaction, he explained. For example, an individual may have 50 attributes associated with his or her identity, only a fraction of which would be used to complete a transaction with a particular organization. Also, under the plan, identity solutions should be resilient and capable of being restored if compromised.
“It’s not just having a single identity and password – that would be ineffective,” Spiezle, executive director and CEO of the Online Trust Alliance, told SCMagazineUS.com on Tuesday. “Yes, there’s room for improvement, but I think it’s a step in the right direction to address some of the ills we have in the standard username and password.”
Other supporters believe the plan will have a positive impact on cybersecurity.
“Finally we have before us a proposal that can move society forward in protecting individual privacy, and simultaneously create a secure and trustworthy infrastructure with enough protections to be resistant to insider attacks,” Kim Cameron, chief architect of identity in Microsoft’s identity and security division, said in a blog post Sunday.
Meanwhile, Christopher Burgess, senior security adviser at Cisco, told SCMagazine US.com on Tuesday that the plan is a positive step forward and presents a good vision for the future of online transaction security.
“Putting control of an individual’s data in the hands of the individual is an absolute right step,” Burgess said. “It’s really going to have an impact on online crime. When you raise the cost of doing business for criminal elements, then you reduce criminal activity.”
The proposed plan calls for the federal government and private industry to deploy the identity authentication solutions and encourage the deployment of authentication protocols, such as Domain Name Security (DNSSEC), Internet Protocol Security (IPsec), and Border Gateway Protocol Security (BGPSEC), the White House said in a fact sheet about the plan.
Additionally, according to the fact sheet, the plan calls for the federal government to strengthen privacy protections for users of the “ecosystem,” which may be achieved through the passing of new laws. The government would also create a national awareness campaign to promote the importance of cybersecurity and the trusted identities plan.
“A hill they will have to get over is in the education,” Cisco’s Burgess said. “I think that’s going to be one of the most important parts – educating the citizen on the value – if they expect citizen participation.”
For the plan to be successful, citizens must have assurance that their information is under their control and is secured in a reliable manner, he added.
Finally, to manage the identity ecosystem, the government would establish an office to oversee the strategy and an industry advisory council to ensure the long-term success of the ecosystem, the White House said.
The plan was developed collaboratively among government agencies, including the Department of Homeland Security, along with private-sector businesses and privacy advocates.
The White House plans to release a final version in the fall.