NEWS FROM THE 2009 BLACK HAT BRIEFINGS

Better ID assurance is essential for the new online world, DOD deputy secretary says

LAS VEGAS—Just as the Defense Department is getting used to working in a network-centric world, it has begun moving into a newer content-centric environment, said Robert F. Lentz, DOD's chief information assurance officer.

Leveraging interactive Web 2.0 applications and cloud services in a secure way, “that’s the biggest challenge,” Lentz said Thursday at the Black Hat Briefings security conference. “That race is daunting.”

Doing this requires moving from the current whack-a-mole process of static defenses to a more agile, strategy-based take on risk management.

“We are in a paradigm shift right now,” Lentz said. A necessary element in that shift is reducing online anonymity and improving the assurance of identity online. “In my opinion, there needs to be a cyber czar just for identity, because without it, we’re going to be done.”

Lentz outlined recent changes in the world of cybersecurity, saying that the Internet has become essential not only to our economy, but to our national security and well-being. Protecting the online environment is a joint responsibility of government and the private sector, he said.

“We have to think of cyberspace as a global common that touches everything we do,” he said. “Securing the global common is the joint responsibility of everyone.”

Currently, however, the Internet is a “very fragile ecosystem,” he said.

Among the major challenges facing DOD in securing its online presence are deploying Domain Name System Security Extensions and transitioning from IPv4 to IPv6. The department must also leverage virtualization to minimize its attack surface, Lentz said. But the management of identity, which is essential to controlling access and understanding activity online, is the foundation for a reliable networking environment.

DOD operates one of the world’s largest public key infrastructures, based on its Common Access Card, but that technology is not adequate, Lentz said.

“It’s still not easy to use,” he said. Directory services remain an Achilles' heel for DOD, and the department must provide a better system for federated identity management and embrace better multifactor authentication to take advantage of a new environment.


About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Jul 31, 2009 Jim Sullivan Atlanta

As multifactor authentication becomes a core requirement to assure identity, we need to consider several issues with identity:

1. The impact of "Authentication friction" on the usability of systems.
2. How to prevent someone from obtaining multiple identities in order to double dip benefits (e.g. food stamps or assistance), or avoid the repercussions of a bad record (e.g. get a ticket under one license, apply for insurance under another).
3. How to prevent someone from sharing their identity, in order to transfer the benefit to another person (e.g. Health Insurance benefit sharing).

The only means to meet and overcome all three issues is highly accurate, 1 to many capable biometric technologies. Correctly implemented, they reduce authentication friction, can detect and prevent duplicate identities, and bind an identity strongly to a person, preventing identity sharing, even with cooperation.
