Internet ID system challenge: Balance security and privacy
Commerce to lead national strategy for identity management, but private sector must build it
A national program management office will be set up in the Commerce Department to oversee development and implementation of a secure “identity ecosystem” that will be outlined in a National Strategy for Trusted Identities in Cyberspace, the Obama administration announced Friday.
Commerce Secretary Gary Locke made the announcement during a symposium at the Stanford Institute for Economic Policy Research at which the groundwork was laid for the public- and private-sector partnership that will be needed for the initiative.
Locke said there were an estimated $41 billion worth of online consumer transactions in the third quarter of 2010, up 14 percent from the previous year. But despite its growing importance to the national economy, “the Internet still faces something of a trust issue,” he said. Online fraud and crime are growing, and identity management schemes to protect privacy and secure online transactions often are unwieldy and inadequate.
National strategy for identity management nearly done
ID management's weakness: Few want to use it
The administration is addressing this issue in the National Strategy, the final version of which will be released “in the coming months,” Locke said. The strategy will outline a system for online identity management that will be voluntary, competitive and diverse.
But the government faces trust issues of its own, said James Dempsey, the Center for Democracy and Technology’s vice president for public policy.
“The government cannot create that identity infrastructure,” Dempsey said at the symposium. “If it tried to, it wouldn’t be trusted.”
Government and industry officials and privacy advocates agreed that while government leadership is needed for creating a trusted identity ecosystem to support online activities, it will be the private sector that must develop and adopt it.
The online world has been recognized by the Obama administration as critical to U.S. security and economic well-being, and the National Strategy for Trusted Identities in Cyberspace is part of a broader effort to improve the nation’s cybersecurity posture. A draft strategy released in June, calls for an interoperable, voluntary scheme for identity verification that enhances both the security and privacy of online transactions. The strategy does not define the technology to be used but sets out four guiding principles:
- The identity solutions must be secure and resilient.
- They must be interoperable.
- They will be voluntary.
- They must be cost-effective and user-friendly.
The first action called for in the draft was to “designate a federal agency to lead the public-/private-sector efforts,” which was done with the announcement that Commerce would house the program management office.
Although the strategy is not likely to specify what the forms of trusted identity will be, Locke was clear about what it would not be.
“We are not talking about a national identity card,” he said. “We are not talking about a government system.”
The identity ecosystem most likely would be built on existing technologies that include digital certificates, tokens and other identity schemes such as passwords, coupled with a trust framework that would allow sharing of credentials across domains.
The challenge will be in implementing the technology in a way that is scalable and manageable both for end users and organizations. Schemes also must be easily adaptable to transactions requiring different levels of security and assurance. The requirements are to limit the amount of information used in a transaction to only that which is needed to secure that particular transaction and to retain no more information than is necessary and for no longer than is necessary to ensure the privacy of the user.
No single set of credentials or form factor will be required or would be adequate in themselves, said White House Cybersecurity Coordinator Howard Schmidt. Users would be able to choose which, if any, forms of ID to use for an online activity. Secure, interoperable ID is not the final answer to online security, Schmidt said.
“This is not a panacea; this is one small piece of everything we’re looking at,” he said.
Schmidt emphasized that the private sector must lead implementation of the strategy but that the private sector has acknowledged the need for government leadership because of the lack of security in the current online environment.
“We’ve created an environment in which there is a low risk and high reward for criminals” and for terrorists, said Dave DeWalt, CEO of McAfee. “We’ve seen an exponential increase in malware and the amount of crime.”
Although he warned against government regulation of consumer identity, Dempsey said one area in which congressional action would help is passage of a federal consumer privacy bill that would establish baseline protections, such as those in the European Community.
“That has to be part of the picture,” he said. “It should be addressed legislatively.”