Trusted online identities plan hinges on collaboration
NSTIC director says strategy needs input of public, private sectors
SAN FRANCISCO — The National Strategy for Trusted Identities in Cyberspace is expected to be finalized in the next few weeks, and its success will depend on the collaboration of a wide range of stakeholders in both the public and private sectors, information security officials said Feb. 15 at the RSA Security Conference.
“Collaboration is going to be at the core of the strategy,” said Jeremy Grant, newly appointed director of the NSTIC National Program Office. “We can’t do this ourselves, and we really don’t want to.”
The goal of the strategy is creation of an identity ecosystem that will make flexible, voluntary and easy-to-use tools for online identity authentication widely available. This is seen as a key to ensuring the viability of the Internet as an economic driver.
One of the challenges to encouraging adoption of the plan is the concern that NSTIC will involve an online national ID. Countering this fear will require the involvement of industry in making a variety of technologies available and adopting their use.
White House Cybersecurity Coordinator Howard Schmidt said at the conference that the government intends to use its “convening powers” to bring private industry to the table to address these issues. The plan does not envision a single credential and need not threaten privacy, Schmidt said.
“Trust does not mean you know everything about everybody,” he said. The NSTIC ecosystem envisions selective use of credentials as appropriate.
On Tuesday, Grant was in his second day on the job as head of the program office, which has not been formally set up yet. It was announced two weeks ago that NSTIC would be established in the Commerce Department. Once the office is set up and the strategy has been signed, Grant said, his first task would be to identify government stakeholders to participate. These probably will include the General Services Administration, which oversees the government’s federated identity programs, as well as technology providers and relying parties.
As for plans for identifying and bringing companies to the table, Grant could say only, “stay tuned.” That is a job he has not yet worked out.