Government's best role in an ID ecosystem: consumer
Agency use of commercial products is key to the plan's success
The Obama administration unveiled its National Strategy for Trusted Identities in Cyberspace in April, laying out a vision of an industry-led digital ecosystem to securely manage identities for online transactions. The government’s role in the strategy is that of facilitator, but the scheme’s success might well depend on the government’s willingness to adopt it.
The White House's strategy recognizes this fact.
“The Federal Government must continue to be a leader through its own participation in the Identity Ecosystem as both a subject and relying party,” it says. “Whenever possible, the Federal Government will use existing private-sector Identity Ecosystem solutions rather than developing or operating its own. Moreover, it must not require levels of assurance that are excessive compared to the risk of a given transaction. Through these actions, the Federal Government will encourage the market toward trustworthy and interoperable identity solutions.”
Trusted Identities plan a 'major step' toward securing online transactions
NIST: National ID is not part of 'identity ecosystem'
If agencies follow through on this commitment and become early adopters, it could help achieve the critical mass and trust needed for a successful system of competitive, interoperable credentials. If agencies turn their backs on these offerings, it will be hard to convince companies and consumers to adopt them.
NSTIC’s roots go back to the president’s Cyberspace Policy Review, which recommended the creation of an identity ecosystem that would allow the use of strong, interoperable credentials for online activities. A public draft of the strategy was released in June and the final version was released April 15 at the U.S. Chamber of Commerce in Washington.
The strategy does not define the technology that will be used. The government's role “is to help ensure the outcome,” it says; “the private sector is better suited to ascertaining the means of achieving that outcome.” But it sets out four guiding principles: Identity solutions will be privacy-enhancing and voluntary, secure and resilient, interoperable, and cost-effective and easy to use.
A NSTIC program office being set up and the National Institute of Standards and Technology plans to invite public- and private-sector stakeholders to a series of three workshops this summer, and to select a handful of pilot projects for funding in fiscal 2012.
But the implementation of the Identity Ecosystem will not occur overnight. The office will set near-term benchmarks, for the next three to five years, that will include the establishment of a competitive credentials marketplace. Full implementation is expected to take as long as a decade.
A secure, convenient replacement for current cumbersome password schemes could be a powerful tool to promote the online economy and protect privacy, and in the long run the private-sector applications probably would dwarf those of government. Companies will have to accept the scheme in order for it to thrive.
But in the near term, the government’s willingness to prime the pump in this identity ecosystem by accepting credentials and writing them into acquisition requirements could determine whether the private sector sees it as worthwhile to make the investment in these technologies. If I can use a set of commercial credentials to access my Social Security account, enter a government building or to file my tax return, there is no reason why they should not be accepted by my bank and Amazon.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.