Feds seek private-sector leadership on trusted online identities
- By William Jackson
- Feb 09, 2012
Federal funding is being offered to establish an independent steering group to deal with the complex policy and technical issues of implementing the president’s National Strategy for Trusted Identities in Cyberspace.
NSTIC, released in April 2011, envisions a secure, online identity ecosystem with interoperable credentials that could be widely accepted for online transactions. The system would be voluntary, and although the initiative’s program office is located in the National Institute of Standards and Technology, it would be operated with a minimum of government involvement.
“NSTIC made clear that the private sector would be charged with building and operating the Identity Ecosystem,” NIST Director Patrick Gallagher said in releasing a report on implementing the strategy.
The strategy calls for creating a privately led steering group to tackle the job of creating a framework for the identity ecosystem. NIST announced it would issue a notice of funding opportunity for an organization to convene the steering group. Although details of the grant being offered have not been released, the NIST report contains a recommended charter for the organization, which eventually would be self-sustaining, as well as recommendations for its structure and priorities.
Gallagher called the Internet “one of the most transformative creations of modern history” but said it continues to face difficult questions of privacy, security and trust. Existing tools for online authentication often either do not provide adequate security, as with usernames and passwords, or are difficult to implement, manage and use, as with electronic credentials. A framework for managing identity in a way that ensures the security and privacy of both parties in a transaction, while being resilient, interoperable, voluntary, cost-effective and user-friendly, is seen as key to solving these problems.
Because the infrastructure supporting the Internet and online activities is owned primarily by the private sector, and because of public wariness about the possibility of government introducing a national ID, responsibility for creating and implementing an identity ecosystem is being left to the private sector. The government will help coordinate standards-making and policy development activities in conjunction with the private sector, but companies will develop and implement the technology. The strategy does not define the technology to be used.
The report is the product of a workshop and a notice of inquiry NIST published in June 2011. Key recommendations for the steering group include:
- Steering group initiation: The Identity Ecosystem Steering Group should be established as a new organization in the private sector in conjunction with, but independent of, the federal government. Government can jump-start this through a competitive grant for funding, but the group eventually will become self-sustaining.
- Steering group structure: The government recommends two bodies, a plenary and a management council. The plenary would be a large body with working groups and committees for conducting the work of establishing and adopting standards, policies, and procedures to govern the Identity Ecosystem. The management council would be a smaller group responsible for providing strategic guidance, resources and supervision to the plenary.
- Stakeholder representation: All stakeholders should be effectively represented and advocated for. A number of safeguards are recommended to ensure balanced representation: a privacy coordination committee, an ombudsman, transparent operating principles, and one vote for each stakeholder group.
- International coordination: Given the global nature of online commerce, the steering group should coordinate with representatives from international identity efforts, standards development organizations, trade organizations, and the international departments of member entities. It also should promote international participation.
William Jackson is a freelance writer and the author of the CyberEye blog.