
Apr 18, 2011, 1:14pm

The Verdict: White House National ID Security Strategy

by Margaret Weichert

The Basics – NSTIC and The Identity Ecosystem

On April 15, the White House announced the National Strategy for Trusted Identities in Cyberspace (NSTIC) – a long-awaited framework for enhancing online security while, in theory, maintaining privacy, efficiency and consumer choice. The NSTIC paper outlines a public/private sector cooperative effort to develop and implement an Identity Ecosystem. The proposed strategy promises to address the often competing challenges of maintaining a secure environment – balancing security, privacy, consumer convenience and accessibility, and cost.

The National Institute of Standards and Technology (NIST) would be tasked with designing the Identity Ecosystem. Meanwhile, a newly-formed National Program Office (NPO) would be responsible for coordinating activities needed to implement the NSTIC. This NPO would be accountable to the President via the Department of Commerce and would be charged with facilitating dialog between representatives of industry, academia, standards organizations and civil society organizations to balance the challenges of this task.

Even at this early stage, a range of players are lining up in support of this new strategy, while others express deep reservations and concerns. Google, Verizon, PayPal and AT&T have each come out in support of the initiative, responding to the promise of easier solutions for consumers that enhance confidence in emerging online and mobile solutions, without adding onerous new security challenges that might turn away consumers. On the other side of the debate, a range of privacy, security and consumer advocates all caution about the potential for this initiative to drive a false sense of security, while actually aggregating data in ways that make identity theft even more dangerous and also posing increased potential harm to civil liberties.

The Challenges

The problems of balancing security, privacy, convenience and cost are the intractable and perennial challenges that all information security advocates face as a matter of course. As a result, many seasoned IT and Infosec professionals are skeptical about the prospects for the White House’s latest proposal. Mark Gibbs of Network World bluntly summed up what many in the Infosec community are thinking when he wrote, “The wonks at NIST think they can do what enterprises with far more experience in hardcore IT have learned the hard way; that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizens, it would be effectively impossible!”

I am not a hardcore IT expert, so I can’t speak to whether the task at hand is impossible. What I can say is that there are a number of distinct and daunting tasks ahead of NIST, the NPO and their private sector counterparts. The ones that seem most challenging to me are the following:

Managing identity source data – One of the most challenging aspects of building an Identity Ecosystem in the United States comes down to the fact that source identity documents (birth certificates and driver’s licenses, etc.) are issued locally by a fragmented array of thousands of city, county and state agencies with varying standards. Most of those records originate in paper form with signature-based authentication and no method of electronically authenticating the validity of those source credentials. The current “birther” debate about the validity of President Obama’s own Hawaiian birth certificate highlights the challenges of basing a sophisticated identity system on a relatively unsophisticated paper-based identity environment. Even the federal government’s own Social Security Administration process is easily circumvented by individuals seeking to create identities eligible to work “legally” in the United States.

Under the NSTIC, the challenge of identity source data validity becomes compounded. New entities, including schools, employers, banks, Internet service providers and a range of other private sector entities, all become eligible to create valid identity cards. In this environment, the validity of the identity issuer becomes a potential problem, particularly without clear standards/laws about who can issue credentials.

Potential for “Hyper Identity Theft” – Another major concern about the proposal is the fact that the Identity Ecosystem might actually “commoditize consumer identities,” leading to capture, storage and aggregation of massive quantities of previously unrelated, and highly sensitive, consumer data. These “treasure troves” of data that combine healthcare, financial and other sensitive data would be attractive targets for criminals. Consequently, underlying issues of data security would become even more essential, both for companies that house aggregated data and for consumers who might carry data-rich “identity cards” in the form of smart cards or in data stored on mobile devices.

Privacy Concerns – One of the most interesting aspects of the NSTIC is that it does not appear to specifically call for a single federated identity but rather allows the emergence of multiple identity credentials that ostensibly protect consumers from having one single view of all their behavior. In fact, several of the specific use cases (“Envision It” boxes) called out in the White House paper specifically highlight how consumers can keep different aspects of their identity separate. That said, many are still concerned about the unintended consequences of the proposal that might lead to significant aggregation of data by the government or third parties. Identity Finder’s Chief Privacy Officer Aaron Titus warned, “Although the NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.”

Implementation Concerns – Perhaps the biggest challenges associated with the new initiative come in the “devil in the details” form. There are a host of unanswered questions that have huge implications for the effectiveness of the program in achieving its stated objectives, including:

- Oversight for Credential Issuing Authorities – The NSTIC references the creation of “trust marks” for entities qualified to issue secure credentials. The NPO would be responsible for developing these, but there is no clear standard, requirements or process outlined for doing so. Given the already staggering number of essentially unregulated credential issuing authorities in the United States (hospitals, city, county and state governments, employers, healthcare organizations, etc.), the question of how these entities would be evaluated looms large. What security standards would be required? What electronification requirements would need to be in place? How would the NPO be staffed to handle the workload? How often would these credential issuing entities be required to “recertify?” Clearly, the certification process alone would be a huge task. If recent PCI compliance efforts are any guide, the expectation that massive compliance would be achieved without major investment seems unlikely. And in the current environment of fiscal constraint, it seems unlikely that large government financial incentives or assistance would be available.

- Privacy Rights Oversight – This is an area that is completely undefined so far. Many worry that this proposal could lead the government to be able to amass a range of data about citizens, including healthcare, banking and other personal information that wouldn’t necessarily be beneficial to the citizen.

- Credential Acceptance Challenges, Liabilities and Recourse – Today, there is an established body of law and regulation around the responsibilities and liabilities associated with using specific forms of identity. Government and private sector players alike understand when and for what purposes it is appropriate to use a driver’s license for age verification or a social security number for employment eligibility verification. As new credential issuers emerge, including schools, healthcare organizations, banks and telecommunications companies (each of these was called out specifically in the NSTIC paper), a wide range of new liability scenarios will emerge. For example, if a local Internet service provider (ISP) issues credentials associated with an Internet account that are later found to be based on stolen identity information, will companies that used those credentials for secure retail Internet purchases have recourse to sue the ISP for lax security? Although that is one simple example, as credential issuing authorities proliferate, the lack of clear case law and precedent could add uncertainty.

The Beneficiaries

It is clear why online retailers, payments companies and telecommunications companies are coming out in favor of the proposal. Today’s weak security standards based on easily hacked (or easily guessed) username and password combinations are frustrating for consumers and commerce providers alike. In addition, there are some other players who will benefit from the renewed dialog in this arena:

Internet & Mobile Commerce Players – New standards that provide a clear path for identity management in cyberspace should simplify and reduce costs for retailers, banks and telecommunications players. Anyone that has a major expense associated with management of customer username and password information (at some entities this accounts for 2/3 of all customer call volume) would theoretically benefit from true progress in this realm.

Information Security Technology Solution Providers – New companies like Azigo, which has an “online identity data wallet,” should be well-positioned to help simplify the complexity of the new ecosystem. Traditional information security management solution providers like RSA, which have a history of both protecting large stores of data and authenticating businesses and consumers, might also be well-positioned to take advantage of this new government program.

Consultants and Lawyers – Sadly, whenever a new government entity or initiative emerges, the private sector players that have to live within the evolving new environment are forced to rely on input from a range of consulting and legal resources. In this case, consultants and lawyers with experience ranging from very technical disciplines (database and network security, authentication) to consumer behavior and marketing disciplines, to privacy expertise will be required to help chart the course for players operating in this newly defined Identity Ecosystem.

The Way Forward

The proposed NSTIC approach actually appears to be a fairly balanced attempt to manage the often competing claims of security, privacy, efficiency and choice. The “Envision It” use cases highlighted in the NSTIC paper showcase a wide range of practical scenarios and suggest ways in which the NSTIC might be implemented in ways that balance the competing interests of consumer privacy, efficiency and security. So, it appears a sincere attempt has been made to think about the various constituencies facing these challenges. It will be interesting to see how the newly announced NPO is staffed, since any likely success must be rooted in a program office that manages this delicate balance of government coordination, baseline regulation & standards and private sector leadership.


Margaret is a Managing Director at Market Platform Dynamics and an experienced payments industry executive with a proven track record of commercializing new technologies in small start-ups and large multi-national corporations.


Comments

  • An interesting part of the strategy is a risk based ecosystem. The strategy calls for various levels of security embodied within an ID, based on the risk factors of the particular transaction engagements. For financial and healthcare transactions it calls for a high degree of security functionality and ID vetting. Interestingly enough, the NIST has established the standards for this type of transaction in cyberspace already. It's called FIPS 201 and the PIV or PIVi credential. The PIVi protocol allows for three factor authentication and is highly secure in cyberspace. It would protect the user even if his operating environment is compromised. This is the problem for financial institutions, isn’t it? Account takeover. FI’s are responsible for losses on consumer DDA accounts that have been compromised even if the compromise was based on malicious software on the end user’s system. (Regulation E). And for corporate accounts, FI’s are settling lawsuits out of court. (UCC-4A covers corporate DDA accounts and calls for FI’s to have commercially reasonable security.) FI’s do not have a solution for their internet banking services that is not dependent on the end user’s system being free from malware. Currently there is only one organization certified to issue a PIVi credential and has an end to end solution for issuance and management of the credential throughout the lifecycle of the PIVi. That organization is XTec Incorporated, who has been issuing the PIV credential since 2004 and recently certified PIVi with the Entrust certificate authority over the past couple of weeks. By the way, it is not a proprietary solution. Any organization who wants to invest in the engineering and certification can certify to issue a PIVi through NIST. But be ready to spend tens of millions of dollars.

    Posted by Bryan Russell, 25/04/2011 5:46pm (1 year ago)

  • It makes sense; since the dawning of the internet it has promised to make all things open. Let's hope and pray that such initiatives allow us to separate the good, the bad, and the ugly!

    Posted by George Ingram Computer Scientist, 24/04/2011 9:30am (1 year ago)

  • Excellent!

    The heart of this proposal is identical to a process defined in a patent issued in 2010. That patented process is embodied in a system that has been operational for over 4 years.

    Identity protection systems of any kind are worthless unless the identity owner has fine-grained ID asset control. It's amazing that reaching that conclusion required a government task force.

    Can anyone explain the societal rationale for why social security numbers, once issued, are in the "enabled for commercial use" state even though the owner of the SSN is 30 days old?

    Why isn't the default state for all identity assets "OFF" rather than "ON"?

    Posted by Gary Dennis, 19/04/2011 12:07pm (1 year ago)
