In an effort to alleviate one of the biggest issues in online security—the problem of secure online authentication—the Obama administration recently issued its final National Strategy for Trusted Identities in Cyberspace (NSTIC). The goal is to partner with private sector entities to implement the strategy; that initiative is being led by the Commerce Department and the National Institute of Standards and Technology (NIST). If it works, it could help reduce online fraud and identity theft and spur commerce, according to government officials. It would be particularly useful for online banking and in protecting sensitive electronic medical records.
But even supporters acknowledge that creating a new set of authentication tools will be challenging and time-consuming. Some organizations and privacy advocates have also expressed concerns about how NSTIC can be developed while adequately protecting consumer privacy and without creating new vulnerabilities for cybercriminals to exploit.
Whatever the challenges, everyone agrees that the initiative is needed because the current system of passwords is insecure and burdensome, said Howard Schmidt, the White House’s cybersecurity coordinator, speaking on NSTIC at the recent Visa Global Security Summit in Washington, D.C. Many people use weak passwords; others use the same passwords for multiple Web sites, he said. Such practices contribute to the growing rate of online fraud and identity theft, he added. For example, the United States experienced approximately $37 billion in losses from such crimes in 2010, according to a recent study by Javelin Strategy & Research.
In describing the government’s new program, Schmidt sought to alleviate privacy concerns, including fears expressed by some that NSTIC would involve consumers providing too much private information to government entities. “This is specifically not a national ID card,” he said, adding that any new systems would also be voluntary. New devices, which could include smart cards or tokens, would work as federated identities in which a person’s identity and attributes are shared across multiple identity management systems.
The specific solutions will not come from the government, he noted, explaining, “We’re looking for your leadership, your entrepreneurship, and your technologies to make this real.”
(This article continues in "Moving Toward Trusted Identities," from the August 2011 issue of Security Management.)
illustration by Don Hankins from flickr