NSTIC Sets Up a Tall Order

http://www.youtube.com/watch?v=32P-IEmBfEA&feature=player_embedded

“The Identity Ecosystem is the embodiment of the vision. It is an online environment where individuals and organizations can trust each other because they follow agreed-upon standards and processes to identify and authenticate their digital identities—and the digital identities of organizations and devices.”FedInsider News

The above paragraph is on page 21 of the National Strategy for Trusted Identities in Cyberspace, released Friday with much fanfare. The strategy came out under the imprimatur of the White House, but this latest iteration is largely the work of the staff at the National Institute of Standards and Technology, joined by senior advisor Jeremy Grant. He joined in December.

The NSTIC, pronounced EN-stick, spells out an important need in the nation, namely a much higher level of trust and security built into online transactions. As the report points out, such commerce represents trillions of dollars in annual value. The ease with which people are directed to phony or spoofed web sites, the productivity of spear phishing, and the annual level of identity theft through a variety of means all attest to this need.

To get there, the NSTIC prescribes development of what it calls an Identity Ecosystem Framework. That’s the set of underlying standards and policies ensuring interoperability to elements in an identity ecosystem including accreditation authorities, trust marks (that are themselves trustworthy), and the machines and people who participate in online commerce. The report recognizes that the technologies for issuing trusted identities, verifying sources and individuals, issuing attributes of people’s electronic representations, and so forth all exist now. But not in a way that forms a system that’s easy to use, inexpensive, and ubiquitous. The NSTIC correctly points out that the username/password model has become woefully inadequate for building trusted systems.

This has all been known for a while. Still, the NSTIC is a thorough description of, and a one-stop explanation of, a big problem in which both the government and the private sector have jobs to do. It lays out a sound strategy, but there are a lot of blanks in terms of timetables and specific deliverables. You must read ‘til page 24 of the 45-page documents before the authors settle down into what’s required to meet the goals. It says the identity ecosystem framework, a steering group, a trust framework, accreditation authorities and a trust mark theme are all to be developed at some indeterminate time in the future.

The goals, by the way, are (in the report’s words):

• Develop a comprehensive Identity Ecosystem Framework

• Build and implement interoperable identity solutions

• Enhance confidence and willingness to participate in the Identity Ecosystem

• Ensure the long-term success and viability of the Identity Ecosystem.
According to the report, the government expects — again, correctly in my opinion — that the private sector must be the primary developer and operator of the elements of the identity ecosystem, with the government being a prime user of it and therefore a driver of widespread adoption. Actually, the government has a somewhat bigger role, namely to be the convener of the private and public parties that must work together to establish the ecosystem.

A series of objectives, leading to establishment of an international ecosystem for trusted identities, lays out what everyone is supposed to do. But how does it all get started? It will start with establishment of a national program office within the Commerce Department, whose job it will be to achieve the goals.

Still also to be written by the government is what the report calls an implementation roadmap “that identifies and assigns responsibility for near- and long-term actions that the federal government can perform.” It’s talking about a 3-year to 5-year timeline for the ecosystem to reach its “initial operating capacity.”

The unanswered question is whether industry will embrace this challenge. The hard nut will be interoperability so that, for example, a credential issued by a big bank will be usable by an online retailer and vice versa. Much of that groundwork exists. But I expect the commercial players to do a hard-nosed analysis of whether losses under the existing hodge-podge, in which the average person has 20 or 30 passwords to remember, will be more than offset by the cost of helping bring about the ecosystem.

A corollary question is whether consumers will embrace new trusted-identity online procedures and hardware. Many business and technical users are familiar with token cards, password generators, and public-key encryption. But not the average person. Still, this is a nation that has purchased 20 million tablets in the past couple of years and learned to use them. So maybe people will see the benefit in peace of mind from trusted online techniques.