At Tuesday’s GovLoop event, “Evolving Tactics to Combat the Cyber Threat,” govies kicked off the day by focusing on a critical strategy to better tackle cyber threats: interagency collaboration.
Michael Garcia is the Acting Director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) at the National Institute of Standards and Technology (NIST) under the Department of Commerce. NSTIC is an interagency, shared-services approach to combating one of the most commonly exploited areas in cyberspace: identity and authentication.
“NSTIC is the answer to solving our online identity problems without a national ID card,” Garcia said. “If you were to give 320 million Americans the same technology and tell them to do the exact same things with it, you would have a huge attack surface and economic problem when the technology breaks.”
An economic solution to this problem is central to helping government keep up with the market in terms of better serving the public while enhancing security. Garcia showed how economics and cybersecurity – two seemingly disparate fields – can be joined through the shared services approach and how it can make authentication easier, cheaper, and more effective for agencies.
“Users don’t want to have several identification cards,” Garcia said. “We need smarter interoperability. We need to amortize the cost of more comprehensive authentication approaches and spread the costs across different partners so that we can make better solutions cheaper.”
This is where Garcia brought in his economics background to apply Metcalfe’s law.
Just for a quick economics review, Metcalfe’s law states that the value of a network is proportional to the square of the number of connected users of the system. In other words, the more partners or users you have, the more worthwhile your investments into bigger and better authentication and identity systems, even if they seem costly. More partnerships = cheaper and better solutions.
“We can’t just take government dollars and expect that alone to grow solutions. Each partner adds an additional network value,” Garcia said. “Ultimately, we need a better marketplace for credentials.”
Let’s dive a little deeper into NSTIC to understand exactly how Garcia and his team tie economics and partnerships into cybersecurity strategies for government.
National Strategy for Trusted Identities in Cyberspace
In 2011, the cyberspace market started out as a weak market with a number of barriers. In 2015, there is still a limited market with persistent impediments. The ultimate goal of NSTIC is to help the cyber solutions market evolve faster than it breaks. The NSTIC approach emphasizes a marketplace for solutions. When it comes to credentials and authentication, the key is to look for solutions that cost an attacker more to break than they cost the agency to invest in.
“All solutions will break,” said Garcia. “It’s just a matter of how long it takes and how much it costs.”
Consider authentication devices like a Personal Identity Verification (PIV) card. Breaking a device like a PIV card is extremely difficult and far more expensive than the actual cost of investing in the device itself. Those are the types of solutions that NSTIC seeks.
NSTIC also seeks to enable federal agencies to adopt better solutions such as those we see in the marketplace.
The first step for federal adoption is establishing a default authentication approach that can continue to evolve. Garcia mentioned several examples that apply such approaches, including Connect.gov, the Federal Identity and Credential Management Program (FICAM), and NIST’s 800-63 guideline.
- Connect.gov: Connect.gov seeks to enable trusted digital interactions between people and government. Its core approach is interagency integration. Through its site, a customer can access an online government agency application when identification is needed. The customer then logs in or registers with a pre-approved and trusted Sign-in Partner, eliminating the need for multiple usernames and passwords.
- FICAM: Established in 2011 by the Federal Chief Information Officers Council and the Federal Enterprise Architecture, FICAM’s Trust Framework Solutions program can be described as the workhorse of bringing commercial credentials to the federal space. The program’s essential focus is on streamlining authentication processes and increasing market responsiveness.
- NIST 800-63: This is NIST’s Electronic Authentication Guideline. Through 800-63, NIST provides technical guidance to Federal agencies implementing electronic authentication. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols, and related assertions. “This is how we help agencies define how risky your application is and if a given credential allows you to access it,” Garcia said.
He added: “We’re funding pilots to establish technologies in the marketplace to help government adapt and accept credentials at the same rate as the market.”
Ultimately, interagency collaboration and partnerships are key to both improving the market for cyber solutions and better tackling cybersecurity. Garcia concluded by emphasizing the need to create multilateral support among federal agencies when it comes to authentication processes. By integrating resources, government agencies can hope for better solutions, greater cost-efficiency, and more security for users.