Saturday, July 3, 2010

The National Strategy for Trusted Identities in Cyberspace

The White House announced a draft National Strategy for Trusted Identities in Cyberspace (NS-TIC). I've seen some strong negative takes on the government getting involved in this aspect of security cyberspace (e.g. Lauren Weinstein), but I'm cautiously optimistic.

First, as a vision document, NS-TIC pretty good. I had no big issues with it and thought it touched on all the key problems that we have today. One small complaint is that it doesn't mention higher education as a player in this space - alas, my pond is not as big as I might hope.

But NS-TIC is just a vision document, without specifics. It does lay out some action items: the first, and biggest in my mind, being Action 1: "Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy." Which agency is chosen will have a big impact on how this progresses.

My hope is that the Government will serve two roles: a key service provider that will serve as a catalyst to bring the current mis-mash of identities standards into a coherent whole, and as a coordinator for those standards.

With regards to the first role - what I mean is that the Government should be a provider of services using identities, and not a provider of identities themselves. There seem to be enough companies who want to play the identity provider role (for a small sample, just click the 'Sign In' button on the NS-TIC web page). And by having a range of companies do it, that fosters some competition and privacy in it's own right, as opposed to have a single source of identities, that being the Government. In an ideal world, some non-profits will emerge in addition to for-profit companies, who will always have commercial tensions, specifically to be identity providers.

In terms of the latter role of coordination, I think the National Institute of Standards and Technologies (NIST), who has done a good job on brining us key cryptographic standards such as AES, and has already been serving, in a small way, to drive a community around identities with by participating in activities such as the Symposium on Identity and Trust on the Internet, would be the best choice of agency. I note they were selected to coordinate the new cybersecurity education initiative, so I'm hopefully about this.



The worst case senario is the National Security Agency is selected as the agency. Sociologically, this would be a non-starter as no one would trust the process or results. Objectively, being in charge of both securing cyberspace and spying in cyberspace is a conflict of interest for the NSA.

In the middle would be the Department of Homeland Security. At least the conflict of interest wouldn't be as overt a problem (I suspect many would argue this and I have to agree it would still be a problem to some degree), but, frankly, DHS just hasn't demonstrated they have the ability to handle something of a technical nature such as this and there would be huge skepticism in the community in their ability to lead. I think other agencies that might be selected (Commerce perhaps?) fall into this same boat in my mind.

So, I'm cautiously optimistic. I'm glad to see cyber identities getting this attention. If this vision gets implemented in the right way, with NIST leading, the government acting as a service and not identity provider, and it helping to coalesce all the competing standards, it is a good thing.

Added 7/12, other comments on NS-TIC:

No comments:

Post a Comment