The Obama administration’s recently released plan to create a government-directed electronic “identity ecosystem” is designed to reduce online fraud and identity theft and to give users confidence in online transactions. But can it really work? And what impact will it have on already overburdened government managers and security professionals?
The plan, called the National Strategy for Trusted Identities in Cyberspace (NSTIC), is intended to “chart a course for the public and private sectors to collaborate to raise the level of trust associated with the identity of individuals, organizations, networks, services and devices involved in online transactions.” Using the Identity Ecosystem, the centerpiece of NSTIC, individuals will be able to choose among multiple, interoperable digital credentials issued by competing private sector companies, supporting identity portability and meeting burgeoning public demand for secure, privacy-enhanced interactions with the commercial sector and all levels of government.
The National Institute of Standards and Technology, the designated lead agency for NSTIC, will steer the effort to implement the Identity Ecosystem. The agency will work closely with White House cybersecurity coordinator Howard Schmidt and manage the NSTIC undertakings of federal agencies, including the Department of Health and Human Services, the Department of Homeland Security, the Department of Treasury, the General Services Administration and the Department of Veterans Affairs.
While the Identity Ecosystem will be built by the private sector, the government’s presence in the project is a bit like the elephant in the room. Officials are counting on it to help expand government online services and give constituents a rock-solid sense of trust in electronic transactions with agencies, especially as major federally led initiatives, such as health information technology -- the public-private exchange of electronic health information -- move forward in the coming years.
As a result, the government will “lead by example and be an early adopter of identity solutions” that align with the ecosystem framework, NSTIC states. The government also will initiate pilot programs, share its test beds with the private sector, and expand its services to jumpstart deployment of the ecosystem, according to the plan.
“It sounds wonderful, but I’m really rather skeptical about the practicality of doing it,” said Richard Moulds, vice president of product strategy for Thales Group’s e-security division, and a specialist in cryptographic technologies. “To try to come up with an ecosystem in which relatively generic credentials can be used for all manner of purposes and that have been issued by all manner of organizations and then trusted by all manner of different [users] is a pretty tall order,” Moulds said.
Government officials concede that the ecosystem will take “many years” to develop and complete, and achieving the vision of an online environment of trusted identities will require a dedicated effort on the part of both the public and private sectors. Moulds said the very complexity of such an environment may actually work against trust.
“At the end of the day, diversity and complexity are the enemies of security,” he said. “The more things you try to do with credentials, the harder it is to have any trust in those credentials. And the more [vendors] you have issuing these credentials, the harder it becomes to determine the trust levels of those credentials.”
While credential technologies — smart cards or digital certificates, for example — aren’t likely to present significant security concerns, the processes that commercial vendors use to issue the credentials may be cause for unease among managers, according to Moulds.
“The IT guy has to worry about the integrity of systems that actually issue and validate the credentials,” he said. “The credentials themselves will be fine. The question is the systems that issue them and validate them.”
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.