Update: At the recent Internet Identity Workshop (IIW), the private sector was seen moving forward with NSTIC ideas and "self-organizing" faster than the wheels of government can turn, especially when it comes to funding. IT in the federal government is starting to align with NSTIC regardless of funding. See this update from John Fontana for more details.
Over the past five years, our use of the web for sensitive transactions has grown dramatically. I clearly remember my early orders at Amazon, hesitating at the thought of typing my credit card information on a payment page, worrying that there'd be some technical glitch somewhere between me and the server during processing. (I still have my early-adopter Amazon Bookstore customer gift to prove it!) We've all gotten much more comfortable with e-commerce since then, of course, but there's a very sharp line between what kinds of sensitive transactions you can do online and what kinds you can't (or shouldn't). Many transactions that fall into the “shouldn’t” category are there because of the question of identity. It’s the essence of the phishing malware attack: Is this person who he says he is? This anonymity, for better or worse, was pointed out in a famous New Yorker cartoon in 1993, in which the canine protagonist sitting in front of a computer says to his companion, “On the Internet, nobody knows you’re a dog.”
If you're reading this column, you're already acutely aware of what's safe to enter and what's not safe. But you’re also in the tiny minority. According to the “2011 Identity Fraud Survey Report” by Javelin Strategy and Research, 8.1 million adults were victims of identity theft or fraud, with total costs of $37 billion. Research from Trusteer in 2010 found that phishing attacks continue to increase, and an amazing 50 percent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received.
And passwords just can’t cope with the boom. Back in 2004, an RSA working paper found that a small business of 500 employees spends about $110,000 per year on internal password management alone. That’s $220 per user per year, and it doesn’t account for the costs and risks associated with the explosion in SaaS services since then, most of which require their own user ID and password. We badly need an alternative to passwords. As Jeremy Grant, manager of the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “en-stick” by the cool kids) program office, likes to say, “We think the password is fundamentally insecure and needs to be shot.”
Jeremy doesn't just want to make it easier for us to put sensitive information on the Internet. After all, that's also the goal of the phishing messages we're bombarded with on a daily basis. No, Jeremy also wants to make it far more secure for US citizens to conduct all kinds of transactions on the Internet.
The NSTIC program office is part of the National Institute of Standards and Technology (NIST), the people who do everything from keeping track of the fundamental constants of nature to improving diamond machine polishing techniques. NSTIC describes “a vision of the future—an Identity Ecosystem—where individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely support transactions ranging from anonymous to fully authenticated and from low to high value. Key attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease-of-use, security, confidence, innovation, and choice.”
NSTIC isn’t a national ID system like the one India is planning; in fact, it’s exactly the opposite. No, it's not a devious attempt by the federal government to discover who has assault weapons and take them away in the middle of the night. NSTIC is an acknowledgment that what's needed for secure transactions on the Internet is a common framework that both identity providers (e.g., Google, Facebook, the Department of Defense—DoD) and service providers (aka relying parties, such as ADP and Dropbox) agree to work within. Since this kind of "coopetition" can be difficult and time-consuming to achieve, the federal government wants to jumpstart and assist this process as a neutral—but stakeholder—third party. (The government is a stakeholder in this because it is itself one of the world's largest collections of identity providers.) The leaders in developing a national identity ecosystem must be in the private sector, if for no other reason than that we wouldn’t trust a government system and thus would never use it.
NSTIC’s envisioned identity ecosystem wouldn’t be run by a single identity provider. First, here in the United States, everyone would be suspicious of just one identity provider. Second, consumers want choices and are already associated with a wide variety of identity providers. Unless you’re one of the 15 consumers in the United States who has never bought anything from Amazon, logged on to Facebook, or created a webmail account, you already have an identity with a consumer identity provider. You don’t need another for a national identity ecosystem.
Instead, NSTIC’s vision is to have an online environment where identity providers (both public and private), service providers, and consumers share a set of agreed-upon technologies and standards that create a network supporting trusted IDs that can be used by all parties.
Here’s an important point: NSTIC isn’t getting into new technology. Secure technologies already exist (e.g., smart cards, digital certificates), so NSTIC is instead focused on policy and standards to ensure that everyone can interoperate with these technologies.
The NSTIC identity ecosystem would allow the consumer to make secure online transactions, with his or her trusted ID, that range from low value and completely anonymous to high value and fully authenticated. This ecosystem would minimize the use of passwords and enable us to do things on the web such as using a smartphone anywhere you’d use a credit card or driver’s license today.
From a business standpoint, the NSTIC trusted ID would allow businesses to easily conduct highly secure transactions with each other, minimizing the cybercrime impact that affects so much of e-commerce today. Given a much higher level of security, consumers would be more likely to do their business online, and entirely new classes of e-commerce—such as legal services and online healthcare interactions—would be opened up.
One tenet of this identity ecosystem is that it’s voluntary. Identity providers, service providers, and consumers themselves don’t have to join. The goal of developing a well-thought-out framework that takes all stakeholders into consideration is to have a Field of Dreams model: If you build it, they will come. Consumers will have choices for who they want as an identity provider, and consumer demand will encourage more identity providers and service providers to join the ecosystem. The NSTIC identity ecosystem’s benefits will be so compelling for all parties that its adoption will be fueled by its own benefits. As a stakeholder, the government looks to benefit from this framework and is offering its large identity infrastructure to dogfood early implementations as an incentive for deployment.
An NSTIC identity ecosystem is far from deployment though; if some of these descriptions sound a bit vague, it’s because NSTIC is still in its early stages. The strategy has been published, a national program office for coordinating work has been established, an implementation roadmap has been created, and the deadline for submitting comments on a proposed NSTIC governance structure closed at the end of August.
NSTIC isn’t without its challenges. Aaron Titus, chief privacy officer at Identity Finder, is concerned that NSTIC makes privacy a core principle but doesn’t recommend regulation to ensure privacy. In other words, regulation must provide the legal stick to the identity ecosystem’s carrot to lessen the chance that these powerful new identity credentials will be subject to “hyper-identity theft” if stolen or misused by unscrupulous participants. And getting national legislation passed nowadays, for any reason, is a pretty daunting undertaking. In his blog, Ben Tomhave argues that the identity ecosystem is secondary to the number-one identity problem: getting rid of passwords entirely.
It’s a vision of how things should be. But as the old proverb says, “The devil’s in the details.” The private sector must be the entity to step up and figure this out, with a solid governance model that includes a trusted framework between all members. The end result must be trustworthy—not just in the security sense but in the consumer sense. Because if Jim Bob next door or your Aunt Mary doesn’t trust it, it won’t be adopted. Fortunately, key private-sector identity providers and service providers are commending this effort and getting involved.
At the NSTIC launch event, Andrew Nash, director of Internet identity products at Google, stated, “If we don’t work out how to move forward from here, the potential of having an Internet that we feel comfortable about using is diminishing rapidly. And that’s bad for all of us.” If you’re an identity geek or a privacy advocate and you want to have a say in how the identity ecosystem is developed, you should get involved. Go to NSTIC’s home page, read the documentation about what NSTIC is (and what it isn’t), watch for upcoming notices of inquiry to submit comments and workshops to participate in, or contact Jeremy.