
White House Drafts Cyber Identity, Authentication Strategy

National Strategy for Trusted Identities in Cyberspace will recommend policy changes and create federal offices on digital identity.

The White House later this month plans to release a draft national identity and authentication strategy that will recommend changes to privacy laws, possible revisions to the liability of online identity providers, and the creation of new government offices leading the way on digital identity and authentication issues.

The plan, which will be called the National Strategy for Trusted Identities in Cyberspace, aims to improve and strengthen identity and authentication procedures for online transactions, according to Ely Kahn, director of cybersecurity policy at the National Security Staff in the White House, who spoke at an event Thursday morning in Washington, D.C.

The effort also includes an action plan that will be delivered to President Obama, and the goal is for the final strategy and action plan to be approved later this year, Kahn said. Currently, the White House is gathering and actively seeking comments on a draft of the plan being passed around among key government and industry stakeholders, and a revised draft will be made available for public comment by the end of June.

The strategy, which has its origins in the cyberspace policy review carried out by the White House last year and was developed with input from an interagency working group, was first discussed publicly in July 2009, and so has been almost a year in the making.

According to Kahn, it will include "bold" recommendations that will carry budgetary and legislative implications as well as operational changes for government agencies.

For example, one of the top recommendations will be to mandate adoption of IPv6 and DNSSEC in government, with an eye toward later efforts to motivate implementation of those technologies in private industry. Other recommendations will be made to limit how companies that manage identities can use private information, as well as to overhaul liability of identity and authentication providers -- which Kahn said has been holding back the development of interoperable identity schemes.

The strategy will also include the creation of pilots, programs, and even new government offices intended to spur the adoption of "strong, interoperable" authentication schemes, which, Kahn said, should help catalyze the development and use of technologies like using smartphones to conduct transactions or enter secured buildings.

Mike Mestrovich, president of the Federation of Identity and Cross-Credentialing Systems, which worked with the Department of Defense to develop a federated trust model for the DoD and defense contractors, said that he has yet to have any engagement with the White House on its strategy, but has a meeting planned with cybersecurity coordinator Howard Schmidt for next week.

"It's one thing to espouse a policy, but it's another to get everyone to adopt it," Mestrovich said in an interview. The central challenges of any successful effort, he said, will be to ensure engagement with the right stakeholders and to work hard to cut through difficult cultural barriers.

Of course, one of the other key challenges will be to adequately address privacy and civil liberties to gain the public's trust. Though Kahn didn't stress the point today, the White House did note those concerns at a conference on identity last July.
