6/3/2010
02:10 PM

White House Drafts Cyber Identity, Authentication Strategy

National Strategy for Trusted Identities in Cyberspace will recommend policy changes and create federal offices on digital identity.




The White House later this month plans to release a draft national identity and authentication strategy that will recommend changes to privacy laws, possible revisions to the liability of online identity providers, and the creation of new government offices leading the way on digital identity and authentication issues.

The plan, which will be called the National Strategy for Trusted Identities in Cyberspace, aims to improve and strengthen identity and authentication procedures for online transactions, according to Ely Kahn, director of cybersecurity policy at the National Security Staff in the White House, who spoke at an event Thursday morning in Washington, D.C.

The effort also includes an action plan that will be delivered to President Obama, and the goal is for the final strategy and action plan to be approved later this year, Kahn said. Currently, the White House is gathering and actively seeking comments on a draft of the plan being passed around among key government and industry stakeholders, and a revised draft will be made available for public comment by the end of June.

The strategy, which has its origins in the cyberspace policy review carried out by the White House last year and was developed with input from an interagency working group, was first discussed publicly in July 2009, and so has been almost a year in the making.

According to Kahn, it will include "bold" recommendations that will carry budgetary and legislative implications as well as operational changes for government agencies.

For example, one of the top recommendations will be to mandate adoption of IPv6 and DNSSEC in government, with an eye toward later efforts to motivate implementation of those technologies in private industry. Other recommendations will be made to limit how companies that manage identities can use private information, as well as to overhaul liability of identity and authentication providers -- which Kahn said has been holding back the development of interoperable identity schemes.

The strategy will also include the creation of pilots, programs, and even new government offices intended to spur the adoption of "strong, interoperable" authentication schemes, which, Kahn said, should help catalyze the development and use of technologies such as smartphones that can be used to conduct transactions or enter secured buildings.

Mike Mestrovich, president of the Federation of Identity and Cross-Credentialing Systems, which worked with the Department of Defense to develop a federated trust model for the DoD and defense contractors, said that he has yet to have any engagement with the White House on its strategy, but has a meeting planned with cybersecurity coordinator Howard Schmidt for next week.

"It's one thing to espouse a policy, but it's another to get everyone to adopt it," Mestrovich said in an interview. The central challenges of any successful effort, he said, will be to ensure engagement with the right stakeholders and to work hard to cut through difficult cultural barriers.

Of course, one of the other key challenges will be to adequately address privacy and civil liberties to gain the public's trust. Though Kahn didn't stress the point today, the White House did note those concerns at a conference on identity last July.
