Risk
6/3/2010
02:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Drafts Cyber Identity, Authentication Strategy

National Strategy for Trusted Identities in Cyberspace will recommend policy changes and create federal offices on digital identity.




Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The White House later this month plans to release a draft national identity and authentication strategy that will recommend changes to privacy laws, possible revisions to the liability of online identity providers, and the creation of new government offices leading the way on digital identity and authentication issues.

The plan, which will be called the National Strategy for Trusted Identities in Cyberspace, aims to improve and strengthen identity and authentication procedures for online transactions, according to Ely Kahn, director of cybersecurity policy at the National Security Staff in the White House, who spoke at an event Thursday morning in Washington, D.C.

The effort also includes an action plan that will be delivered to President Obama, and the goal is for the final strategy and action plan to be approved later this year, Kahn said. Currently, the White House is gathering and actively seeking comments on a draft of the plan being passed around among key government and industry stakeholders, and a revised draft will be made available for public comment by the end of June.

The strategy, which has its origins in the cyberspace policy review carried out by the White House last year and was developed with input from an interagency working group, was first discussed publicly in July 2009, and so has been almost a year in the making.

According to Kahn, it will include "bold" recommendations that will carry budgetary and legislative implications as well as operational changes for government agencies.

For example, one of the top recommendations will be to mandate adoption of IPv6 and DNSSEC in government, with an eye toward later efforts to motivate implementation of those technologies in private industry. Other recommendations will be made to limit how companies that manage identities can use private information, as well as to overhaul liability of identity and authentication providers -- which Kahn said has been holding back the development of interoperable identity schemes.

The strategy will also include the creation of pilots, programs, and even new government offices intended to spur the adoption of "strong, interoperable" authentication schemes, which, Kahn said, should help catalyze the development and use of technologies like using smartphones to conduct transactions or enter secured buildings.

Mike Mestrovich, president of the Federation of Identity and Cross-Credentialing Systems, which worked with the Department of Defense to develop a federated trust model for the DoD and defense contractors, said that he's yet to have had any engagement with the White House on its strategy, but has a meeting planned with cybersecurity coordinator Howard Schmidt for next week.

"It's one thing to espouse a policy, but it's another to get everyone to adopt it," Mestrovich said in an interview. The central challenges of any successful effort, he said, will be to ensure engagement with the right stakeholders and to work hard to cut through difficult cultural barriers.

Of course, one of the key other challenges will be to adequately address privacy and civil liberties to gain the public's trust. Though Khan didn't stress the point today, the White House did note those concerns at a conference on identity last July.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?