6/3/2010
02:10 PM

White House Drafts Cyber Identity, Authentication Strategy

National Strategy for Trusted Identities in Cyberspace will recommend policy changes and create federal offices on digital identity.




The White House later this month plans to release a draft national identity and authentication strategy that will recommend changes to privacy laws, possible revisions to the liability of online identity providers, and the creation of new government offices leading the way on digital identity and authentication issues.

The plan, which will be called the National Strategy for Trusted Identities in Cyberspace, aims to improve and strengthen identity and authentication procedures for online transactions, according to Ely Kahn, director of cybersecurity policy at the National Security Staff in the White House, who spoke at an event Thursday morning in Washington, D.C.

The effort also includes an action plan that will be delivered to President Obama, and the goal is for the final strategy and action plan to be approved later this year, Kahn said. Currently, the White House is gathering and actively seeking comments on a draft of the plan being passed around among key government and industry stakeholders, and a revised draft will be made available for public comment by the end of June.

The strategy, which has its origins in the cyberspace policy review carried out by the White House last year and was developed with input from an interagency working group, was first discussed publicly in July 2009, and so has been almost a year in the making.

According to Kahn, it will include "bold" recommendations that will carry budgetary and legislative implications as well as operational changes for government agencies.

For example, one of the top recommendations will be to mandate adoption of IPv6 and DNSSEC in government, with an eye toward later efforts to motivate implementation of those technologies in private industry. Other recommendations will be made to limit how companies that manage identities can use private information, as well as to overhaul liability of identity and authentication providers -- which Kahn said has been holding back the development of interoperable identity schemes.

The strategy will also include the creation of pilots, programs, and even new government offices intended to spur the adoption of "strong, interoperable" authentication schemes, which, Kahn said, should help catalyze the development and use of technologies such as smartphones for conducting transactions or entering secured buildings.

Mike Mestrovich, president of the Federation of Identity and Cross-Credentialing Systems, which worked with the Department of Defense to develop a federated trust model for the DoD and defense contractors, said that he has yet to have any engagement with the White House on its strategy, but has a meeting planned with cybersecurity coordinator Howard Schmidt for next week.

"It's one thing to espouse a policy, but it's another to get everyone to adopt it," Mestrovich said in an interview. The central challenges of any successful effort, he said, will be to ensure engagement with the right stakeholders and to work hard to cut through difficult cultural barriers.

Of course, one of the other key challenges will be to adequately address privacy and civil liberties to gain the public's trust. Though Kahn didn't stress the point today, the White House did note those concerns at a conference on identity last July.
