Risk
6/3/2010
02:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Drafts Cyber Identity, Authentication Strategy

National Strategy for Trusted Identities in Cyberspace will recommend policy changes and create federal offices on digital identity.




Image Gallery: Who's Who In U.S. Intelligence
(click for larger image and for full photo gallery)
The White House later this month plans to release a draft national identity and authentication strategy that will recommend changes to privacy laws, possible revisions to the liability of online identity providers, and the creation of new government offices leading the way on digital identity and authentication issues.

The plan, which will be called the National Strategy for Trusted Identities in Cyberspace, aims to improve and strengthen identity and authentication procedures for online transactions, according to Ely Kahn, director of cybersecurity policy at the National Security Staff in the White House, who spoke at an event Thursday morning in Washington, D.C.

The effort also includes an action plan that will be delivered to President Obama, and the goal is for the final strategy and action plan to be approved later this year, Kahn said. Currently, the White House is gathering and actively seeking comments on a draft of the plan being passed around among key government and industry stakeholders, and a revised draft will be made available for public comment by the end of June.

The strategy, which has its origins in the cyberspace policy review carried out by the White House last year and was developed with input from an interagency working group, was first discussed publicly in July 2009, and so has been almost a year in the making.

According to Kahn, it will include "bold" recommendations that will carry budgetary and legislative implications as well as operational changes for government agencies.

For example, one of the top recommendations will be to mandate adoption of IPv6 and DNSSEC in government, with an eye toward later efforts to motivate implementation of those technologies in private industry. Other recommendations will be made to limit how companies that manage identities can use private information, as well as to overhaul liability of identity and authentication providers -- which Kahn said has been holding back the development of interoperable identity schemes.

The strategy will also include the creation of pilots, programs, and even new government offices intended to spur the adoption of "strong, interoperable" authentication schemes, which, Kahn said, should help catalyze the development and use of technologies like using smartphones to conduct transactions or enter secured buildings.

Mike Mestrovich, president of the Federation of Identity and Cross-Credentialing Systems, which worked with the Department of Defense to develop a federated trust model for the DoD and defense contractors, said that he's yet to have had any engagement with the White House on its strategy, but has a meeting planned with cybersecurity coordinator Howard Schmidt for next week.

"It's one thing to espouse a policy, but it's another to get everyone to adopt it," Mestrovich said in an interview. The central challenges of any successful effort, he said, will be to ensure engagement with the right stakeholders and to work hard to cut through difficult cultural barriers.

Of course, one of the key other challenges will be to adequately address privacy and civil liberties to gain the public's trust. Though Khan didn't stress the point today, the White House did note those concerns at a conference on identity last July.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.