
White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity

Devil's in the details for Obama administration's draft plan for eliminating passwords and advancing authentication, security experts say

The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.

The White House won't issue a controversial national identity card for online authentication, however, according to the new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper, which is open for public comment and input until July 19.

Schmidt said the identity ecosystem or framework would be user-centric: "That means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so," Schmidt blogged.

The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.

"This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy," the NSTIC said. "Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified."

The concept of a federated identity system is nothing new, however. There's the Open Group's Identity Management Forum standards for identity management and federation; OpenID, which is backed by Microsoft, IBM, VeriSign, Google, Yahoo, Facebook, and PayPal, for instance; as well as Microsoft's U-Prove software, which deploys minimal-disclosure tokens that let a user specify exactly which information he will disclose to each website he visits, eliminating privacy risks associated with unnecessary disclosure of personal information. Microsoft also has been talking up its vision of an "end to end trust" model on the Internet.
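The minimal-disclosure idea behind U-Prove, where the user reveals only the attributes a site needs, can be illustrated with a much simpler construction. The following is an added example, not Microsoft's U-Prove protocol nor any code from the NSTIC draft: each attribute is hidden behind a salted hash commitment, the issuer signs the list of commitments, and the holder reveals only the chosen attributes together with their salts. Names such as `issue_credential`, `present` and `verify_presentation`, the constructed attribute set, and the use of an HMAC as a stand-in for the issuer's digital signature are all assumptions of this example.

```python
"""
Selective-disclosure credential demo (added example; a simplified analogue of
minimal-disclosure tokens, NOT the U-Prove protocol).

Roles:
  issuer   - commits to every attribute with a random salt and signs the
             commitment list (HMAC stands in for a real digital signature,
             so here the verifier shares the issuer key; a deployment would
             use an asymmetric signature instead).
  holder   - sends the signed commitment list plus ONLY the attributes and
             salts the relying party asked for.
  verifier - checks the issuer signature over all commitments, then checks
             that each disclosed value re-hashes to its commitment.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data for the demo (not real keys or identities).
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"
SAMPLE_ATTRIBUTES = {
    "name": "Alice Example",
    "over_21": "true",
    "state": "VA",
    "ssn": "000-00-0000",   # sensitive attribute that should never leak
}


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted hash binding attribute name and value; canonical JSON avoids
    ambiguity between, e.g., ("ab","c") and ("a","bc")."""
    encoded = json.dumps([name, value, salt.hex()]).encode()
    return hashlib.sha256(encoded).hexdigest()


def sign_commitments(issuer_key: bytes, commitments: dict) -> str:
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def issue_credential(issuer_key: bytes, attributes: dict) -> dict:
    """Issuer side: one fresh salt per attribute, commitments, and a signature
    over the commitment list only (the plaintext values are never signed)."""
    salts = {k: secrets.token_bytes(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    return {
        "commitments": commitments,
        "signature": sign_commitments(issuer_key, commitments),
        "attributes": dict(attributes),   # kept by the holder only
        "salts": salts,                   # kept by the holder only
    }


def present(credential: dict, disclose: list) -> dict:
    """Holder side: build a presentation that reveals only `disclose`."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {
            k: (credential["attributes"][k], credential["salts"][k].hex())
            for k in disclose
        },
    }


def verify_presentation(issuer_key: bytes, presentation: dict, required: list):
    """Relying-party side. Returns (ok, disclosed_values_or_reason)."""
    expected = sign_commitments(issuer_key, presentation["commitments"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        return False, "issuer signature does not cover these commitments"
    disclosed = presentation["disclosed"]
    for k in required:
        if k not in disclosed:
            return False, f"required attribute not disclosed: {k}"
    for k, (value, salt_hex) in disclosed.items():
        if k not in presentation["commitments"]:
            return False, f"attribute not in signed credential: {k}"
        if commit(k, value, bytes.fromhex(salt_hex)) != presentation["commitments"][k]:
            return False, f"disclosed value does not match commitment: {k}"
    return True, {k: v for k, (v, _) in disclosed.items()}


def demo() -> dict:
    """Age check that learns nothing but over_21; also shows tampering fails."""
    cred = issue_credential(ISSUER_KEY, SAMPLE_ATTRIBUTES)
    honest = present(cred, ["over_21"])
    ok, seen = verify_presentation(ISSUER_KEY, honest, ["over_21"])
    tampered = present(cred, ["over_21"])
    tampered["disclosed"]["over_21"] = ("false", tampered["disclosed"]["over_21"][1])
    bad_ok, _ = verify_presentation(ISSUER_KEY, tampered, ["over_21"])
    return {"honest_ok": ok, "seen": seen, "tampered_ok": bad_ok}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check before building on this pattern: the verifier never sees the hidden attributes but does see the same commitment list on every presentation, so the commitments act as a correlating identifier across relying parties (schemes such as U-Prove add blinding to prevent that linkage), and an HMAC shared with verifiers lets any verifier mint credentials, which is why a real issuer signs with a private key.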

"There's no shortage of technology for federated identity systems," says Avivah Litan, vice president and distinguished analyst at Gartner.

Most implementations of trusted and federated identity to date have been all about so-called "low-assurance" authentication, such as using your OpenID credentials for both your Yahoo mail and Gmail accounts. The National Institutes of Health is offering OpenID for low-risk apps, such as accessing its library, Litan notes. "It does give you some convenience," she says, but an impostor gaining access to one of these apps wouldn't be catastrophic.

But the Holy Grail of trusted online authentication -- a so-called "high-assurance" authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Litan, adding that the U.S. may never get systems that vouch that an online user is who he or she claims to be. "They may not want to assume the liability and pay you if they are wrong," she says.

Meanwhile, The Open Group, which ultimately could play a role in the national framework initiative, welcomed the administration's identity management framework initiative, and is in the process of reviewing the draft's details. "The Open Group's membership has long looked at the issue of identity management and trusted authentication, and applauds this effort to establish a framework where both the private sector and government can collaborate to help define a trusted identity scheme that can be used by everyone," says Dave Lounsbury, vice president of collaboration services at The Open Group. "We're currently doing a more thorough review of the strategy document and encouraging our members to do the same. We will define a possible role for The Open Group to help advance the framework based on feedback from our members."

Microsoft said the administration's strategy is good news for online security and trust. Paul Nicholas, director of global security strategy and diplomacy for Microsoft's Trustworthy Computing group, called the paper "an important step" for improving online identity and trust. "[The draft] ... represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction," Nicholas said in a statement.

"Government and industry must continue to work together on this initiative, as well as on advancing standards and formats both nationally and globally to enable a robust identity ecosystem. As part of its End to End Trust vision, Microsoft has long supported the development of a claims-based identity metasystem that allows for interoperability, privacy, minimal disclosure and higher levels of trust for online transactions. We look forward to continuing to collaborate with the government, privacy advocates and other industry members on this important issue."

The new draft National Strategy for Trusted Identities in Cyberspace (NSTIC), which will be final later this fall, is available at this website set up by the U.S. Department of Homeland Security.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
