White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity

Devil's in the details for the Obama administration's draft plan for eliminating passwords and advancing authentication, security experts say

The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.

The White House won't issue a controversial national identity card for online authentication, however, according to the new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper, which is open for public comment and input until July 19.

Schmidt said the identity ecosystem or framework would be user-centric: "That means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so," Schmidt blogged.

The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.

"This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy," the NSTIC said. "Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified."

The concept of a federated identity system is nothing new, however. There are The Open Group's Identity Management Forum standards for identity management and federation; OpenID, which is backed by Microsoft, IBM, VeriSign, Google, Yahoo, Facebook, and PayPal, for instance; and Microsoft's U-Prove software, which uses minimal-disclosure tokens that let a user choose exactly which attributes to disclose to each website visited, eliminating the privacy risk that comes with disclosing more personal information than a transaction requires. Microsoft also has been talking up its vision of an "end to end trust" model for the Internet.
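The minimal-disclosure idea behind tokens like U-Prove can be seen in a simpler form: the issuer commits to each attribute with a salted hash and signs the list of commitments, the holder reveals only the attributes a site needs, and the verifier checks the issuer's signature over the full list and recomputes the hashes of the revealed attributes. The following is an added illustration written for this article, not U-Prove code or any Microsoft implementation. It assumes a hypothetical issuer key and uses HMAC-SHA256 as a stand-in for the issuer's digital signature so it runs with only the Python standard library; a real deployment would use a public-key signature so the verifier never holds the issuer's secret, and U-Prove additionally prevents a verifier from linking separate presentations of the same token, which this hash-based scheme does not.

```python
"""Minimal-disclosure credential demo (added example; not U-Prove or product code).

Parties: issuer (signs commitments), holder (reveals a subset), verifier (checks).
ISSUER_KEY is a hypothetical shared key standing in for the issuer's private
signing key; HMAC replaces a public-key signature purely to keep this stdlib-only.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"demo-issuer-key-not-for-production"  # assumption: stand-in for issuer's private key


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _commit(name: str, value, salt: bytes) -> str:
    """Salted hash of one attribute; the salt stops a verifier from guessing
    withheld values (e.g. a yes/no flag) by hashing candidates."""
    return hashlib.sha256(salt + _canonical([name, value])).hexdigest()


def issue(attributes: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer: return (credential, disclosures).

    credential carries only the signed commitment list; disclosures maps
    attribute name -> (salt_hex, value) and stays with the holder.
    """
    disclosures = {}
    commitments = []
    for name in sorted(attributes):  # sorted so the commitment order is canonical
        salt = secrets.token_bytes(16)
        disclosures[name] = (salt.hex(), attributes[name])
        commitments.append(_commit(name, attributes[name], salt))
    payload = {"issuer": "example-issuer", "commitments": commitments}
    sig = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder: build a presentation that reveals only the named attributes."""
    missing = set(reveal) - set(disclosures)
    if missing:
        raise KeyError(f"credential has no attribute(s) {sorted(missing)}")
    return {
        "credential": credential,
        "revealed": {name: disclosures[name] for name in reveal},
    }


def verify(presentation: dict, required, issuer_key: bytes = ISSUER_KEY):
    """Verifier: return the revealed attributes if everything checks out, else None.

    Checks, in order: issuer signature over the whole commitment list, each
    revealed (salt, value) pair recomputes to a signed commitment, and every
    attribute the site requires was actually revealed.
    """
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # forged or altered credential
    commitments = set(cred["payload"]["commitments"])
    revealed = {}
    for name, (salt_hex, value) in presentation["revealed"].items():
        if _commit(name, value, bytes.fromhex(salt_hex)) not in commitments:
            return None  # holder changed a value or salt after issuance
        revealed[name] = value
    if not set(required) <= set(revealed):
        return None  # site needs an attribute the holder withheld
    return revealed


def demo() -> dict:
    """An age-gated site learns only over_18; name and home_state stay hidden."""
    cred, disc = issue({"name": "Alice Example", "over_18": True, "home_state": "VA"})
    pres = present(cred, disc, ["over_18"])
    return {"result": verify(pres, ["over_18"]), "revealed_keys": sorted(pres["revealed"])}


if __name__ == "__main__":
    print(demo())
```

The verifier sees the full list of commitments, so it can tell how many attributes the credential holds, but without the salts it learns nothing about the withheld values; tampering with a revealed value, dropping a required attribute, or altering the signed payload all cause `verify` to return `None`.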

"There's no shortage of technology for federated identity systems," says Avivah Litan, vice president and distinguished analyst at Gartner.

Most implementations of trusted and federated identity to date have been all about so-called "low-assurance" authentication, such as using your OpenID credentials for both your Yahoo mail and Gmail accounts, for instance. The National Institutes of Health offers OpenID login for low-risk applications, such as access to its library, Litan notes. "It does give you some convenience," she says, but an impostor getting into one of these applications wouldn't be catastrophic.

But the Holy Grail of trusted online authentication -- so-called "high-assurance" authentication that vouches for the identity of, say, a banking customer conducting a transaction online -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Litan, adding that the U.S. may never get systems that will assert an online user is who he or she claims to be. "They may not want to assume the liability and pay you if they are wrong," she says.

Meanwhile, The Open Group, which ultimately could play a role in the national framework, welcomed the administration's identity management initiative and is in the process of reviewing the draft's details. "The Open Group's membership has long looked at the issue of identity management and trusted authentication, and applauds this effort to establish a framework where both the private sector and government can collaborate to help define a trusted identity scheme that can be used by everyone," says Dave Lounsbury, vice president of collaboration services at The Open Group. "We're currently doing a more thorough review of the strategy document and encouraging our members to do the same. We will define a possible role for The Open Group to help advance the framework based on feedback from our members."

Microsoft said the administration's strategy is good news for online security and trust. Paul Nicholas, director of global security strategy and diplomacy for Microsoft's Trustworthy Computing group, called the paper "an important step" for improving online identity and trust. "[The draft] ... represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction," Nicholas said in a statement.

"Government and industry must continue to work together on this initiative, as well as on advancing standards and formats both nationally and globally to enable a robust identity ecosystem. As part of its End to End Trust vision, Microsoft has long supported the development of a claims-based identity metasystem that allows for interoperability, privacy, minimal disclosure and higher levels of trust for online transactions. We look forward to continuing to collaborate with the government, privacy advocates and other industry members on this important issue."

The draft National Strategy for Trusted Identities in Cyberspace (NSTIC), which is expected to be finalized later this fall, is available on a website set up by the U.S. Department of Homeland Security.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
