In a report on cybersecurity policy issued in May, the White House said that creating "an identity management vision that addresses privacy and civil liberties" would be an action item in the President's cybersecurity strategy. Over the long term, the government might implement an "array" of opt-in, interoperable identity management systems for the public, according to the report.
The picture hasn't become much clearer since the report was issued, as the White House continues to gather ideas. "I'm offering questions, not solutions here," Thomas Donahue, director of cyber policy for Obama's National Security Staff, told a gathering of government and cybersecurity executives at a conference on identity management in Washington. "This is just the beginning of a dialogue."
Donahue said a national strategy for identity management was critical because authentication and identity management remain gaps in the world of cybersecurity. "Whatever we do, we must control our own destiny in ID management," he said. "If we don't do it, somebody else might, and it might not gel with our Constitution, our laws."
A national policy won't come without open discussion among government, industry, and the public, Donahue said. He criticized past efforts to sell the public on national ID cards for their "scary, negative" pitches. "There has to be a benefit," he said.
Basic issues remain, including defining the roles of government and of private industry in creating a standard way to deal with digital identity, and a system architecture. Anyone who opted in to a government-led or -guided identity system would likely be able to use an authorization mode of their choice, though the technologies involved are undecided, Donahue said.
Privacy is a major concern for the Obama administration, Donahue stressed. Any system will have to allow for some level of anonymity, with room for a user to shed some anonymity in order to demonstrate trust with another person or a Web site in a digital relationship, Donahue said. Non-negotiable in any identity management plan would be a requirement of voluntary enrollment and discretionary use, he said. People would likely be able to create multiple identities for different roles, such as work and home.
Other challenges include an ID management system's ability to scale and to overcome insider attacks, what to do if someone loses or forgets their authentication mechanism, laws that differ across jurisdictions, and whether and how to store digital identities centrally or locally.