Sunday, April 17, 2011

NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE Released. Yep, it's on your router.

On Friday the administration released their authoritative document on NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE; Enhancing Online Choice, Efficiency, Security, and Privacy. We covered this a few months ago: National Strategy for Trusted Identities in Cyberspace (NSTIC) on your router?, where I wondered if they would account for Embedded Devices.

The answer to that question is yes. From the examples given they clearly intended this to be implemented at the device hardware level, using Smart Grid Meters as the example and "... a trust framework for the identification of computer network cards...mobile phone...". Clicking on the image in the Commerce Blog shows an Ice Maker in a refrigerator, in image #4! Note that it is the one in the blog index you must click, not the one in the press release; they are the same picture, but only the first one brings up the seven Flash-based images. Also take note of the comment under the press release.

Note that this NSTIC "Identity Ecosystem" system is already different than the Federal Identity, Credential, and Access Management (FICAM) Roadmap; NSTIC Objective 2.3 disagrees with me. Makes me wonder why NSTIC is not good enough for them? Let the conspiracy theories begin... Why are we being taxed to pay for both? We also get to pay more in local taxes for our schools "...school also acts as an [NSTIC] attribute provider...", nothing comes for free.

  • Secure authentication between the power company and the meter prevents criminals from deploying fraudulent meters to steal electricity
  • Trusted hardware modules ensure that the hardware and software configurations on the meter are correct.
  • The meter validates that instructions and periodic software upgrades actually come from the power company.
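As an added illustration of the first and third bullets (this is example code, not anything from the strategy document or this blog), here is a minimal model of a meter that accepts a software upgrade only if it carries a valid authentication tag from the power company and a version number newer than the one installed. It assumes a shared HMAC-SHA256 key provisioned into the meter's trusted hardware module; a real deployment would choose its own key scheme, and the key, version field layout and message formats here are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key. In a real meter this would be provisioned into the
# trusted hardware module at manufacture and never be readable by firmware.
UTILITY_KEY = b"constructed-demo-key-not-for-real-use"

HEADER = struct.Struct("!I")  # 4-byte big-endian firmware version number
TAG_LEN = 32                  # length of an HMAC-SHA256 tag


def package_update(key: bytes, version: int, image: bytes) -> bytes:
    """Power-company side: prefix the image with its version and append an
    HMAC over version + image, so neither can be altered without the key."""
    body = HEADER.pack(version) + image
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Meter:
    """Meter side: holds the provisioned key and the installed version."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.image = None

    def apply_update(self, package: bytes) -> str:
        if len(package) < HEADER.size + TAG_LEN:
            return "rejected: truncated"
        body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a forged tag must not be guessable
        # byte by byte from timing differences.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authentication tag"
        # Only after the tag is verified do we trust the version field,
        # which guards against replaying an older, authentic image.
        (version,) = HEADER.unpack_from(body)
        if version <= self.installed_version:
            return "rejected: rollback to version %d" % version
        self.image = body[HEADER.size:]
        self.installed_version = version
        return "installed version %d" % version


if __name__ == "__main__":
    meter = Meter(UTILITY_KEY, installed_version=3)
    print(meter.apply_update(package_update(UTILITY_KEY, 4, b"fw-v4")))
    print(meter.apply_update(package_update(b"other-key", 5, b"not-ours")))
    print(meter.apply_update(package_update(UTILITY_KEY, 2, b"fw-v2")))
```

The two checks are deliberately ordered: the tag is verified before any field of the package is interpreted, and the version comparison stops an attacker from re-sending a genuine but older image that the utility once signed.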

At least they seem to be promoting the use of open standards, do they mean Open Source?: "The effort to develop technical standards should use open, transparent fora and leverage existing, market-recognized guidance on assessing required authentication...".

Alas, as of now there are no real details as to what is actually being implemented, nothing more than block diagrams of high-level 'warm and fuzzy' ideas, nothing like requirements and specifications so far:

Objective 2.1:

Implement the private-sector elements of the Identity Ecosystem. The Strategy can only succeed if the private sector voluntarily implements the Identity Ecosystem and only if it makes business sense to do so. The vast majority of the Identity Ecosystem will be built by the private sector, and almost all of the Identity Ecosystem's subjects, relying parties, identity providers, attribute providers, and accreditation authorities will be in the private sector.

The private sector is already providing many services that, if they choose, could be a part of the Identity Ecosystem. We encourage these providers to participate in the development of the Identity Ecosystem Framework and the implementation of the Identity Ecosystem, to ensure that both incorporate these providers' knowledge and experience.

To support the private sector, the Federal Government will work to promote and incentivize [SIC] both innovation in the marketplace and the private sector's implementation of the Identity Ecosystem in accordance with the Identity Ecosystem Framework.

There is "NSTIC Implementation" Solicitation Number: SB1341-11-NSTIC if you want to get on the Interested Vendor List. So far no one there strikes me as representing our Embedded interests.

The following seems like more Orwellian Doublespeak to me. How do you have a trusted identity (at the network card level?) and remain anonymous?:

Identity proofing (verifying the identity of an individual) and the quality of identity source documents have a profound impact on establishing trusted digital identities, but the Strategy does not prescribe how these processes and documents need to evolve.

Lastly, the Strategy does not advocate for the establishment of a national identification card or system. Nor does the Strategy seek to circumscribe the ability of individuals to communicate anonymously or pseudonymously, which is vital to protect free speech and freedom of association. Instead, the Strategy seeks to provide to individuals and organizations the option of interoperable and higher-assurance credentials to supplement existing options, like anonymity or pseudonymity.

http://nstic.us is a joint effort of non-profits, corporations and individuals to jumpstart[SIC] a wide-open, nationwide discussion of the government's proposed "National Strategy on Trusted Identities in Cyberspace" (NSTIC) system. They have the entire strategy in HTML, complete with embedded citable links to the paragraph level. In your tweet, blog post, article, etc., use their HTML version to facilitate dialog on any facet of the strategy, and include the link to the section or paragraph you are discussing so everybody can follow along.

Also, the organization Identity Finder paints a bleak picture of what can go wrong if this system is not implemented perfectly (do we have perfect software yet?) in NSTIC's Effect on Privacy and Security:

  • New ways to covertly collect personal information, and new markets to commoditize Users' identities.
  • New, powerful credentials that will subject individuals to new risks of identity theft.
  • Identity Ecosystem Participants may not need to comply with industry baseline security or privacy protocols.
  • An enhanced Identity "Marketplace" which enables Participants to profit from the sale of human identities.
  • The Identity Ecosystem "Marketplace" would continue to be opaque to users, and may create a false sense of control, privacy, and security among Users who are unaware that their identities are subject to sale without their knowledge.
  • A User who opts out of the Ecosystem may also inadvertently lose privacy protections.
  • New, powerful NSTIC identity credentials will enable the same functionality as an Internet "Power of Attorney," without the procedural safeguards offline Powers of Attorney provide.

The official links and pronouncements follow:

Kevin S. Xu, Press Assistant, Department of Commerce Office of Public Affairs, sent out the following email on Friday, April 15th, 2011, the traditional Income Tax Day where the government takes more than fifty percent of your income; I'm Taxed Enough Already, how about you? What is the message they are trying to send by tying this date to this announcement, I wonder? Might it have to do with April 19th being the archival date for the solicitation, SB1341-11-NSTIC, which was issued in March, so fewer people can get in on the action?

PREPARED REMARKS FOR COMMERCE SECRETARY GARY LOCKE

Release of the National Strategy for Trusted Identities in Cyberspace | Washington, D.C. April 15, 2011.

[Makes me wonder prepared by whom? {Paragraph spacing is all wonky in the original email; I did not try to duplicate it here.}]

Thank you, Ann, for that kind introduction, and thanks to the U.S. Chamber of Commerce for hosting today's event.

I also want to welcome the many innovators, trade associations, companies, and consumer advocates that are represented here as we mark another important milestone on our mission to build a more secure online environment.

President Obama has made promoting innovation a centerpiece of his economic agenda - and there is perhaps no segment of the economy that has seen more innovation than IT and the Internet.

Fifteen years ago, we saw the dawn of the commercial Internet.

Flash forward to 2011.

Nowadays, the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet:

  • Consumers pay their utility bills from their smart phones;
  • People download movies, music and books online; and
  • Companies, from the smallest local store to the largest multinational corporation, order goods, pay vendors and sell to customers via the Internet.

U.S. companies have led at every stage of the Internet revolution, from:

  • Web browsing and e-commerce technology; to
  • Search and social networking.

But at critical junctures, the US government has helped enable and support private sector innovation in the Internet space:

  • In the early 1990s, the government opened the door for commercialization of the Net;
  • In the late 1990s, the government's promotion of an open and public approach to Internet policy helped ensure the Net could grow organically and that companies could innovate freely; and
  • Recently, we've promoted the rollout of broadband facilities and new wireless connections in remote parts of the country.

Today, we take another major step - this one to ensure that the Internet's security features keep up with the many different types of online transactions people now engage in.

The fact is that the "old" password and user-name combination we often use to verify people is no longer good enough. It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft.

This is why the Internet still faces something of a "trust" issue. And it will not reach its full potential - commercial or otherwise - until users and consumers feel more secure than they do today when they go online. President Obama recognized this problem long ago, which is why the administration's Cyberspace Policy Review called for the creation of an "Identity Ecosystem," where:

  • Individuals and organizations can complete online transactions with greater confidence; and
  • They can trust the identities of each other and the integrity of the systems that process those transactions.

I am proud to announce that the President has signed - and that, today, we are publishing - the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

The Strategy is the result of many months of consultation with the public, including innovators and private sector representatives like you in the audience. I'm optimistic that NSTIC will jump-start a range of private-sector initiatives to enhance the security of online transactions. This strategy will leverage the power and imagination of entrepreneurs in the private sector to find uniquely American solutions. Other countries have chosen to rely on government-led initiatives to essentially create national ID cards.

We don't think that's a good model, despite what you might have read on blogs frequented by the conspiracy theory set.

To the contrary, we expect the private sector to lead the way in fulfilling the goals of NSTIC.

Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it.

And we want to set a floor for privacy protection that is higher than what we see today, without placing a ceiling on the potential of American innovators to make additional improvements over time. Behind you are a number of firms exhibiting technologies and applications that can make a real difference in our future, and some are already out in the market today. At the end of today's event, you'll have an opportunity to see all of them, but let me take a minute to highlight two in particular.

Each year, medical researchers make discoveries that save lives and improve the well-being of those afflicted with disease.

Part of this rigorous scientific research is the review and approval of clinical trials, such as the Cancer Therapy Evaluation Program run by the National Institutes of Health.

To conduct these trials, paper signatures are needed for approvals at every turn.

This adds hundreds of dollars of cost - and more importantly, weeks of time that could be better spent getting patients into treatment more quickly. But the system has been stuck in paper as the world moves digital for a simple reason: because there has been no reliable way to verify identity online. Passwords just won't cut it here, as they are too insecure and the stakes are too high to risk fraud. The good news is that today, NIH has come together with private sector groups - including patient advocates, researchers and pharmaceutical firms - to eliminate this inefficient paper system through new identity technology that enables all sides to trust the transaction.

With trusted identities, patients can be enrolled more quickly in potentially life-saving therapy programs, saving hundreds of dollars per transaction. Trusted identities enable:

  • Trials to run faster;
  • Researchers to spend more time in the lab; and
  • A faster and cheaper way to move new therapies from the lab to treating cancer patients.

At the other end of the identity spectrum, we have the scourge of ID and data theft, with phishing schemes being among the most prevalent.

Every second, phishing emails show up in people's inboxes, asking unwitting consumers to type their username and password into a fraudulent site.

In the audience today is Kimberly Bonney, a consumer from Bethesda, Maryland, who was victimized by one of these schemes last year.

She received an e-mail that she thought was from her Internet service provider, telling her that her account was in danger of being closed. The email asked that she provide her password, which she did.

Then, her co-workers, fellow members of her church, and her landlord began receiving emails that appeared to be from her stating that she was overseas and in need of a $2,800 loan to fly back to the United States.

It was a fraudulent e-mail of course.

Kimberly had become one of the 8.1 million Americans who were victims of identity theft or fraud last year. These crimes cost us some $37 billion a year.

But companies are introducing technologies that can help us turn the tide. At least one leader in the U.S. technology sector has come up with a simple solution to stop scammers from accessing their customers' accounts with just a stolen password.

They've recently rolled out a simple tool where verification codes are sent over the mobile phone network to a user's smart-phone or wirelessly connected computer - and when they want to access their online accounts, they have this additional and incredibly simple layer of protection.

I urge you to walk around this room to see for yourself how stronger authentication technology can protect against identity theft and cybercrime.

This is a difficult challenge. We're trying to improve security, convenience and privacy all at once.

That's why it's so important that we are leveraging the power and imagination of entrepreneurs in the private sector.

And the Commerce Department - led by Jeremy Grant at NIST - is staffing up to facilitate these private sector efforts.

I'm looking forward to learning of your future successes - perhaps you can send me an email - an authenticated email - describing those successes to my new email address at the U.S. embassy in China - that is, if I'm confirmed of course. Thank you again for your support, and now let me turn it over to Jane Lute, who is the Deputy Secretary of the Department of Homeland Security.

Jane has over 30 years of military and senior executive experience, having served at the United Nations, on the National Security Council and in the United States Army. She understands how integral cyber security is to our national security, and I'd like to bring her up here to offer a few thoughts...

# # #

The Commerce Blog has other related items:

"A public-private steering group will ensure that accreditation authorities" translates, in my cynical mind, to another 'fee', the latest way to get around Taxation Without Representation, that we must pay out of our hard-earned money.

"The nine most terrifying words in the English language are, 'I'm from the government and I'm here to help.'"

Ronald Reagan, 40th President of the US (1911 - 2004)