US Cybersecurity Czar Howard Schmidt announced the release of the draft “National Strategy for Trusted Identities in Cyberspace” last Friday. With identity theft thriving it is clear that some improvement in Internet authentication needs to happen, but this plan repeats the major error in focus of the private industry efforts before it (Liberty, Passport, Open Identity Trust Framework, etc): it is attempting to build an inter-operable or federated identity “ecosystem” vs. focusing on the root cause of the problem: replacing reusable passwords.
First off, the usual privacy lobbyists who have no problem with Google having an identity system and collecting and exposing all kinds of personal information will rail against any such government plan, but this draft does address that issue pretty well, in keeping things voluntary and a joint government/private industry effort – with one major exception: the “Fair Information Practice Principles” listed in the draft has this key principle around Individual Participation:
Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII
Arrrgh – we need to move towards opt-in, not leave “to the extent practicable” loopholes!!
But my real point is that the government would be much better off focusing on the root of identity theft and cybercrime problems: reusable passwords. That doesn’t mean any form of stronger authentication is unbreakable, but it doesn’t have to be. Get rid of reusable passwords and the level of identity theft online drops to the same level as in the real world, which is what the goal should be. An “inter-operable identity ecosystem” is all about benefit to the consumers of identity, not to the people who actually own their own identities.
In the US, the IRS (national tax agency) essentially allows reusable passwords for online tax filing. Imagine if the government focused on defining standards for stronger authentication choices and required all government agencies to use such choices for all government employee access and all interaction with citizens. Get a critical mass of use of techniques beyond the lowest common denominator (reusable passwords) and interoperability will follow.
As usual, I find myself pointing back to May 1998, and Presidential Decision Directive 63, which had the right idea about what the US Government could best to in spurring improvement in Internet security:
The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors.
Category: Uncategorized Tags: