The National Institute of Standards and Technology has set up a website to provide the public with information relating to the U.S. federal government’s National Strategy for Trusted Identities in Cyberspace (NSTIC) program, which is aimed at protecting people’s identities online.
One of NSTIC’s goals is to ensure that people give the minimum information about themselves needed when conducting transactions online.
However, participation is voluntary, which raises questions of how effective the program will be. Further, advocacy groups have raised concerns about online security.
Tying the Fed’s Efforts Together
In addition, the government is setting up a national program office to help coordinate federal activities to implement its strategy for trusted identities online. This office will be established within the Department of Commerce.
The National Program Office was jointly announced recently by U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt at a meeting with business and academic leaders at Stanford University.
It will serve as the point of contact to bring the public and private sectors together to establish identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers.
The National Program Office will collaborate with the Department of Homeland Security, the General Services Administration and other federal departments to implement NSTIC. Its job is to build a consensus on the legal and policy frameworks needed to achieve the vision of NSTIC.
The office will also work with industry to identify where new standards or collaborative efforts may be needed, support collaboration within the federal government and promote important pilot projects.
“This is a strategy that’s introduced by the government but is going to be industry-driven,” Ben Stein, a spokesperson for NIST, told TechNewsWorld.
Funding the National Program Office may not be a problem because U.S. Senator Barbara Mikulski, who chairs the Commerce, Justice and Science subcommittee on appropriations, has pledged support for it.
Deconstructing NSTIC
NSTIC will focus on improving the ability to authenticate individuals, organizations and the underlying infrastructure, such as servers and routers, involved in sensitive online transactions.
Such sensitive transactions are “the type of transactions that would involve personally identifiable information,” NIST’s Stein said.
However, consumers can opt out, and participation in the program by service providers is voluntary.
“This is a set of multiple solutions that users and businesses can opt into,” Stein pointed out. “The two keys are cybersecurity and privacy. The idea is to ensure that only the information that’s truly needed for an online transaction is communicated.”
Whether or not the government can ensure anonymity to users who don’t want to opt in remains open to question.
“Much depends on the methods the NSTIC will use to guarantee anonymity, and such specifics are lacking in the information given in the proposals to date,” Ara Trembly, founder of The Tech Consultant, told TechNewsWorld.
Eye in the Sky
If consumers and businesses opt in, what guarantee would they have that the government won’t monitor their activities?
“Nothing’s ever guaranteed,” Chester Wisniewski, a senior security adviser at Sophos, told TechNewsWorld. “If it’s privately operated as Howard Schmidt suggests, it would require the government to compel these companies to feed it the data. It would be no worse than the situation today with the exception of being more centralized.”
This might be a better option for consumers, Wisniewski suggested. “Individuals today are spreading around their personal details on thousands of websites with little or no oversight,” he remarked.
On the other hand, perhaps fears that the U.S. government might spy on people who opt in could be justified.
“Even if the government pledges to limit what data it’ll collect, there are always rogue people within these organizations who will break the rules,” Laura DiDio, principal at ITIC, told TechNewsWorld.
Further, the restrictions on collecting data or monitoring members of the public could always be changed.
“The public would have whatever guarantee was issued by the current crop of politicians who make such pronouncements,” Trembly said. “Even if such guarantees were written into legislation, however, there is always the possibility that future politicians will see fit to change them.”
Money for Nothing?
The ability to opt out of participation raises yet another question — is Washington just throwing away money on yet another grandiose scheme? After all, if this national online identity doesn’t apply to everyone, what’s the point of spending time and money to create one?
“There’s no point, unless what people opt into is demonstrably more secure than what they use now,” Trembly said.
“This strategy has received initial public comment,” NIST’s Stein stated. “To be successful, the system must be something that’s acceptable to consumers and addresses concerns they have. This will involve a lot of discussion and consensus and thought.”
President Obama will issue the final version of NSTIC later this year, Stein said.