Over the past decade, there have been handbooks, bridges and memos, but never an official strategy to make identity management ubiquitous and interoperable across the government and the private sector.
The Defense Department’s Common Access Card morphed into Homeland Security Presidential Directive-12 under the Bush administration, but it still mainly is used only by federal employees, and is barely used as anything more than a fancy flash pass to get in and out of buildings. The Federal Bridge, run by the General Services Administration, brought in some private sector partners, but it never really took off like some expected.
So now, the Obama administration is trying its hand at promoting identity management. Officials believe a new comprehensive strategy for secure online transactions would do what others fell short in the past.
“The ability to conduct transactions is key to everything we are doing, whether it’s a transaction with the government moving from a 90 percent to 95 percent of people filing taxes online,” says Howard Schmidt, the White House Cyber Coordinator, yesterday during his speech at the Symantec Government Symposium 2010 in Washington. “The ability to interact with the government in a very secure manner, where privacy and civil liberties are protected and you can only do that with some of the things you look at from an identity management perspective.”
To that end, Schmidt says the White House Friday will release the draft National Strategy for Trusted Identity in Cyberspace (N-STIC) for public comment.
Schmidt’s office, along with the Homeland Security Department and others, has been leading the development of the strategy. The project manager, Ely Kahn, a detailee from DHS, will be leaving on Friday, Schmidt says.
“This strategy, while it’s still in draft form, is a response one of the requirements laid out in the Cyberspace that basically called for us to develop a cybersecurity focused identity management vision,” he says. “We’ve talked about it for a long time. We’ve not really had a comprehensive national strategy. We are talking about improving our ability to work and identity and authenticate the organizations, the individuals and underlying infrastructure.”
Schmidt says the draft document will detail goals and objectives around laws, policies and programs to improve the security of online identities. Schmidt says this could be for online banking or making purchases online, or something even as simple as sending a secure e-mail.
“When you look at the various identification processes to allow me to feel more confident in how I’m interacting with organizations, individuals or computers, I want to make sure the computer on the other end is also confident that it’s me who is interacting with them,” he says. “That is one of the problems we have. Not only do we have to worry about who we are interacting with, but particularly those we are doing business with…that those computer systems have to trust that it’s really us.”
Schmidt says the increase of spear fishing attacks and denial of service incidents with botnets makes this more necessary and more challenging.
The strategy will call for systems to be secure and resilient, tested to withstand attacks, interoperable and federated, and maybe most important, cost effective and easy to use.
“We need to make sure if I come to a kiosk that has a USB port that I can plug it into, that I can use my identity there, or I can use a smart card reader or I can use my mobile device,” he says. “We’ve talked for a long-time about two-factor authentication being subject to man-in-the-middle attacks, compromised systems and everything else, as we develop this let’s take those things into consideration.”
Schmidt says to get there the government will need help from the private sector, especially to design how the identity management system will work throughout the public and private sectors.
“The strategy cannot exist in isolation,” he says.
Schmidt says the White House is setting up a comment system for the private sector using Web 2.0 tools.
“What we want to make sure we do after this process and we move this document over to the President’s review, and the President will have the final decision on what the strategy will say, we want to make sure we have every viewpoint possible in pulling this together,” he says.
Along with the draft strategy, the White House will provide industry with a copy of the implementation plan for comment, says an administration source. The plan will not be released publicly, but some of its concepts will be included in the draft strategy.
Schmidt expects to send the final strategy to the White House for approval by the fall. He didn’t say when the President would sign off on the document.