What is not surprising about the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is the role the National Institute of Standards and Technology will take on.
NIST’s responsibilities will be familiar – one of facilitator.
But what is surprising about the new strategy is that with the thousands of comments the White House received about the draft issued last June, the biggest change was in who would lead this effort.
The administration made it clear in the final document that it’s asking the private sector to lead the way in securing online identities in cyberspace.
“This is an area where a public and private partnership can help address real problems and allow for future economic growth by enabling more industry and government to move services online,” said Gene Sperling, the White House’s National Economic Council director, Friday at an event in Washington to release the NSTIC at the U.S. Chamber of Commerce.
Sperling said the goal of NSTIC is to provide a privacy credential that works across different public and private service providers to make it easier to authenticate a person’s identity for transactions.
“The problem is passwords are broken because they don’t offer adequate security, no one can remember all of them, and no one knows if you are a dog on the Internet,” said an administration official during a phone briefing with reporters Friday before the White House event. “The goal of the government is to facilitate growth of a marketplace, where the consumer can go to a provider and have a choice to buy a strong credential. It could be something on a cell phone or a smart card or a USB drive or even a one-time password generator. This would be entirely optional and a voluntary system. Choice is the key.”
While the private sector must provide the credentials, technology and systems to authenticate to, the government will help develop, build and implement what administration officials are calling a comprehensive identity ecosystem framework. The administration will use this framework to work with industry, privacy, security and other experts to formulate policy, governance and standards for cybersecurity.
White House Cyber Security Coordinator Howard Schmidt said NIST will hold several workshops in the coming months around the country to bring people together to begin the conversation.
NIST already has planned three workshops to discuss governance, privacy and technology standards issues.
The high priority actions for NIST will focus on implementing the plan as well as expanding government services, pilots and policies. NIST will pay special attention to security plans in the areas of health care, communication information technology and energy.
NIST also will develop pilots in the Defense Industrial Base and financial sectors.
The bureau asked for almost $25 million in the 2012 budget request, about $17.5 million of which will pay for programs using trusted identity technology in the areas of government services, e-commerce, and health IT. The pilot programs are scheduled to be in place in 2012 but the entire strategy could take three to five years to really come together, said another administration official during the briefing with reporters.
The NSTIC also identifies the benefits the government will receive from collaboration with the private sector. The administration states that security will be improved and efficiency of serving the people better also will increase.
“One of the things we wanted to do at DHS was to integrate the work on cybersecurity with the overall effort to help build the safe, secure, resilient place where the American way of life can thrive,” said Jane Holl Lute, deputy secretary of the Homeland Security Department. “We see cybersecurity as an important aspect of a safe and secure homeland.”
Lute said the NSTIC is the cornerstone of the broad adoption of voluntary, interoperable, privacy enhancing authentication.
Lute also said that since the NSTIC targets the private sector, results will come more speedily and provide effective and efficient solutions.
“This is the totally right way of thinking about how government can help lay a foundation for economic growth,” said Sperling. “Where the government brings together this type of standards where they bring together and create something, you create a platform of confidence that no individual company could create for itself.”