Wednesday, April 27, 2011

National Strategy for Trusted Identities in Cyberspace

On April 15, 2011, the Whitehouse released the National Strategy for Trusted Identities in Cyberspace (NSTIC) during a launch event that included U.S. Sec. of Commerce Gary Locke, other Administration officials, and U.S. Senator Barbara Mikulski, as well as a panel discussion with private sector, consumer advocate, and government ID management experts. 

What is it a trusted identity in Cyberspace?   This animation describes the scope of the effort.  It includes smartcards, biometrics, soft tokens, hard tokens, and certificate management applications.

NSTIC envisions a cyber world - the Identity Ecosystem - that improves upon the passwords currently used to access electronic resources. It includes a vibrant marketplace that allows people to choose among multiple identity providers - both private and public - that will issue trusted credentials proving identity. 

Why do we need it?

NSTIC provides a framework for individuals and organizations to utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation.

Shopping, banking, social networking, and accessing employee intranets result in greater opportunities for innovation and economic growth, but the online infrastructure for supporting these services has not evolved at the same pace. The National Strategy for Trusted Identities in Cyberspace addresses two central problems impeding economic growth online - 1) Passwords are inconvenient and insecure 
2) Individuals are unable to prove their true identity online for significant transactions.

Identity theft is costly, inconvenient and all-too common
*In 2010, 8.1 million U.S. adults were the victims of identity theft or fraud, with total costs of $37 billion.
*The average out-of-pocket loss of identity theft in 2008 was $631 per incident.
*Consumers reported spending an average of 59 hours recovering from a “new account” instance of ID theft.

Phishing continues to rise, with attacks becoming more sophisticated
*In 2008 and 2009, specific brands or entities were targeted by more than 286,000 phishing attacks, all attempting to replicate their site and harvest user credentials. 
*A 2009 report from Trusteer found that 45% of targets divulge their personal information when redirected to a phishing site, and that financial institutions are subjected to an average of 16 phishing attacks per week, costing them between $2.4 and $9.4 million in losses each year.5

Managing multiple passwords is expensive
*A small business of 500 employees spends approximately $110,000 per year on password management. That’s $220 per user per year.

Passwords are failing
*In December 2009, the Rockyou password breach revealed the vulnerability of passwords. Nearly 50% of users’ passwords included names, slang words, dictionary words or were extremely weak, with passwords like “123456”.

Maintenance of multiple accounts is increasing as more services move online
*One federal agency with 44,000 users discovered over 700,000 user accounts, with the average user having 16 individual accounts.

Improving identity practices makes a difference
*Implementation of strong credentials across the Department of Defense resulted in a 46% reduction in intrusions.
*Use of single sign-on technologies can reduce annual sign-in time by 50 hours/user/year.

The next step is creation of a national program office to manage the project and coordinate public-private efforts.    I look forward to a voluntary, opt in strong identity for e-commerce.   Who knows, if this effort is successful, maybe we can move forward with a voluntary, opt in strong identity for healthcare.


Alan said...

There are plenty of people that think this sort of thing is rearranging the deck chairs on the Titanic. If your computer has been compromised by something like Spyeye/Zeus your "trusted credential" doesn't "prove you are you".


Marco Deterink said...

In the Netherlands, the Government has established an Identity Provider for citizens to access governmental on-line services, called DigiD. DigiD offeres various levels of authentication, depending on the service: UserID/Passwd only or in combination with SMS. Besides municipalities and tax services, this service is also made available for use at hospitals. Currently, we at University Medical Center Utrecht are in the process of implementing DigiD for patients to access their data. To go live this summer. More info, see

Alan said...

The most sophisticated Trojans have no problem bypassing two-factor authentication (as well as anti-virus and firewall). This has been the case for some time now. They don't even need to steal your credentials; they just piggyback on your own legitimate online session.