Today's release of the US government's National Strategy for Trusted Identities in Cyberspace (NSTIC, pron. "en-stick") was little more than the rollout of a fabulous wish list for an integrated solution to the authentication problem.
Say goodbye to user names and passwords. The White House's specified finish line is a market of less cumbersome, but robustly reliable, credentialing products, developed by vendors, and bringing trust to transactions involving everything from national security and medical records to email and online purchases -- all while guaranteeing some version of individual privacy.
According to Jeremy Grant, the National Institute of Standards and Technology's alpha dog for identity management and the coordinator of NSTIC, we might cross the finishing line three to five years from now. Given the proven ability of professional cybercriminals and mischief-makers to wreck the industry's best efforts, one might think that an optimistic estimate. Especially since this morning's dog-and-pony show -- featuring a cabinet secretary, a senator, several government advisors, and representatives of Google, PayPal, and the civil liberties community -- did little but rehearse just how desperate the need for robust digital security is and how far we are from achieving it.
"A Woodstock for the identity geeks" was how Andrew Nash, Senior Director of Identity Services at PayPal, described the event. The Australian invited the audience out for a beer to discuss the matter further. "Honestly, we've been hard at work wrestling with these issues in the identity community for at least five years now," he said.
What nobody explained was how government serving as "facilitator" is likely to speed progress. Everyone knows why our online transactions, personal and commercial, need to be secure. If anyone knows how to make them secure, but not prohibitively expensive or impractical, they aren't yet saying.
What was made clear, by Grant, by US Commerce Secretary Gary Locke, and by White House Cybersecurity Coordinator Howard A. Schmidt, is that it lies with the private sector to develop the urgent technical fixes. The government is not good at innovation, they chorused -- that's what the private sector is good at. This might come as a surprise to anyone who remembers the Manhattan Project, not to mention the Defense Department origins of a little thing now called the Internet. Never mind all that! Digital identity is Google's problem now, and PayPal's problem, not to mention that of Microsoft, which co-sponsored the event.
Given that there will be gold in the development -- and, crucially, demonstration -- of a robust authentication solution, it's reasonable to assume that the behemoths of digital commerce will not be sharing product development information. Why, then, will they be sending their representatives to sit around the table with other stakeholders at a succession of NIST-directed workshops?
Andy Ozment, the White House's Director for Cybersecurity Policy, gave the most illuminating answer to that question in a conference call for media that preceded the Chamber of Commerce's stage show: Security vendors are seeking guidance on privacy and clarity on liability.
In other words, Google does not want to sink its revenue growth even further by putting millions into a multi-layered credential tool that falls foul of parallel-track privacy legislation. Nor does PayPal want to face liability for marketing a solution bearing its own "trusted identity" label if the solution breaks down in the wild. Showing up to meetings with the affable Grant seems a small price to pay for reassurance.
Not to get too historical on you, but does anyone remember the abortive Tobacco Working Group? If the government says it's a safer cigarette, then it's a safer cigarette. The private sector is ready to jump through hoops again in hopes that the government will stamp "certified" on a new identity ecosystem. Check back with me five years from now.
— Kim Davis, Community Editor, Internet Evolution