IIW-11 NSTIC Update


IIW-11 Session Presentation
November 2-4, 2010

Published in: Technology

  1. NSTIC Update: What has been happening since The June 25th 2010 Announcement
     Convener: Jay Unger
     National Strategy for Trusted Identities in Cyberspace
     Action: What should the Internet Identity Community do to contribute / get ready?
  2. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
     NSTIC – Update & Action
     What is NSTIC? National Strategy for Trusted Identities in Cyberspace
     ● Blog post and link to draft document on White House blog on June 25th 2010: http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
     ● by Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President
     ● Document still available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
     ● Public comments were accepted at http://www.nstic.ideascale.com
        ○ From June 25th to January 19th 2010
        ○ No new comments are being accepted, but existing comments can still be viewed
  3. The NSTIC Document
     ● Document Summary
        ○ 36 Pages
        ○ Written primarily by a contractor (Deloitte) with input from various government agencies and some information technology organizations and business.
        ○ High-level document – mostly vision, examples, and goals and objectives.
        ○ Very little technical detail or technology specifics.
        ○ No specific implementation plan or schedule.
        ○ Fairly repetitive. Not very well written or presented.
        ○ Examples are generally poor.
     ● Document Spirit
        ○ Does recognize the need for a general identity mechanism on the internet.
           – To support and enhance both public and private interaction between citizens and government, businesses, organizations etc.
           – To reduce risks associated with identity theft and fraud for all citizens.
           – Recognizes the need to work with both the information industry and citizens.
           – Views government leadership as
  4. The NSTIC Document
     ● Reading between the lines
        ○ Talks about present problems and limitations
           – “… the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications …”
           – “Over 10 million Americans are … victims of identity theft each year.”
           – “… victims of identity theft can spend up to 130 hours reconstructing their identities (e.g., credit rating, bank accounts, reputation, etc.) following an identity crime.”
           – “The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.”
        ○ Discusses a vision of a “user centric identity ecosystem”
           – “The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust one another through proper identification and authentication.”
           – “… a world where individuals can seamlessly access information and services online from a variety of sources …”
           – “… and without the need to manage many accounts and passwords.”
           – “… eliminate redundant processes associated with collecting, managing, authenticating, authorizing, and validating identity data …”
  5. The NSTIC Document
     ● Reading between the lines
        ○ Reference to well established concepts:
           – Identity Provider – “… responsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual …”
           – User Centric – “… allow individuals to select the interoperable credential appropriate for the transaction.”
           – Relying Party – “… makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials (sic) and attributes.”
           – Attributes – “Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.”
           – Anonymity / Pseudonym – “An individual has the choice to … authenticate to a transaction anonymously or a pseudonym without uniquely identifying himself.”
  6. The NSTIC Process
     “The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation.”
        ○ Goals
           – Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
           – Enhance confidence and willingness to participate in the Identity Ecosystem
           – Ensure the long-term success of the Identity Ecosystem
        ○ Actions
           – Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
           – Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
           – Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
           – Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
           – Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  7. NSTIC Feedback after June 25th 2010
     ● IdeaScale Comments
        ○ Comment period was very short (6/25-7/19).
        ○ Over 500 comments were posted and voted on.
        ○ Many “knee-jerk” comments from the fringes.
           – “Hands off my Internet”, “No National ID”, “Government Power Grab”, etc.
        ○ Most frequent (non knee-jerk) comment:
           – Extend Public Comment Opportunity
        ○ Several thoughtful and technically insightful comments and threads
           – Various authentication methods, process for public engagement, leadership agency, how government should participate, existing standards etc.
        ○ No public follow-up response, communication or Announcements
     ● Press Coverage
        ○ Lots of trade press coverage - Mostly favorable.
        ○ Some general press coverage - Neutral.
  8. NSTIC Feedback after June 25th 2010 (continued)
     ● Open Letter to Howard Schmidt at the White House on July 16th 2010
        ○ From: Center for Democracy in Technology (CDT), Electronic Frontier Foundation (EFF), Liberty Coalition
          http://www.cdt.org/files/pdfs/20100716_nstic_extend_ltr.pdf
        ○ Requesting:
           – “… that the public comment period be extended for at least 30 days to facilitate more robust public discussion … that subsequent public comment periods on this topic extend for at least 90 days”
           – “… clarification on the agency's proposed timeline and process”
           – “… an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.”
        ○ Results:
           – No extension of public comment period (IdeaScale was closed to new posts on 7/19/2010)
           – CDT has had at least two follow-up meetings with the cyber-security staff at the White House between mid-July and the present.
           – CDT has had the opportunity to review and comment on new document drafts being developed including an implementation plan and schedule.
           – CDT has been informed that work is ongoing, internal agency reviews are being conducted, and no announcements are expected before the beginning of next year