IIW-11 NSTIC Update

NSTIC Update: What has been happening since The June 25 th 2010 Announcement Convener: Jay Unger National Strategy for Trusted Identities in Cyberspace Action: What should the Internet Identity Community do to contribute / get ready?

NSTIC – Update & Action
What is NSTIC ?
National Strategy for Trusted Identities in Cyberspace
Blog post and link to draft document on White House blog on June 25 th 2010 http://www.whitehouse.gov/blog/2010/06/25/ national-strategy-trusted-identities-cyberspace
by Howard Schmidt Cybersecurity Coordinator and Special Assistant to the President
Document still available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
Public comments were accepted at http://www.nstic.ideascale.com
From June 25 th to January 19 th 2010
No new comment are being accepted but existing comments can still be viewed

NSTIC Update & Action
The NSTIC Document
Document Summary
36 Pages
Written primarily by a contractor (Deloitte) with input from various government agencies and some information technology organizations and business.
High-level document – mostly vision, examples, and goals and objectives.
Very little technical detail or technology specifics.
No specific implementation plan or schedule.
Fairly repetitive. Not very well written or presented.
Examples are generally poor.
Document Spirit
Does recognize the need for a general identity mechanism on the internet.
To support and enhance both public and private interaction between citizens and government, businesses, organizations etc.
To reduce risks associated with identity theft and fraud for all citizens.
Recognizes the need to work with both the information industry and citizens.
Views government leadership as

The NSTIC Document
Reading between the lines
Talks about present problems and limitations
“ … the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications …”
“ Over 10 million Americans are … victims of identity theft each year.”
“… victims of identity theft can spend up to 130 hours reconstructing their identities (e.g., credit rating, bank accounts, reputation, etc.) following an identity crime.”
“ The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.”
Discusses a vision of a “user centric identity ecosystem”
“ The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust one another through proper identification and authentication.”
“… a world where individuals can seamlessly access information and services online from a variety of sources …”
“… and without the need to manage many accounts and passwords.”
“ … eliminate redundant processes associated with collecting, managing, authenticating, authorizing, and validating identity data … “

The NSTIC Document
Reading between the lines
Reference to well established concepts:
Identity Provider - “ … responsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual … “
User Centric – “ … allow individuals to select the interoperable credential appropriate for the transaction.”
Relying Party – “ … makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials (sic) and attributes.
Attributes – “Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.
Anonymity / Pseudonym – “An individual has the choice to … authenticate to a transaction anonymously or a pseudonym without uniquely identifying himself.”

The NSTIC Process
“ The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation.”
Goals
Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
Enhance confidence and willingness to participate in the Identity Ecosystem
Ensure the long-term success of the Identity Ecosystem
Actions
Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
Coordinate the Development and Refinement of Risk Models and Interoperability Standards

NSTIC Feedback after June 25 th 2010
IdeaScale Comments
Comment period was very short (6/25-7/19).
Over 500 comments were posted and voted on.
Many “knee-jerk” comments from the fringes.
“ Hands off my Internet”, “No National ID”, “Government Power Grab”, etc.
Most frequent (non knee-jerk) comment:
Extend Public Comment Opportunity
Several thoughtful and technically insightful comments and threads
Various authentication methods, process for public engagement, leadership agency, how government should participate, existing standards etc.
No public follow-up response, communication or Announcements
Press Coverage
Lots of trade press coverage - Mostly favorable.
Some general press coverage - Neutral.

NSTIC Feedback after June 25 th 2010 (continued)
Open Letter to Howard Schmidt at the White House on July 16 th 2010
From: Center for Democracy in Technology (CDT), Electronic Frontier Foundation (EFF), Liberty Coalition http://www.cdt.org/files/pdfs/20100716_nstic_extend_ltr.pdf
Requesting:
“… that the public comment period be extended for at least 30 days to facilitate more robust public discussion … that subsequent public comment periods on this topic extend for at least 90 days”
“… clarification on the agency's proposed timeline and process”
“… an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.”
Results:
No extension of public comment period (IdeaScale was closed to new posts on 7/19/2010)
CDT has had at least two follow-up meetings with the cyber-security staff at the White House between mid-July and the present.
CDT has had the opportunity to review and comment on new document drafts being developed including an implementation plan and schedule.
CDT has been informed that work is ongoing, internal agency reviews are being conducted, and no announcements are expected before the beginning of next year

IIW-11 NSTIC Update

by JayUnger on Nov 13, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

IIW-11 NSTIC Update — Presentation Transcript