Accessing online services securely is not a given. The U.S. government wants public and private sector cooperation to see that it is. Is that even possible?
If you shop online, chances are you will become a victim of payment-card fraud. It happened to me (again). Not long ago, a strange purchase caught my attention while reconciling my credit-card bill.
I immediately called customer service and voiced my concern. After a few minutes of checking, the representative asked (I swear I heard snickering) if I ordered a certain enhancement drug. I, of course, denied all knowledge.
Digging deeper, the customer rep determined the transaction in question took place in a different country, and within an hour of my charging for gas in Minnesota. That convinced him to drop the rather substantial charge.
I have written about how to protect oneself from credit-card fraud. And short of not buying online, I follow what experts suggest. Still, it's not enough. Something else is bothering me as well. Who covers the loss?
I found out loss coverage varies, depending on the country. In the United States, payment-card issuers do not take the hit. Merchants do, forcing them to consider credit-card fraud a cost of doing business. I'm told that's retail-speak for passing the losses on to us consumers.
Is there an answer? It seems President Obama's administration is at least trying. They are asking what it would take to have:
"Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation."
A potential answer came in the ensuing report National Strategy for Trusted Identities in Cyberspace. But first, the authors categorized what needs to be addressed:
- Service providers base their current authentication processes and requirements on individual business uses rather than a commonly understood notion of the risk associated with a transaction.
- There is an absence of a common framework to help establish trusted identities among participants in a broad, diverse landscape of online transactions.
- Existing standards do not drive sufficient interoperability across service providers.
- Concerns regarding liability for providing identity, credential, and attribute-related services have prevented development of the Identity Ecosystem.
The paper then suggests how to deal with the above issues. They recommend the National Institute of Standards and Technology (NIST) design what they call an identity ecosystem framework. The agency is the perfect choice. Their mission statement:
"To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
The resultant program is called National Strategy for Trusted Identities in Cyberspace (NSTIC):
"NSTIC is an initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure - such as routers and servers."
Next, how NSTIC would be executed needed to be determined. Exact details are still unknown, but the responsible .gov department was announced during a joint news conference by U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt:
"The Department of Commerce is planning to establish a National Program Office (NPO) to coordinate the federal activities needed to implement NSTIC. The office would be the point of contact to bring the public and private sectors together to meet this challenge."
After one gets through all the bureaucracy, it seems the NSTIC program will be a clearinghouse for ideas on how to secure online activities, gain private-sector buy-in, and implement something called an identity credential.
Mixed responses to NSTIC
The NSTIC strategy is ambitious. Realizing that, I was curious to learn what IT professionals thought about the directive. Did they see any insurmountable hurdles?
At coffee, my colleagues agreed with the concept, saying a governing body would have the horsepower to create a workable process. They quickly added that most .gov departments are not doing well on GAO audits, which casts doubt on implementation.
Mark Gibbs of Network World was blunt. He explained in the blog post NSTIC and the feds HUA problem:
"The wonks at NIST think they can do what enterprises with far more experience in hardcore IT have learned the hard way; that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizens, it would be effectively impossible!"
Privacy advocate and attorney Aaron Titus had this to say in a recent blog post:
"If done correctly, NSTIC could indeed improve privacy. If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today's Credit Reporting Agencies, all without functionally improving security."
Possible show stopper
There have been hints about the NSTIC framework using individual identity credentials. Government sources are quick to point out that this is not a national ID, but that is not remotely comforting to privacy pundits. They have two concerns:
- This will be the granddaddy of all databases, having sensitive information about millions of people. How will it be protected?
- What prevents the government from tracking online activities of the people agreeing to use the Identity Ecosystem?
At least everyone agrees that something needs to be done. Retailers are concerned: they may lose business if consumers no longer trust online transactions. Consumers want online shopping as an alternative, but need to know the process is safe.
I must admit pulling all the pieces together to where I could write about NSTIC was a bear. I can only imagine what it will take to bring the program to fruition.