National ID management plan draft short on details
Online users and a former top IT official question how security and privacy will be addressed in the proposed strategy to verify identities online.
A draft of a national plan to manage identities on the Internet that the Obama administration released on June 25 advocates using standard credentials to prove individuals' identities online, including making sure devices and software are legitimate, but some cyber experts say the policy still leaves open security and privacy issues.
As promised, White House cybersecurity coordinator Howard Schmidt announced the release of the National Strategy for Trusted Identities in Cyberspace, which will act as a "a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities."
The proposed strategy, which the Homeland Security Department posted online for public comment, would allow individuals to choose voluntarily to obtain a "secure, interoperable and privacy-enhancing credential," such as a smart identity card, from a variety of public and private services. The credential would authenticate the user while conducting different types of online transactions, Schmidt said.
The plan does not advocate a national identification card, he noted, but rather "an ecosystem of interoperable identity service providers" that provide individuals with a choice of credentials that can be used to securely access electronic health records, conduct online banking, purchase items over the Internet, or send an e-mail, for example. Users will have more control of the private information used to authenticate themselves online, Schmidt said, and generally will not have to reveal more than is necessary to do so.
But the plan leaves unanswered some critical questions, federal information technology experts said. "The concern is the process associated [with] who is validating who," which is not clearly defined in the plan, said Karen Evans, former administrator for e-government and information technology at the Office of Management and Budget during the George W. Bush administration.
Evans said the same issue arose when the [public key infrastructure] emerged as a way to create, manage, distribute, revoke digital certificates, and when the Bush administration began implementing Homeland Security Presidential Directive 12, which established a common identification standard for federal employees and contractors to access government buildings and computers. Evans also is member of the Commission on Cybersecurity for the 44th Presidency, which the Center for Strategic and International Studies created in October 2007 to advise incoming presidents on cybersecurity issues.
Processes for validating identities must be clearly defined and effectively address privacy concerns, she said, referencing a lawsuit employees of the California Institute of Technology's Jet Propulsion Laboratory filed against NASA. They claimed background investigations required for HSPD-12 violated their constitutional right to privacy. The case is currently before the Supreme Court.
Evans agreed with public comments posted in response to the strategy that warned against centralization and reinventing the wheel. One person argued, "A single centralized identity is inherently less secure than a dozen identities, because it creates a single point of failure," and another advocated enforcing "existing open source initiatives that already are known to work, including the e-mail encryption standard [Pretty Good Privacy] and OpenID," the standard for authenticating users online.
According to the draft, the White House will designate a federal agency to lead public and private sector efforts to implement the national strategy, and expand federal services, pilots and policies that align with the plan. In addition, the organization will work with the public and private sectors to enhance privacy protections and define interoperability standards to ensure identity management solutions are compatible. The plan also will address the concerns of companies providing identity management solutions that they will be held liable if a breach occurred.
Some of the details might be provided in the final draft. "It's hard to comment on the report because there are so few details," said James Lewis, director of the technology and public policy program at CSIS. "There's a reference to PKI, to both hardware and software credentials, and to standards, but until we see the implementation document it is hard to predict how this will work. [It's] good that they are trying, but we have to wait and see."