Who Are We Online, and How Do Others Know That? The National Strategy for Trusted Identities in Cyberspace
A majority of the country, and virtually the entire Federal Government, now uses the Internet to do business, learn about programs, shop, talk to friends, and engage in a host of other activities. Some 2 billion people around the world engage in online commerce that will soon exceed $10 trillion; individuals place their information and trust in the many large and small businesses that provide services over the web. In order to operate online, both the sender and the recipient have to be able to trust what the other is doing.
In the physical world, a shopkeeper can trust a customer to make a sale without knowing their name, while an airline needs to know a lot about a traveler in order to sell that person a ticket. How we translate these relationships to the virtual world is still evolving, but much confusion has arisen about using the Internet over the past 20 years due to the complexity of how we identify ourselves online. For example, we use passwords for many websites that are often easy for a hacker to guess, or we give more information than is necessary to do simple things electronically (like access a website for information).
Until now, Federal policy has primarily focused on how citizens and businesses interact with government programs and agencies online. But an average citizen or small business operates in the commercial world most of the time. Government-led solutions don’t translate to how people function day to day. Government policy is best when it leverages and supports activities of the broad cross-section of Americans for whom the public sector is a small part of the set of activities they engage in.
This is the stage that the Obama Administration entered when embarking on a plan to help the Nation conduct business online across government and the private sector. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is that plan, and it was released to much fanfare on Friday, April 15 at the US Chamber of Commerce. One participant in the NSTIC program with the National Institute for Standards and Technology (NIST) at the US Department of Commerce observed that Friday was “like Woodstock” for the Identity industry.
What’s in the NSTIC?
The promise of NSTIC goes far beyond a single industry. The Strategy is based on the premise that the private sector, which operates most of the internet activities that we all interact with every day, must lead in establishing a secure and reliable path for everyone to operate securely – based on a set of principles articulated by the Government following private sector consultation. These principles hold that the technology and processes that support identifying people and computers online must be:
- privacy-enhancing and voluntary
- secure, and resilient in recovering if there is a security problem
- interoperable across many government and industry applications
- cost-effective and easy to use.
Implemented across the broad range of online activities, these common-sense principles promise to make the virtual world safer and more understandable – key to supporting greater efficiency and effectiveness for consumers and businesses. Imagine the reduced burden and increased ease if, instead of having to remember multiple passwords and having to give up lots of information for each one, businesses and governments agreed to a set of standards that built trust, so that individuals could provide information online once and only revalidate a subset of data about themselves for a particular transaction.
The Strategy refers to this collection of businesses and governments, as well as the individuals who access their applications, as an “Identity Ecosystem,” in which all players have an individual stake in the successful operation of the whole. Interestingly, the Administration has also promoted the ecosystem metaphor for cybersecurity activities across government and industry. The metaphor is apt in its understanding that no one player – including the Federal Government – can create a path for success in a complex, global online commons. At the same time, only Government can define what the commons entails and how we should operate within its boundaries – which the NSTIC sets out to do, through continued industry collaboration.
Implications for Government Managers and Stakeholders
For two decades, Federal identity policy has been a “conversation among believers” – a technical discussion of how to develop Federal approaches by and for agencies. I’ve participated in many of these discussions over the years, at OMB and in the private sector, where I chair the Federal Information Security and Privacy Advisory Board. The NSTIC shows the Federal community that, in order to maximize value for citizens and businesses who contact agencies online, Government-unique solutions must give way to interoperable and secure paths based on common standards; the Government-unique approach creates additional burdens and greater cost.
Federal employees and contractors are also citizens. The NSTIC tells all of us in the Federal community that when we put programs online, we should do so in a way that mirrors how citizens function online, and that works with the private sector to ensure that online identities are based on voluntary standards that promote safety, security, and ease of use. As the Nation’s standards body, NIST is well-suited to lead this government-industry collaborative effort.