Dept. of Commerce Unveils the National Strategy for Trusted Identities in Cyberspace

ID THREATPOST:470215347ABA40BB82525E9D71A8EE10
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:08:54


The U.S. Chamber of Commerce held a press conference this morning to unveil details surrounding a National Strategy for Trusted Identities in Cyberspace, or NSTIC as they are calling it.

While the press conference was somewhat vague in terms of specifics, the initiative appears to be designed to build a voluntary transactional ecosystem of trust between businesses and individuals online, or, more generally between anyone or thing attempting to transmit money, goods, or ideas online.

The government is spearheading the movement only in thought and initial direction, and they expect the private sector to really lead the charge here.

Commerce Secretary Gary Lock claimed the need for the initiative is driven by the fact that nearly $10 trillion dollars worth of online commerce takes place every year, not to mention that some 8.1 million people suffered collective losses of roughly $37 billion in 2010. From this there comes a need to ensure that internet security features keep up with the different kinds of transactions people are involved in.

On that note, a recent FBI study quoted on the NSTIC website stated, “identity theft has emerged as a dominant and pervasive financial crime that exposes individuals and businesses to significant losses and undermines the credibility and operation of the entire U.S. financial system.”

The NSTIC website also goes into some detail about the benefits of the program. For one, they claim much of the identity theft problem around the world stems from sloppy password management. This initiative strives to improve upon the current password system by creating an “Identity Ecosystem,” or a marketplace of sorts where the consumer can choose between a number of different, and at time over-lapping online identity providers (Facebook was mentioned as a possible provider in the press conference).

The website uses Jane Smith as an example. Jane, a fictional student, could get a digital credential from both her university and her cell phone provider. There would be no need for multiple usernames or passwords, her cell phone or her computer, in this case validated by her cell phone provider and school respectively, would act as her credentials to log into email, online banking, and social media among other services. They claim such a system would make online transactions faster, safer, private and voluntary.

Another fringe benefit so to speak would be giving public schools the authority to validate the ages and online identities of their students so as to effectively enforce specific parental restrictions and website age regulations. You can read a number of other examples, with hypothetical names included, by following this link.

NSTIC is also concerned with creating data accountability, forcing businesses to adhere to their own privacy policies, or at least making them accountable if they do not by allowing data and information flows to be traced.Department of Homeland Deputy Security Secretary Jane Lute boiled the entire issue of online security down to two key areas of importance, securing our information and our identities. She wants industry to build the tools, saying NSTIC is designed to allow the market to move at its own pace. The goal here, she emphasized, is to enable trust, not centralize control.

Members of the panel tried to bring relief to a common concern, one which ended up being validated during the question and answer section, saying the goal is not to do away with Web anonymity between Internet users, but to build an ecosystem of trust between users and their service providers. The panel admitted that NSTIC as it is does a poor job of addressing the issue of real ID vs. Web ID, levels of association or the relation of devices to actual people, but they were confident that such issues will be resolved as the initiatie moves forward.