Identity Management Improving, but Public Needs to Buy In
Momentum is building toward identity management solutions, but it will be at least four years before they really become prominent for the general public, said panelists at a TechAmerica briefing Tuesday. One of the first things that might be done is to stop talking about “identity management,” which rubs Americans the wrong way, and start talking about “authentication,” said Bruce McConnell, cybersecurity counselor to the Department of Homeland Security’s National Protection & Programs Directorate deputy under secretary. Selling “identity management” won’t work, said Guy Copeland, vice president of CSC. Instead, there should be emphasis that having strong identity protects citizens and allows them to ensure their personal health data, financial data and other information are protected from prying eyes, he said. There also need to be identifiable metrics, McConnell said, so decisions can be made based on fact rather than on today’s hodgepodge of anecdote, myth and lore.
Any successful digital authentication system will need to be voluntary, McConnell said. That doesn’t mean some privileges wouldn’t be denied based on refusal to participate, he said. Digital authentication systems must also be easy to use, able to support the multiple roles that people fill in their lives, adhere to the fair information practices and provide for anonymity, he said.
Ease of use is important, Copeland said. There’s a pilot program in Georgia for credentialing workers who respond to disaster scenes to restore power or communications and need to get past federal, state and local law enforcement. The program is showing that if people don’t use the credentialing system every day, they forget how to use it, new people come on board who aren’t told of the system, and system use becomes clumsy, he said. Instead, he noted, a system should be used every day so the only difference during an emergency is physical location and rate of use.
But no one seems to want to get out front with an identity management system, the panelists said. Copeland said there’s pent-up demand among large businesses, particularly online retailers, for identity vetting. Companies don’t want to do it themselves because they don’t want the liability if they're wrong, he said; nor do they want to contract the responsibility to small companies, which don’t have the resources to withstand the liability. Copeland said many companies want the government to be the trusted vetter. But McConnell said he doesn’t see how privacy and government vetting would co-exist. Instead, he said, it could be that states become vetters, as most people are accustomed to being vetted by their state government, or that a quasi-governmental agency like the post office could take on the role. The OpenID and Information Card pilot undertaken by some agencies is a glass half full-half empty situation, said Randy Sabett of Sonnenschein Nath. It’s introducing the concept of authentication to the general public, but the authentication provided is at the most basic level, he said.
Audience member Mike Nelson, a visiting professor at Georgetown University, asked whether there was a strategy for including state and local governments or incentivizing them to implement vetting. After all, he said, most people interact with their local governments far more than they interact with the federal government. But no one wants to be first, McConnell said, and especially in this fiscal environment state and local governments are hard-pressed to move forward. It seems that everyone was waiting for the killer app for a while, but it no longer appears that app is going to materialize, he said.
In addition to involving state and local governments, the U.S. must get involved in international discussions, panelists said. The U.S. doesn’t have enough representation in international talks, Copeland said. The entire life cycle of identity management must be considered, said Sonya Smith, deputy, Information Assurance & Critical Infrastructure Protection Team in the Department of the Navy Chief Information Office.