ID Management Suffers from ‘Immature Market,’ DHS Official Says
The government can’t sell businesses and consumers on identity management without explaining how it will benefit privacy and simplify the sometimes difficult process of “vetting” users’ identities and privileges, a Department of Homeland Security official said on a Digital Government Institute webcast Tuesday. Bruce McConnell, cybersecurity counselor to National Protection & Programs Directorate Deputy Undersecretary Phil Reitinger, partly blamed the lack of interoperability standards for what he called the “immature market” for ID management products and services. “Everybody can log on to Facebook” without much hassle, and that’s the direction the government is going in, he said.
The shift toward electronic health records probably will spur work on ID management, since strict security and access controls are needed before digitized records can be made available, said Guy Copeland, vice president of information infrastructure advisory programs at tech company CSC. He was on the President’s National Security Telecommunications Advisory Committee to develop recommendations for speeding the adoption of ID management technology. Defining a “socially acceptable” government role in ID management -- what access it would have to personal data and how data are handled -- will help determine the reception that a system gets, and so will outreach to privacy and civil liberties groups, he said. A system must be “economically attractive” to an organization enterprisewide and per person, but business cases for adopting ID management don’t yet exist, and neither do sales cases for retail-level users, Copeland said.
There’s no common way in government and business to establish “trust” between ID management systems, Copeland said, and competing “certificate authorities” abound. The committee recommended that President Barack Obama, with his “unique ability” to make a public case for new programs, exert leadership, he said. The committee recommended that the White House become home to a national ID management office that handles government organization, public-private programs, policy and legislative coordination, and privacy “culture.”
McConnell said “general policy outlines” for ID management are emerging. He said the tests are: (1) “Voluntary opt-in,” so the system wouldn’t be forced on users except for access to things like critical infrastructure. (2) Built-in security that “lowers the risk of compromise” rather than making systems so secure they're unusable. (3) Affordability. “We face a little bit of a chicken and egg situation” because the value of an ID management network rises with more users, but the startup costs are considerable, and existing initiatives aren’t coordinated. (4) Ease of use, as with Facebook. (5) Enhanced privacy, making users less vulnerable to ID theft and controlling what information about them is shared in a transaction. A system should be interoperable with others and should run on a distributed architecture like the Internet itself, McConnell said. It should also make it possible to track down the source of unauthorized intrusions, a capability that “reduces the noise in the system,” he said. “Today in most places we don’t have that ability.”
“The market is still fairly immature,” in that ID management systems don’t interoperate and can’t “cross-certify” each other, McConnell said. The government can act as a “convener” with businesses to develop standards. Many private collaborative solutions already exist, and effort is going into developing standards, Copeland said. But the key is developing standards that can be adopted around the world, and the U.S. has lately been active in ID management circles, specifically regarding the initial “vetting” that certifies a person’s identity and privileges, he said.
One of the biggest problems for making a public case is that ID management sounds “scary,” McConnell said. He prefers to call it “authentication,” which is “less scary sounding.” The U.S. also lacks data that would help businesses “make good investment decisions” in cybersecurity, he said: Program managers don’t know where money will be best spent, such as better firewalls or network monitoring. “Until we get those kind of metrics through data” and pilot programs to test them, “we're going to continue to have an uphill fight,” McConnell said. Copeland disagreed that “authentication” was a more helpful term, because for certain applications like those involving national security, “you can’t vet yourself.” There’s also a need for a third party to continually vet a user’s access and privileges, and separately authenticate the hardware and software, given the risk of counterfeit and vulnerable systems from abroad, Copeland said.
“We're off to a good start” with ID management but the government must bring together companies who are “trying to husband their advantages” as first movers in the market, McConnell said. The White House wants to develop a clear cybersecurity strategy so investors and developers have confidence to put time and resources into ID management systems, he said. Copeland said “big ticket items” such as digitized health record systems and the network connectivity they'll need could be the “catalyst” for an expanding market. It’s “almost a new world of automated solutions and possibilities,” he said.
“I don’t think this is a highly political area,” McConnell said, downplaying the chances of conflict between Congress and the administration. In two years there will be a clear and coherent strategy in place and “at least four times as many people” enrolled in strong authentication programs, he said. But Copeland saw another threat. An “outrageous identity theft story” could trigger “regrettable” legislation that’s focused on a particular activity and misunderstands the underlying security problems, adding constraints that “exacerbate” problems and hold back innovations in ID management, he said. Fortunately the White House has an acting director for cybersecurity as it looks for a permanent director, and that team is already working on Obama’s ten near-term action items, Copeland said. “It’s not marking time waiting for a body to come in.”