October 13, 2011 04:56 PM

NSTIC Lays Out a Compelling Identity Ecosystem Vision

Want a user-centric online environment that celebrates privacy, convenience, efficiency, ease of use, security, innovation, and choice?
Windows IT Pro
InstantDoc ID #140900

Update: Discussion at the recent Internet Identity Workshop (IIW) showed that the private sector is moving forward with NSTIC ideas and "is self-organizing" faster than the wheels of government can turn, especially where funding is concerned. IT in the federal government is starting to align with NSTIC regardless of funding. See this update from John Fontana for more details.

Over the past five years, our use of the web for sensitive transactions has grown dramatically. I clearly remember my early orders at Amazon, hesitating at the thought of typing my credit card information on a payment page, worrying that there'd be some technical glitch somewhere between me and the server during processing. (I still have my early-adopter Amazon Bookstore customer gift to prove it!) We've all gotten much more comfortable with e-commerce since then, of course, but there's a very sharp line between what kinds of sensitive transactions you can do online and what kinds you can't (or shouldn't). Many transactions that fall into the “shouldn’t” category are there because of the question of identity. It’s the essence of the phishing malware attack: Is this person who he says he is? This anonymity, for better or worse, was pointed out in a famous New Yorker cartoon in 1993, in which the canine protagonist sitting in front of a computer says to his companion, “On the Internet, nobody knows you’re a dog.”

If you're reading this column, you're already acutely aware of what's safe to enter and what's not safe. But you’re also in the tiny minority. According to the “2011 Identity Fraud Survey Report” by Javelin Strategy and Research, 8.1 million adults were victims of identity theft or fraud, with total costs of $37 billion. Research from Trusteer in 2010 found that phishing attacks continue to increase, and an amazing 50 percent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received.

And passwords just can’t cope with the boom. Back in 2004, an RSA working paper found that a small business of 500 employees spends about $110,000 per year on internal password management alone. That’s $220 per user per year, and it doesn’t account for the costs and risks associated with the explosion in SaaS services since then, most of which require their own user ID and password. We badly need an alternative to passwords. As Jeremy Grant, manager of the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “en-stick” by the cool kids) program office, likes to say, “We think the password is fundamentally insecure and needs to be shot.”

Jeremy doesn't just want to make it easier for us to put sensitive information on the Internet. After all, that's the same goal of the phishing messages we're bombarded with on a daily basis. No, Jeremy also wants to make it far more secure for US citizens to conduct all kinds of transactions on the Internet.

NSTIC Vision

The NSTIC program office is part of the National Institute for Standards and Technology (NIST), the people who do everything from keeping track of the fundamental constants of nature to improving diamond machine polishing techniques. NSTIC describes “a vision of the future—an Identity Ecosystem—where individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely support transactions ranging from anonymous to fully authenticated and from low to high value. Key attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease-of-use, security, confidence, innovation, and choice.”

NSTIC isn’t a national ID system like the one India is planning; in fact, it’s exactly the opposite. No, it's not a devious attempt by the federal government to discover who has assault weapons and take them away in the middle of the night. NSTIC is an acknowledgment that what's needed for secure transactions on the Internet is a common framework that both identity providers (e.g., Google, Facebook, the Department of Defense—DoD) and service providers (aka relying parties, such as ADP and Dropbox) agree to work within. Since this kind of "coopetition" can be difficult and time-consuming to achieve, the federal government wants to jumpstart and assist this process as a neutral—but stakeholder—third party. (The government is a stakeholder in this because it is itself one of the world's largest collections of identity providers.) The leaders in developing a national identity ecosystem must be in the private sector, if for no other reason than that we wouldn’t trust a government system and thus would never use it.

NSTIC’s envisioned identity ecosystem wouldn’t be run by a single identity provider. First, here in the United States, everyone would be suspicious of just one identity provider. Second, consumers want choices and are already associated with a wide variety of identity providers. Unless you’re one of the 15 consumers in the United States who has never bought anything from Amazon, logged on to Facebook, or created a webmail account, you already have an identity with a consumer identity provider. You don’t need another for a national identity ecosystem.

Instead, NSTIC’s vision is to have an online environment where identity providers (both public and private), service providers, and consumers share a set of agreed-upon technologies and standards that create a network supporting trusted IDs that can be used by all parties.

Here’s an important point: NSTIC isn’t getting into new technology. Secure technologies already exist (e.g., smart cards, digital certificates), so NSTIC is instead focused on policy and standards to ensure that everyone can interoperate with these technologies.
