National Strategy for Trusted Identities in Cyberspace

Identity in Cyberspace: Improving Trust and Driving Business via Public-Private Partnerships

Christopher Currens
Deputy, National Strategy for Trusted Identities in Cyberspace (NSTIC)
National Institute of Standards and Technology (NIST)



NIST: Bird’s eye view

Courtesy HDR Architecture, Inc./Steve Hall © Hedrich Blessing

G. Wheeler

The United States’ national measurement laboratory, NIST is where Nobel Prize-winning science meets real-world engineering.

With an extremely broad research portfolio, world-class facilities, national networks, and an international reach, NIST works to support industry innovation – our central mission.


NIST’s Mission


To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.


NIST: Basic Stats and Facts

FY 2012 Appropriations: $750.8 M

Chart segments: Labs 567; ITS 128.4; CRF 55.4

Major assets

• ~3,000 employees
• ~2,800 associates and facilities users
• ~1,600 field staff in partner organizations (Manufacturing Extension Partnership)
• Two locations: Gaithersburg, Md., and Boulder, Colo.
• Four external collaborative institutes: basic physics, biotech, quantum, and marine science


Imagine if…

Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.

• Interoperable with your login system (you don’t have to issue credentials)
• Multi-factor authentication (no more password management)
• Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
• With baked-in rules to limit liability and protect privacy


What would this mean…

For Security and Loss Prevention?

• 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords
• The number of Americans impacted by data breaches rose 67% from 2010 to 2011
• Weak identity systems fuel online fraud, make it impossible to know who is a “dog on the Internet”

For Reducing Friction in Online Commerce?

• Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
• Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions


Trust matters to online business

• $2 Trillion: The total projected online retail sales across the G20 nations in 2016
• $2.5 Trillion: What this number can grow to if consumers believe the Internet is more worthy of their trust
• $1.5 Trillion: What this number will fall to if Trust is eroded

Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.


An “Identity Ecosystem”

The foundation of enhanced online trust, reduced fraud and better customer experiences.

A voluntary, public-private partnership is forming to create it – but voluntary models don’t succeed unless people volunteer


Apply for mortgage online with e-signature

Trustworthy critical service delivery

Security ‘built-into’ system to reduce user error

Privately post location to her friends

Secure Sign-On to state website

Online shopping with minimal sharing of PII

January 1, 2016

The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime.


The government is here to help…seriously


What is NSTIC?

Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.”

Guiding Principles

• Privacy-Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost-Effective and Easy To Use

NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”


The Problem Today

Usernames and passwords are broken

• Most people have 25 different passwords, or use the same one over and over
• Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom”
• Rising costs of identity theft
– 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion
– 67% increase in # of Americans impacted by data breaches in 2011
(Source: Javelin Strategy & Research)
• A common vector of attack
– Sony Playstation, Zappos, Lulzsec, Infragard among dozens of 2011-12 breaches tied to passwords.


The Problem Today

Source: 2012 Data Breach Investigations Report, Verizon and USSS

2011: 5 of the top 6 attack vectors are tied to passwords

2010: 4 of the top 10


The Problem Today

Identities are difficult to verify over the internet

• Numerous government services still must be conducted in person or by mail, leading to continual rising costs for state, local and federal governments
• Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals
• Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks

New Yorker, July 5, 1993; New Yorker, September 12, 2005; Rob Cottingham, June 23, 2007


The Problem Today

Privacy remains a challenge

• Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction
– This data is often stored, creating “honey pots” of information for cybercriminals to pursue
• Individuals have few practical means to control use of their information


Privacy: Increasingly Complex as Volumes of Personal Data Grow

Source: World Economic Forum, “Rethinking Personal Data: Strengthening Trust,” May 2012


Trusted Identities provide a foundation

TRUSTED IDENTITIES

Enhanced security

• Fight cybercrime and identity theft
• Increased consumer confidence

Improved privacy standards

• Offer citizens more control over when and how data is revealed
• Share minimal amount of information

Economic benefits

• Enable new types of transactions online
• Reduce costs for sensitive transactions
• Improve customer experiences


We've proven that Trusted Identities matter

DoD Led the Way

• DoD network intrusions fell 46% after it banned passwords for log-on and instead mandated use of the CAC with PKI.

But Barriers Exist

• High assurance credentials come with higher costs and burdens
• They’ve been impractical for many organizations, and most single-use applications.
• Metcalfe’s Law applies – but there are barriers (standards, liability, usability) today that the market has struggled to overcome.


What does NSTIC call for?

Private sector will lead the effort

• Not a government-run identity program
• Private sector is in the best position to drive technologies and solutions…
• …and ensure the Identity Ecosystem offers improved online trust and better customer experiences

• Help develop a private-sector led governance model
• Facilitate and lead development of interoperable standards
• Provide clarity on national policy and legal framework around liability and privacy
• Fund pilots to stimulate the marketplace
• Act as an early adopter to stimulate demand


How is NSTIC different?

• We’re in a different time.

• Needed technologies are more mature.

• Realization that government working alone is not in the best position to define business models.

• Window of opportunity
o Companies and industry organizations say we need something better.
o The White House provides a thoughtful strategy that emphasizes ownership by the private sector.
o Our role is to convene and help address existing barriers.


Our Implementation Strategy


We don’t want to boil the ocean.


Let’s go surfing where the waves are…

NSTIC


Next Steps....updates

Convene the Private Sector

• Awarded a 2-year grant to fund a privately-led Steering Group to convene stakeholders and craft standards and policies to create an Identity Ecosystem Framework

• Held first meeting of the Identity Ecosystem Steering Group

Select Pilots

• FFO published in early 2012 for $9-10M NSTIC pilots grant program
• Awards expected by mid-September 2012
• Challenge-based approach focused on addressing barriers the marketplace has not yet overcome

Government as an early adopter to stimulate demand

• Ensure government-wide alignment with the Federal Identity, Credential, and Access Management (FICAM) Roadmap
• New White House initiated effort to create a Federal Cloud Credential Exchange (FCCX)


The Secretariat: Trusted Federal Systems

• On July 12, NIST announced Trusted Federal Systems or TFS as the awardee of a two-year grant to convene the private sector-led Identity Ecosystem Steering Group (IESG) and serve as the group’s administrative arm as it tackles the wide range of policy and technical challenges associated with crafting an Identity Ecosystem Framework.

• Additionally, TFS will facilitate collaboration among multiple stakeholders to help drive the creation of consensus standards and best practices that can advance national priorities.

• Learn more about the Identity Ecosystem Steering Group, including how you can participate: http://www.idecosystem.org/ (next meeting in Washington, D.C. on October 29-30, 2012)


It Now Exists!

Source: Phil Wolff, http://www.flickr.com/photos/philwolff/7789263898/in/photostream

Identity Ecosystem Steering Group


The Identity Ecosystem Steering Group


Highlights of Initial IDESG Meeting (August 15-16)

• Nearly 400 participants; more than 800 signed up for future participation. Over 300 different companies and organizations. Representatives from UK, Australia, EU, NZ, Canada, Japan.
• Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Brett McDowell/PayPal); Elected 16 delegates to Management Council
• Approved draft charter and bylaws for a 90-day provisional period; established a tiger team to perfect them.
• Stood up working groups and/or committees on topics including:
o Standards
o Policy
o Privacy
o Usability
o Security
o Accreditation
o Health Care
o Financial Sector
o International Coordination


NSTIC National Program Office (NPO)

• Most of the work will be done in the IDESG standing committees/working groups.
• Now that private-sector leadership has been elected, NPO is just one of many stakeholders.
• NPO will look to encourage and facilitate progress in the private sector.
• NPO will still play a large role with the NSTIC pilot program
o In mid-September, the office will announce the winners for the first round of NSTIC pilot grants
o The federal funding opportunity NIST issued in February received 186 applications, which were whittled down to 27 finalists.


NSTIC Pilot Projects

• Great response
o 186 abbreviated proposals received
o 27 finalists selected to submit full proposals
• NIST will soon announce approx. $10M in grant awards
• Awardees will pilot solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information
• Pilots advance NSTIC vision that individuals adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation
• The pilots seek to catalyze a new marketplace, spanning multiple sectors, and demonstrate new solutions, models or frameworks that do not exist today


NSTIC Pilot Projects

• American Association of Motor Vehicle Administrators (AAMVA) (Va.)
o Partner with the Virginia Department of Motor Vehicles to allow state residents to access online services
• Criterion Systems (Va.)
o Allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience
• Daon, Inc. (Va.)
o Employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability
• Resilient Network Systems, Inc. (Calif.)
o Demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network
• University Corporation for Advanced Internet Development (Va.)
o Partner with multiple universities to develop a consistent and robust privacy infrastructure and to encourage the use of multifactor authentication and other technologies


What Your Firms Can Do

Participate

• TALK: about the value of NSTIC to leaders in your firm
• SUPPORT: NSTIC Pilots by volunteering to be a relying party
• JOIN: the Identity Ecosystem Steering Group…next meeting in Washington, D.C. on October 29-30, 2012 (www.idecosystem.org)

Be early adopters

• Leverage trusted identities to move more services online
• Consider ways to support identity and credentialing in partnership with trusted third parties

Give us your ideas!

• You are a key partner, we want to hear from you


Questions?

Christopher [email protected]/nstic

Identity Ecosystem Steering [email protected]