1. NSTIC
Update: What has been happening since the June 25th, 2010 announcement
Convener: Jay Unger
National Strategy for Trusted Identities in Cyberspace
Action: What should the Internet Identity Community do to contribute / get ready?
2. Internet Identity Workshop #11 - Mountain, CA, November 2-4, 2010
NSTIC – Update & Action
What is NSTIC?
National Strategy for Trusted Identities in Cyberspace
● Blog post and link to draft document on White House blog on June 25th, 2010
http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace
● by Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President
● Document still available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
● Public comments were accepted at http://www.nstic.ideascale.com from June 25th to January 19th 2010
No new comments are being accepted, but existing comments can still be viewed.
3. The NSTIC Document
● Document Summary
36 Pages
Written primarily by a contractor (Deloitte) with input from various government agencies and some information technology organizations and business.
High-level document – mostly vision, examples, and goals and objectives.
Very little technical detail or technology specifics.
No specific implementation plan or schedule.
Fairly repetitive. Not very well written or presented.
Examples are generally poor.
● Document Spirit
Does recognize the need for a general identity mechanism on the internet.
– To support and enhance both public and private interaction between citizens and government, businesses, organizations etc.
– To reduce risks associated with identity theft and fraud for all citizens.
– Recognizes the need to work with both the information industry and citizens.
– Views government leadership as
4. The NSTIC Document
● Reading between the lines
Talks about present problems and limitations
– “… the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications …”
– “Over 10 million Americans are … victims of identity theft each year.”
– “… victims of identity theft can spend up to 130 hours reconstructing their identities (e.g., credit rating, bank accounts, reputation, etc.) following an identity crime.”
– “The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.”
Discusses a vision of a “user centric identity ecosystem”
– “The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust one another through proper identification and authentication.”
– “… a world where individuals can seamlessly access information and services online from a variety of sources …”
– “… and without the need to manage many accounts and passwords.”
– “… eliminate redundant processes associated with collecting, managing, authenticating, authorizing, and validating identity data …”
5. The NSTIC Document
● Reading between the lines
Reference to well established concepts:
– Identity Provider – “… responsible for the processes associated with enrolling a subject, and establishing and maintaining the digital identity associated with an individual …”
– User Centric – “… allow individuals to select the interoperable credential appropriate for the transaction.”
– Relying Party – “… makes transaction decisions based upon its receipt, validation, and acceptance of a subject’s authenticated credentials (sic) and attributes.”
– Attributes – “Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.”
– Anonymity / Pseudonym – “An individual has the choice to … authenticate to a transaction anonymously or a pseudonym without uniquely identifying himself.”
6. The NSTIC Process
“The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation.”
Goals
– Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
– Enhance confidence and willingness to participate in the Identity Ecosystem
– Ensure the long-term success of the Identity Ecosystem
Actions
– Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
– Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
– Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
– Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
– Coordinate the Development and Refinement of Risk Models and Interoperability Standards
7. NSTIC Feedback after June 25th, 2010
● IdeaScale Comments
Comment period was very short (6/25-7/19).
Over 500 comments were posted and voted on.
Many “knee-jerk” comments from the fringes.
– “Hands off my Internet”, “No National ID”, “Government Power Grab”, etc.
Most frequent (non knee-jerk) comment:
– Extend Public Comment Opportunity
Several thoughtful and technically insightful comments and threads
– Various authentication methods, process for public engagement, leadership agency, how government should participate, existing standards etc.
No public follow-up response, communication or announcements.
● Press Coverage
Lots of trade press coverage - Mostly favorable.
Some general press coverage - Neutral.
8. NSTIC Feedback after June 25th, 2010 (continued)
● Open Letter to Howard Schmidt at the White House on July 16th, 2010
From: Center for Democracy in Technology (CDT), Electronic Frontier Foundation (EFF), Liberty Coalition
http://www.cdt.org/files/pdfs/20100716_nstic_extend_ltr.pdf
Requesting:
– “… that the public comment period be extended for at least 30 days to facilitate more robust public discussion … that subsequent public comment periods on this topic extend for at least 90 days”
– “… clarification on the agency's proposed timeline and process”
– “… an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.”
Results:
– No extension of public comment period (IdeaScale was closed to new posts on 7/19/2010)
– CDT has had at least two follow-up meetings with the cyber-security staff at the White House between mid-July and the present.
– CDT has had the opportunity to review and comment on new document drafts being developed including an implementation plan and schedule.
– CDT has been informed that work is ongoing, internal agency reviews are being conducted, and no announcements are expected before the beginning of next year