National Strategy for Trusted Identities in Cyberspace
Identity in Cyberspace: Improving Trust and Driving Business via Public-Private Partnerships
Christopher Currens
Deputy, National Strategy for Trusted Identities in Cyberspace (NSTIC)
National Institute of Standards and Technology (NIST)
NIST: Bird’s eye view
Courtesy HDR Architecture, Inc./Steve Hall © Hedrich Blessing
G. Wheeler
The United States’ national measurement laboratory, NIST is where Nobel Prize-winning science meets real-world engineering.
With an extremely broad research portfolio, world-class facilities, national networks, and an international reach, NIST works to support industry innovation – our central mission.
NIST’s Mission
© R. Rathe
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST: Basic Stats and Facts
FY 2012 Appropriations: $750.8 M
• Labs: 567
• ITS: 128.4
• CRF: 55.4
© R. Rathe
Major assets
• ~ 3,000 employees
• ~ 2,800 associates and facilities users
• ~ 1,600 field staff in partner organizations (Manufacturing Extension Partnership)
• Two locations: Gaithersburg, Md., and Boulder, Colo.
• Four external collaborative institutes: basic physics, biotech, quantum, and marine science
Imagine if…
Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.
• Interoperable with your login system (you don’t have to issue credentials)
• Multi-factor authentication (no more password management)
• Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
• With baked-in rules to limit liability and protect privacy
What would this mean…
For Security and Loss Prevention?
• 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords
• The number of Americans impacted by data breaches rose 67% from 2010 to 2011
• Weak identity systems fuel online fraud, make it impossible to know who is a “dog on the Internet”
For Reducing Friction in Online Commerce?
• Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
• Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions
Trust matters to online business
• $2 Trillion: The total projected online retail sales across the G20 nations in 2016
• $2.5 Trillion: What this number can grow to if consumers believe the Internet is more worthy of their trust
• $1.5 Trillion: What this number will fall to if Trust is eroded
Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.
An “Identity Ecosystem”
The foundation of enhanced online trust, reduced fraud and better customer experiences.
A voluntary, public-private partnership is forming to create it – but voluntary models don’t succeed unless people volunteer
January 1, 2016
The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime.
• Apply for mortgage online with e-signature
• Trustworthy critical service delivery
• Security ‘built-into’ system to reduce user error
• Privately post location to her friends
• Secure Sign-On to state website
• Online shopping with minimal sharing of PII
The government is here to help…seriously
What is NSTIC?
Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.”
Guiding Principles
• Privacy-Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost-Effective and Easy To Use
NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”
The Problem Today
Usernames and passwords are broken
• Most people have 25 different passwords, or use the same one over and over
• Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom”
• Rising costs of identity theft
– 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion
– 67% increase in # of Americans impacted by data breaches in 2011 (Source: Javelin Strategy & Research)
• A common vector of attack
– Sony PlayStation, Zappos, Lulzsec, Infragard among dozens of 2011-12 breaches tied to passwords.
The Problem Today
Source: 2012 Data Breach Investigations Report, Verizon and USSS
2011: 5 of the top 6 attack vectors are tied to passwords
2010: 4 of the top 10
The Problem Today
Identities are difficult to verify over the internet
• Numerous government services still must be conducted in person or by mail, leading to continually rising costs for state, local and federal governments
• Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals
• Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks
New Yorker, July 5, 1993; New Yorker, September 12, 2005; Rob Cottingham, June 23, 2007
The Problem Today
Privacy remains a challenge
• Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction
– This data is often stored, creating “honey pots” of information for cybercriminals to pursue
• Individuals have few practical means to control use of their information
Privacy: Increasingly Complex as Volumes of Personal Data Grow
Source: World Economic Forum, “Rethinking Personal Data: Strengthening Trust,” May 2012
Trusted Identities provide a foundation
TRUSTED IDENTITIES
Economic benefits
• Enable new types of transactions online
• Reduce costs for sensitive transactions
• Improve customer experiences
Improved privacy standards
• Offer citizens more control over when and how data is revealed
• Share minimal amount of information
Enhanced security
• Fight cybercrime and identity theft
• Increased consumer confidence
We've proven that Trusted Identities matter
DoD Led the Way
• DoD network intrusions fell 46% after it banned passwords for log-on and instead mandated use of the CAC with PKI.
But Barriers Exist
• High assurance credentials come with higher costs and burdens
• They’ve been impractical for many organizations, and most single-use applications.
• Metcalfe’s Law applies – but there are barriers (standards, liability, usability) today that the market has struggled to overcome.
What does NSTIC call for?
Private sector will lead the effort
• Not a government-run identity program
• Private sector is in the best position to drive technologies and solutions…
• …and ensure the Identity Ecosystem offers improved online trust and better customer experiences

• Help develop a private-sector led governance model
• Facilitate and lead development of interoperable standards
• Provide clarity on national policy and legal framework around liability and privacy
• Fund pilots to stimulate the marketplace
• Act as an early adopter to stimulate demand
How is NSTIC different?
• We’re in a different time.
• Needed technologies are more mature.
• Realization that government working alone is not in the best position to define business models.
• Window of opportunity
o Companies and industry organizations say we need something better.
o The White House provides a thoughtful strategy that emphasizes ownership by the private sector.
o Our role is to convene and help address existing barriers.
Our Implementation Strategy
We don’t want to boil the ocean.
Let’s go surfing where the waves are…
NSTIC
Next Steps....updates
Convene the Private Sector
• Awarded a 2-year grant to fund a privately-led Steering Group to convene stakeholders and craft standards and policies to create an Identity Ecosystem Framework
• Held first meeting of the Identity Ecosystem Steering Group
Select Pilots
• FFO published in early 2012 for $9-10M NSTIC pilots grant program
• Awards expected by mid-September 2012
• Challenge-based approach focused on addressing barriers the marketplace has not yet overcome
Government as an early adopter to stimulate demand
• Ensure government-wide alignment with the Federal Identity, Credential, and Access Management (FICAM) Roadmap
• New White House initiated effort to create a Federal Cloud Credential Exchange (FCCX)
The Secretariat: Trusted Federal Systems
• On July 12, NIST announced Trusted Federal Systems or TFS as the awardee of a two-year grant to convene the private sector-led Identity Ecosystem Steering Group (IESG) and serve as the group’s administrative arm as it tackles the wide range of policy and technical challenges associated with crafting an Identity Ecosystem Framework.
• Additionally, TFS will facilitate collaboration among multiple stakeholders to help drive the creation of consensus standards and best practices that can advance national priorities.
• Learn more about the Identity Ecosystem Steering Group, including how you can participate: http://www.idecosystem.org/ (next meeting in Washington, D.C. on October 29-30, 2012)
It Now Exists!
Source: Phil Wolff, http://www.flickr.com/photos/philwolff/7789263898/in/photostream
Identity Ecosystem Steering Group
The Identity Ecosystem Steering Group
Highlights of Initial IDESG Meeting (August 15-16)
• Nearly 400 participants; more than 800 signed up for future participation. Over 300 different companies and organizations. Representatives from UK, Australia, EU, NZ, Canada, Japan.
• Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Brett McDowell/PayPal); Elected 16 delegates to Management Council
• Approved draft charter and bylaws for a 90-day provisional period; established a tiger team to perfect them.
• Stood up working groups and/or committees on topics including:
o Standards
o Policy
o Privacy
o Usability
o Security
o Accreditation
o Health Care
o Financial Sector
o International Coordination
NSTIC National Program Office (NPO)
• Most of the work will be done in the IDESG standing committees/working groups.
• Now that private-sector leadership has been elected, NPO is just one of many stakeholders.
• NPO will look to encourage and facilitate progress in the private sector.
• NPO will still play a large role with the NSTIC pilot program
o In mid-September, the office will announce the winners for the first round of NSTIC pilot grants
o The federal funding opportunity NIST issued in February received 186 applications, which were whittled down to 27 finalists.
NSTIC Pilot Projects
• Great response
o 186 abbreviated proposals received
o 27 finalists selected to submit full proposals
• NIST will soon announce approx. $10M in grant awards
• Awardees will pilot solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information
• Pilots advance NSTIC vision that individuals adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation
• The pilots seek to catalyze a new marketplace, spanning multiple sectors, and demonstrate new solutions, models or frameworks that do not exist today
NSTIC Pilot Projects
• American Association of Motor Vehicle Administrators (AAMVA) (Va.)
o Partner with the Virginia Department of Motor Vehicles to allow state residents to access online services
• Criterion Systems (Va.)
o Allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience
• Daon, Inc. (Va.)
o Employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability
• Resilient Network Systems, Inc. (Calif.)
o Demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network
• University Corporation for Advanced Internet Development (Va.)
o Partner with multiple universities to develop a consistent and robust privacy infrastructure and to encourage the use of multifactor authentication and other technologies
What Your Firms Can Do
Participate
• TALK: about the value of NSTIC to leaders in your firm
• SUPPORT: NSTIC Pilots by volunteering to be a relying party
• JOIN: the Identity Ecosystem Steering Group…next meeting in Washington, D.C. on October 29-30, 2012 (www.idecosystem.org)
Be early adopters
• Leverage trusted identities to move more services online
• Consider ways to support identity and credentialing in partnership with trusted third parties
Give us your ideas!
• You are a key partner, we want to hear from you
Questions?
Christopher [email protected]/nstic
Identity Ecosystem Steering [email protected]