The Obama Administration is throwing its weight behind two federal efforts to increase the use of so-called “trusted identities” online as a way to combat consumer fraud and threats to critical infrastructure.
Writing on the White House blog on Monday, Michael Daniel, the Obama Administration’s cyber security coordinator, said that the current system for managing online identities (user IDs and passwords) is “hopelessly broken,” and that the stakes are getting ever higher for breaches. “While today it might be a social media website, tomorrow it could be your bank, health services providers, or even public utilities,” he wrote.
Daniel said two federal initiatives aim to tip the scales in the direction of stronger and more secure online identities, but that more public engagement is needed to ensure that what is produced by those projects gets adopted.
Specifically, Daniel highlighted two NIST-led efforts. The first is the National Strategy for Trusted Identities in Cyberspace (NSTIC), a private-public effort to improve online privacy and the security of Internet transactions. That initiative has inspired a cross-industry working group, the Identity Ecosystem Steering Group, which includes around 200 nonprofit and for-profit firms and government agencies working to develop a private identity marketplace comprising offerings from a wide range of identity providers and credentials.
The other piece is NIST’s effort to develop standards for securing critical infrastructure. A draft of the Institute’s first swing at a Cybersecurity Framework was released in October, and the 45-day comment period is due to expire on Thursday.
Daniel said that public feedback is needed on both plans to “ensure that the Cybersecurity Framework takes full advantage of the trusted identity solutions marketplace.”
A spate of high-profile data breaches and the theft of user names and passwords for tens of millions of Americans have prompted hand-wringing both in the federal government and the private sector. Last week, the security firm Trustwave reported the discovery of millions of stolen credentials from prominent web sites including Facebook, Twitter, Yahoo and others.
Damaging as they are to the companies affected, such thefts have a second life that can be even more damaging, given the high rate of password reuse between sites.