Has a friend ever called you to say, “Hey, unless you are genuinely trying to sell me property in the Dominican Republic, your email is hacked”? Or received a call from your bank asking if you truly meant to donate $7,000 to some pasty kid in Ohio claiming to be a Nigerian prince? Internet security is broken, and we need to roll up our cyber-sleeves and fix it. That’s why the U.S. Chamber of Commerce announced this new proposal on April 15, designed to fight the steady increase in online crime. Entitled the National Strategy for Trusted Identities in Cyberspace, or NSTIC, it outlines the beginnings of an “identity ecosystem” to be created jointly by the private and public sector to spur more innovative and effective online authentication methods. Even if you’re not as immediately and easily swayed by snazzy, futuristic phrases like “identity ecosystem” as I am (and oh, how I am) there are still lots of other reasons to support increased Internet security.
And what exactly is an “identity ecosystem,” you might ask. The concept at this stage is a little nebulous, but it basically refers to an online environment that’s fundamentally different than the one we have now. Instead of an anonymous free-for-all, an identity ecosystem would allow people to use and prove their identities thanks to solid authoritative sources. That ecosystem, by necessity, would support a whole mess of security options that allow consumers to choose how to better protect their online identities. NSTIC is calling these security options “trusted credentials,” which is an umbrella term for any devices or methods considered to be more secure than passwords. Yes, it’s incredibly ambiguous, but give them a break: The bulk of the technology that might qualify as a trusted credential is still in development.
This is not a new idea – in fact, inventor/philosopher/Force Majeure Ted Nelson’s work with Project Xanadu, which he founded in 1960, predicted this problem decades before the Googlian Empire. The first rule of Project Xanadu? Every server is uniquely and securely identified. A little further down the list is a similar rule: Every user is uniquely and securely identified. Nelson even foresaw the problem of compensating people for their intellectual property online; with a unique ID, a micropayment could be debited from a user’s account every time they read an article or viewed an image on a webpage. Voila! Dramatic Chipmunk would be rich! But that idea fell out of favor as Xanadu’s sorta-competitor, the World Wide Web, achieved dominance.
Trusted credentials are needed to make up for the failings of passwords, which are not considered nearly secure enough to protect the sensitive information we’d like to start accessing online. “What’s wrong with passwords?” you might ask. Lots of things!
Passwords? More Like Past-words!
Passwords are awesome if you’re a child founding a secret club in your tree house. They’re becoming pretty useless everywhere else, however. Well, a) no offense, but as this New York Times article on popular passwords points out, yours might not be as sneaky as you think, and b) with the rise of phishing and keystroke logging, smart hackers don’t even have to guess anymore–they’re tricking you into spilling your Internet beans. Ari Schwartz, Senior Internet Policy Advisor at the NIST’s Information Technology Laboratory, thinks they have been outdated as an online security standard for several years. “This is actually the third attempt the federal government has made [to introduce a policy] in the last 10 years,” he says. “But this time there’s more support from the private sector,” referring to a public letter dated February 17th, 2011 signed by the advocacy groups Business Software Alliance, the Information Technology Industry Council, and TechAmerica, urging Congress to support NSTIC. So apparently, writing letters to Congress actually works sometimes!
Anyway, the envisioned “identity ecosystem” will provide Americans with a number of different options for “trusted credentials” that will step up the protection of their online identities without sacrificing their privacy. Microsoft, eTrade and PayPal, amongst several other major corporations, have already expressed their support and are working on contributing technology to the strategy.
‘What is a trusted credential?’ you may be asking. An example is the RSA SecurID, a token manufactured by the security division of the gargantuan information infrastructure producer EMC. It’s a small piece of hardware that provides numeric passwords from a unique key at set intervals, usually either every 30 or 60 seconds. That’s matched up with the code generated by the same unique key, which resides in RSA’s servers. Users have to enter the code that’s displayed on their little SecurID dongles at that very second. If used in conjunction with a password, the token is a major obstacle for hackers–many corporations rely on SecurID, which is why the company freaked out so thoroughly after a very rare hack exposed its clients to attack. Google has also jumped on this bandwagon, announcing in February 2011 that interested Gmail customers can enable an extra layer of security for their accounts. This tactic is called “two-factor authentication,” and can be used with tokens, smart cards, cell phones and digital certificates, amongst other emerging platforms.
Schwartz is a major proponent of two-stage authentication, hoping that NSTIC’s embracing of security features like it will “spur innovation, not interrupt it.” By moving past the ineffectiveness of passwords to something more secure, NSTIC could allow folks to perform tasks usually seen as too potentially risky to be done online, including storing healthcare records and tax records. He uses the advent of the Internet itself as an analog for this effort towards cyber security: after all, the Internet was originally a federal tool handed off to the private sector where it flourished into the cornucopia of kitten videos it is today.
Privacy Will Be Enhanced, Not Eroded
Listen, I get it: Americans love freedom. Americans often have a knee jerk reaction to plans like NSTIC because they think it might erode their personal liberty.
That’s not the case here. Commerce Secretary Gary Locke has repeatedly stated that the participation in NSTIC’s strategy will be voluntary and that private companies are taking the lead, not the government. Yes, there has been a great deal of backlash anyway, with critics claiming it is an overreach of federal power and comparing NSTIC to the Chinese national internet ID system. That’s just not true. It’s like comparing apple pie to Mandarin oranges.
You need more assurance? Jeremy Grant, Senior Executive Advisor for Identity Management at NSTIC, counters these rumors, explaining that “Many other countries have chosen to rely on national ID cards. We don’t think that’s a good model. Having a single issuer of identities creates unacceptable privacy and civil liberties issues.” Schwartz elaborated on Grant’s statement by explaining that the role of the government in this initiative is limited to convening private companies to discuss practical answers, supporting their research, and making sure they abide by the Fair Information Practice Principles. The government will play no role beyond these considerations.
All About the Benjamins
I hope thus far we’ve made it clear that as cyber crimes become more and more prevalent, online security reform is essential in and of itself. But there will be another bonus: money! NSTIC’s plan has the potential to save the nation a lot of it. For example, President Obama has long supported an entirely digital health care system. In January 2009, he stated that computerizing medical records would “cut waste, eliminate red tape, and reduce the need to repeat expensive medical tests […] It won’t just save billions of dollars and thousands of jobs — it will save lives by reducing the deadly but preventable medical errors that pervade our health care system.” Indeed, Dr. David Brailer, who served as President Bush’s health information czar from 2004-2006, estimates that a digital record system could save the health care industry as much as $300 billion per year. That’s a thousand dollars per American citizen! How are you going to spend yours?
Well, not so fast–if the U.S. goes ahead with mass digitization of records, especially when it comes to sensitive material such as medical information, there has to be an extremely secure authentication infrastructure already in place. Otherwise, everyone is going to know that you were patient one of the zombie apocalypse. That’s yet another advantage a comprehensive protective policy will provide in the coming years.
Voluntary Versus Mandatory Systems
While many believe NSTIC overreaches federal boundaries, some think it doesn’t go far enough. Cyber security expert Stephen Spoonamore has long advocated a mandatory computer licensing system not unlike that of the automobile industry. “When the automobile was introduced in 1890, anyone could buy one and just drive it away. It was only after car-crashes had finally shocked everyone into submission [30 years later] that people were required to learn the basic rules of the road before using a car. All of this is directly parallel with the computer. Introduced in the late 80s, it has taken 30 years to understand you are driving a dangerous machine that can hurt people, and systems.”
Spoonamore considers the NSTIC strategy to be a “non-starter” because it is voluntary. He thinks it’s a mistake to shy away from national ID systems, which are used in Germany, Belgium, China and several other countries. “Computer crime inside of Germany and China is miniscule compared to U.S.,” he explains. “I worked on some of the fraud detection systems in Germany [and it’s much] easier to find credit card thieves, child porn hucksters, etc., than in the U.S..” While he doesn’t support the Chinese model because of its privacy infringements, he sees more resemblance between the current American system and China’s than he does between the U.S. and Germany. “Law enforcement in Germany has rules and needs probable cause to look at what you are doing. In the U.S. and China, the government can spy on anyone, at anytime via computer and never tell you. And they do.”
That’s why Spoonamore advocates a solely federal system, requiring registration fees, an IP address linked inexorably to the computer’s owner (it’s currently legal to blank an IP address, which makes you all but anonymous–madness!) and courses developed to obtain different classes of licenses. “The computer is a vehicle (or weapon) which takes you places, allows you to do things, and if it’s misused, can hurt people. Same as any other vehicle or weapon.”
The Internet is wonderful, and yes, America, so is freedom. But we are in the middle of a giant information revolution. With unparalleled ability to create new industries and culture came unparalleled opportunity to exploit one another. Sort of a Spider-Man “great power, great responsibility” dilemma. Online criminals are shooting us like phish in a barrel. Ultimately, the question is not whether or not the government should take steps to increase online security, it’s how far should they go in the effort to protect citizens from cyber-criminals.