Sequester hits NIST, spares active NSTIC pilots

A few weeks ago, John Fontana at Identity Matters reported NIST’s sequestration budget cuts will affect the NSTIC program management office but spare awarded NSTIC pilots.

The Commerce Department official said, “The reductions required by sequestration will adversely affect all NIST cybersecurity related efforts through cutbacks on travel, contracts, grants, and other operational expenses. NIST currently does not anticipate eliminating or reducing NSTIC pilots or programs.”

Are new (not yet awarded) pilot funds still vulnerable? Will cut travel funds mean the IESG meetings must move to the Beltway to be near the NSTIC PMO staff? Will the PMO be able to staff up as the project grows?


White Paper: What Could Kill NSTIC? A friendly threat assessment

I shouted “Death to NSTIC!” and my session filled up. This was at the Spring 2011 Internet Identity Workshop and the National Strategy for Trusted Identity in Cyberspace program office was getting its act together, meeting the identerati in Mountain View, California. We took over a room and a whiteboard and imagined what could keep NSTIC’s vision from coming true. The dozen folks in the room were diverse. We were from startups and big companies, governments and NGOs. We were tech geeks, policy wonks, and executive suits. We dredged up failures we’ve known, obvious challenges and barriers unique to the notion of an “identity ecosystem.”

Death to NSTIC!

18 months later I did it again, with a different group, at the Fall 2012 IIW. Again, a whiteboard full of threats.

"Death To NSTIC" session at IIW15

I sat down in December and correlated the two sets of findings. PDEC is putting this out as a whitepaper, full of the details. Read on Scribd or download the pdf. I have a presentation version on Slideshare or you can download the deck as a pdf too.  

Two threats stood out. First, a user experience failure could destroy user adoption, ruin trust in the ecosystem, and twist user behavior counterproductively. Second, the ecosystem’s success depends on being strong in four areas (technology, economy, policy, and culture) and in having each of those areas balance the others. An imbalance could rip the ecosystem apart. 

Something stayed constant between the two sessions: performance anxiety. Execution risk was the overarching concern. Few attempts at something this complex ever go live, let alone thrive. 

Something changed between the two sessions, however. Where the first had many outside threats, the second session focused on internal risks. Less we-may-be-tackled-by-opponents and more we-may-fumble-without-interference. [Sorry for the US football metaphor.] Speculating, it may be that people had shown up to the program, light bureaucracy was being worked out, and it had all become more real.

It’s important to get digital identity right. It affects everyone, every business, every institution.

To that end, NSTIC’s Identity Ecosystem plenary (the people and companies that make up the ecosystem) is meeting this week in Phoenix, and PDEC’s Kaliya Hamlin is there to speak for our startups as part of her “Personal Data World Tour,” taking her from Arizona to D.C., to Austria (conference), to London (seminar), to Manhattan (seminar). Starting now, Kaliya is running to represent all small businesses and entrepreneurs on the IESG’s management council; sign up to vote for her by 14 February.

What do you think could kill NSTIC? 

 

PDEC Whitepaper – What Could Kill NSTIC 2013 by evanwolf on Scribd

Could the Fiscal Cliff Kill NSTIC?


Cuts are coming to US federal government spending in the new year. Cuts will come by cleaver if a “fiscal cliff avoiding” budget is passed or with a chainsaw if Congress and the President fall over the “cliff.”

High hopes fly for an international identity system that works across industries, technologies, governments and regulatory schemes and still manages to be user-centric. In the United States this is driven by a program initiated under the National Strategy for Trusted Identity in Cyberspace through the National Institute of Standards and Technology (NIST).

Direct effects. Nobody knows if this will directly affect NIST and the NIST staff managing the NSTIC project. Could the stream of Department of Commerce funding for NSTIC innovation grants dry up, and will existing projects be halted? Will NIST’s funding for the Identity Ecosystem’s Secretariat, which coordinates and supports the work of the IE, be sustained or cut? In a trillion dollar budget, today’s spending on NSTIC is a rounding error.

Indirect effects. We don’t know how cuts in federal spending will affect the program indirectly as participating businesses and NGOs lose government contracts, experience greater risk, or enjoy new opportunities.

eGovernment as customer. Will the largest government agencies stay in the game? Constituent-facing services would be among the first implementers of these open, user-centric identity frameworks. Having huge customers as “anchor tenants” provides strong incentives for the private sector to invest and make the identity ecosystem work. Will spending cuts affecting these major clients throughout government interfere with their projects’ continuity? Will key personnel assigned to identity ecosystem governance, design, and engineering stay engaged? Stay employed?

Lots of unknowns.

And no strategy to respond to these risks from the Identity Ecosystem Steering Group. Yet.

2011 Year in Review (Part 3 of 3)

PDEC Recent News

This is Part III, a review of PDEC news and specific issues in our work. PDEC folks and companies are highlighted in bold.

Scroll below for news on these topics:

  • Forrester Research Report covers Personal Identity Management
  • Startup Circle News
  • Startup Circle Company News
  • World Economic Forum update

Forrester Research Report covers Personal Identity Management
Forrester Research released a report on Personal Identity Management. PDEC was among 14 organizations and companies interviewed for the report, including other Startup Circle members Azigo, Singly/The Locker Project, and Personal. Read the report here, or download it from Personal’s website.


2011 Year in Review (Part 2)

Part 2: The Second Half

Personal Data Ecosystem Consortium had a busy 12 months. Here we are at the end of the year, and we wanted to catch you up. This is Part 2, a recap of the second half of 2011. PDEC people and Startup Circle companies are in bold.

PDEC Events, Publications and Speaking Activities: Through November 2011


2011 Year in Review (Part 1)

Part 1: We were busy!

Personal Data Ecosystem Consortium had a busy 12 months. Here we are at the end of the year, and we wanted to catch you up. This is Part I, a recap through the first half of 2011. PDEC people and Startup Circle companies are in bold.

PDEC Events, Publications and Speaking Activities


The Identity Portability and Accountability Act of 2011

Last week, the NSTIC program office held the first of three outreach workshops. While a who’s who of the identerati (along with government and trade group representatives) discussed what kind of governance body NSTIC requires, there were a variety of productive hallway conversations. I was involved in one such conversation in which a well-respected chief security officer of a large identity company half-joked, “What we need to do is re-write HIPAA, word-replacing it to talk about identity.” Not being the blogging type, this security officer said I ought to take this idea and run with it. Here goes nothing…

The Identity Portability and Accountability Act (IPAA) of 2011

Whereas identity is foundational to all transactions (financial, informational, etc.) on the interwebs, identity is poorly defined and protected by law. The Identity Portability and Accountability Act of 2011 seeks to:

  • Describe a minimal set of attributes deemed to be identifying
  • Establish the legal standing of identity and attribute providers
  • Define minimum standards for the protection of identity information
  • Codify individuals’ rights with respect to their identity information

Whereas Congress has spent an enormous amount of time regarding portability and accountability of health information (and given that it is also almost the summer and who on earth wants to stick around DC in July and debate), this body shall simply word-replace the current contents of 45 CFR Parts 160, 162, and 164 to form IPAA. IPAA shall draw upon HIPAA’s two Rules: Security (45 CFR Part 160 and Subparts A and C of Part 164) and Privacy (45 CFR Part 160 and Subparts A and E of Part 164). The following substitutions shall be made:

HIPAA term                            IPAA term
------------------------------------  -------------------------
Health care provider                  Attribute provider
Health care clearinghouse             Identity provider
Business associate                    Relying party
Protected health information (PHI)    Identity information (II)

Whereas, after word-replacing as described above, the language within IPAA seems to still resemble English (at least as much as any bill resembles English), this body shall describe the rights and standing of identity and attribute providers…

And so on. There is some usefulness in such a ridiculous endeavor. Instead of discussing what happens when identity and identifying information is disclosed (à la a breach notification law), why not codify a minimal set of identity information and some basic rules of the road for identity and attribute providers? (If we are to have a thriving identity ecosystem as NSTIC hopes, I believe we are going to need some rule-making for identity and attribute providers, akin to credit agencies.) Using HIPAA’s Privacy and Security rules as models, Congress could establish some basic data handling rules for such information, including safe harbor for the use of data encryption and relationship context metadata (my report on this will be released shortly). Most importantly, such a law could describe what rights people have to identity information about them. Following the recent rule changes to HIPAA, one could imagine that, by law, each of us could ask our IDPs for a log of both identity data use and disclosure.

I know that the security officer who gave me the idea for this post was only half kidding. But the other half isn’t a bad idea.

It is seven weeks to Catalyst. Seven weeks to great sessions, productive hallway conversations (like the one that spawned this post), and ample opportunities to network with peers. Relevant to this post, we have:

  • Deb Gallagher, chair of the Federal Identity and Credential Access Management (FICAM) sub-committee, discussing the government’s role in identity assurance
  • Me discussing relationship context metadata and protecting privacy by using data labels

If you’ve got a half-joking, half-brilliant idea, bring it to San Diego, schedule a 1-on-1 with an analyst, and see where the discussion leads.

PDEC at IIW: An NSTIC Project Risk Analysis

At last week’s Internet Identity Workshop in Mountain View, California, I led a brainstorming session to identify risks to the success of the new National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “EN-stick”). The strategy is to encourage many non-government organizations to provide digital identity and personal data services in a way that meets the needs of individuals, identity providers (“yes, this person is who she claims to be”), attribute providers (“she is registered at our school”), and those who rely on digital identity. What could go wrong with a project like this? What can be done to avoid these threats and risks? To mitigate them when they show up? Meeting notes…

Risks

Lack of adoption. NSTIC relies on the private sector to invest and build identity infrastructure. There’s a real chance that this could happen slowly or unevenly. We’ve seen great technologies wither when they don’t reach critical mass. 

Impatience for learning curve. We learn by doing and we learn more from problems and failures. NSTIC as a whole could be unfairly discredited after some projects or products fail for technical or business reasons. 

Usability failures. Great products fail on even minor user experience defects. We know very little about what great user experience looks like for this next generation of personal data control.

Interop failures. Systems that should work together in theory may not in practice. The causes include technical philosophy, ego, fuzzy specs, culture gaps, regulatory differences, and local optimization.

Overscope. We’ve all seen protocols that work at first, become burdened as new features pile on, and lose their clarity and momentum as a result.

Phishing and Malware ($). We know that bad actors will follow the money, as they have from email to search to social media. Stakeholders could lose faith and abandon trust frameworks.

Perversion of principles ($). NSTIC lists core principles. Those principles will be eroded, if not attacked, unless monitored and defended.

Overpromising (by Tech to Policy). Silicon Valley has a tendency to tell Washington that technology offers silver bullets to huge problems.

Dystopian fear. Maybe your government really is out to get you, but dark overwhelming fears could slow or stop the project.

Waiting for winners. One strategy for risk is to wait for a handful of leaders to emerge before joining. This stifles investment, experimentation, and deep learning. The ecosystem needs pioneers and early adopters before winners can emerge.

Regulatory blocks. National and local laws and regulations may interfere with the ability of the ecosystem to grow. Privacy laws, liability, and antitrust rules could stall engineering, investment and adoption.

Uncertainty over liability. However the ecosystem works out liability, uncertainty about the resolution threatens investment.

Short attention span. This is not a weekend project. Will the ecosystem persist until it becomes mainstream?

Hype cycle. Many technologies don’t survive the hype cycle’s peak of inflated expectations or the trough of disillusionment.

Chicken vs. Egg. The system needs governance, startups, large corporate and government users, and the public to buy in. Nobody wants to jump in first.

Prevention and Mitigation Actions

Highlight small successes. We should celebrate small, incremental successes more than big-bang moments. Don’t oversell or overpromise.

Industry Marketing and PR. The ecosystem needs its own media and voice to respond to concerns, to put forth a common vision, to reach out to newbies and decision makers, to evangelize the benefits of the approach.

Share community UX experience. We could plan and pool knowledge and experiments as a community of practice. Where a Google might not be able to try different login UIs, since variation could be perceived as phishing, smaller companies can experiment and share results, leading to convergence and adoption.

Cultivate Engineering Focus. Keeping designers and engineers focused on current release cycles helps a developer community avoid feature creep and intriguing digressions.

Foster Interop Testing. Other industries develop standards for testing interop, hold interop workshops and set up backchannels for feedback. We just need a convening body to coordinate tests.

Formulate, publish and update a Clear/Graded Roadmap. Short term plans with long term visions. Plans to reach specific business and technology milestones. Long term visions for where those protocols and practices should go. Clearly communicated and widely agreed upon so the industry avoids forking, surprises, and hype.

Industry association outreach. The NSTIC strategy depends on achieving a critical mass of adoption within various communities. Many are represented by industry associations or professional organizations. Outreach services could provide education, evangelism, engagement and help with rough spots in adoption.

Recruit legacy identity authentication communities. NSTIC is not the first attempt to solve these problems. A look at NIST SP 800-63 shows existing identity and security standards have communities of their own, including tens of thousands of implementers. Outreach can smooth the way for education and adoption.

Security Council. It’s not too early to start a security conversation within the NSTIC ecosystem. At a minimum, we could start a working group to prepare for the first wave of phishing and identity theft.

Government Affairs. Governments are huge stakeholders in NSTIC. Not just US federal government agencies but US state and local governments. There is every reason to expect this program to be transnational so governments around the world are also stakeholders. They will want to understand the policy implications of the rapidly changing technologies, and the effect rules, regulations, directives and laws will have on the ecosystem. Effective communication and advocacy on behalf of the industry, especially for the many small startups and the interests of individuals who lack a voice, could keep government perspectives and actions cordial and supportive.

OIX Risk Wiki. OIX has an active security thread on its wiki.

Risk, Response, Community and PDEC

So this brings to mind three roles for PDEC, the Personal Data Ecosystem Consortium: Communicate, Convene, and Community.

Many of these responses involve marketing communication functions on behalf of the community’s stakeholders. Industry marketing and public relations, government affairs, highlighting small accomplishments, and publishing a roadmap, as listed above, are the kinds of things a consortium can do well. Speakers bureau, anyone?

Similarly, bringing people together to talk and work is another role for PDEC. We can serve some of our outreach goals by inviting people and organizations to join in projects and conversations. For example we could invite identity providers and relying parties to interop workshops. We might host security roundtables and mailing lists.

Last, today’s identity ecosystem doesn’t have a real voice for individuals, a way for people to talk about this topic. PDEC might offer community services to help people talk to each other, with the industry, and with other stakeholders.

The “Death to NSTIC!” motto, all in fun, reminds us bad things happen and preparedness is part of planning.

I want to thank the IIW folks who crowded into room E for their work, as reported here. I also want to thank the Identity Commons for creating an environment where IIW and PDEC can emerge. 

National! Identity! Cyberspace!: Why we shouldn't freak out about NSTIC.

This is cross posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt, putting the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle, with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.

I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference, the Internet Identity Workshop, held every 6 months since the fall of 2005, has for a logo the identity dog: an allusion to the famous New Yorker cartoon “On the internet, nobody knows you are a dog.” To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities' efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away "who you are"), to support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and to support mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.

Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.

The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding. In the process of doing so, it interacts with hundreds of thousands of people and does many of those interactions online. Many of those people are based at institutions of higher learning. These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions they are affiliated with. NIH does not want to have the expense of checking their credentials, verifying their accuracy, enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into its systems. In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.

The NIH also has a vast library of research and information it shares with the general public via the internet. Government sites are prohibited from using cookie technology (putting a unique number in your browser cookie store to remember who you are), and this is a challenge because cookies are part of what helps make Web 2.0 interactive experiences. So say that your mom was just diagnosed with breast cancer and you want to do a bunch of in-depth research on breast cancer treatment studies. You go to the NIH and do some research on it, but it really requires more than one sitting, so if you close your browser and come back tomorrow, they don't have a way to help you get back to the place you were.

The NIH doesn't want to use a cookie and doesn't want to know who you are. They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don't have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards, and versions of those standards that didn't link users of the same account across government websites (see my earlier post on Fast Company). They proactively DID NOT want to know who users of their library were.

One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people, to have claims about them verified: what kind of cancer do they have, where are they being treated and by whom, where do they live, etc. It wants to be able to accept claims issued by third parties about the people applying to be part of studies. It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals, etc.

These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM, which was founded in September 2008 (the Identity, Credential and Access Management Subcommittee of the Information Security & Identity Management Committee established by the Federal CIO Council). They have made great efforts to work with existing ongoing efforts, to work towards interoperability, and to adopt existing and emerging technical standards developed in established industry bodies.

Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to let each person it has an account for log in and interact with it online. We as those account holders would like to do this, since it would be more convenient for us, but we want to know that ONLY we can get access to our records, and that they won’t show our record to someone else.

So let’s think about how one might be able to solve this problem.

One option is that each agency that interacts with anywhere from thousands to millions of citizens issues its own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from an end-user perspective and very expensive for the agencies.

Another option is that the government issues one digital ID card to everyone, and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.

So how do we solve this challenge: letting citizens log in to government sites that contain sensitive personal information, whether tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and being sure that it really is the right person, via an Identity Ecosystem?

Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.

What does a private sector service provider use case look like in this ecosystem?

When we open bank accounts, banks are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. Banks know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.

The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring. All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.
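The three mechanisms these use cases lean on, accepting credentials from members of a federation (the NIH and InCommon case), giving each relying party an identifier that does not link one person across government sites, and accepting a private-sector credential only when the issuer meets the level of assurance the transaction needs, can be shown together in one relying-party check. The Python below is an added illustration written for this page, not code from NIH, InCommon, NIST or any NSTIC participant. The issuer names, keys, salts, assurance levels, account names and relying-party identifiers are all constructed, and a keyed MAC stands in for the digital signature a real federation would use on its assertions.

```python
import hashlib
import hmac
import json
import time

# Constructed trust registry for one relying party: the issuers it accepts, the key
# used to check their assertions, and the assurance level the trust framework has
# certified each issuer at. A real federation distributes signing keys through
# published metadata; a keyed MAC stands in for a digital signature here so the
# example runs with the standard library alone.
TRUST_REGISTRY = {
    "urn:example:university-idp": {"key": b"constructed-university-key", "loa": 2},
    "urn:example:bank-idp": {"key": b"constructed-bank-key", "loa": 3},
}


class IdentityProvider:
    """A credential issuer (university, bank) asserting claims to a relying party."""

    def __init__(self, issuer_id, key, pairwise_salt):
        self.issuer_id = issuer_id
        self.key = key                      # shared with relying parties via the registry
        self.pairwise_salt = pairwise_salt  # never leaves the issuer

    def pairwise_id(self, account, audience):
        # Opaque per-relying-party identifier. Mixing in the audience means two sites
        # receive different identifiers for the same account and cannot correlate
        # them without the issuer's salt: the "no linking across government
        # websites" property the post describes.
        msg = f"{account}|{audience}".encode()
        return hmac.new(self.pairwise_salt, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, account, claims, audience, now, ttl=300):
        body = {
            "iss": self.issuer_id,
            "sub": self.pairwise_id(account, audience),
            "aud": audience,      # bound to one relying party, so it cannot be replayed elsewhere
            "exp": now + ttl,
            "claims": claims,     # e.g. {"affiliation": "student"}
        }
        payload = json.dumps(body, sort_keys=True)
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}


def accept_assertion(token, audience, required_loa, now, registry=TRUST_REGISTRY):
    """Relying-party side. Returns (accepted, reason, body); no claim is trusted until
    the issuer, integrity, audience, lifetime and assurance checks all pass."""
    try:
        body = json.loads(token["payload"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed", None
    if not isinstance(body, dict):
        return False, "malformed", None
    entry = registry.get(body.get("iss"))
    if entry is None:
        return False, "issuer not in trust framework", None
    expected = hmac.new(entry["key"], token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(token.get("mac", ""))):
        return False, "bad signature", None
    if body.get("aud") != audience:
        return False, "assertion issued for a different relying party", None
    if body.get("exp", 0) <= now:
        return False, "expired", None
    if entry["loa"] < required_loa:
        return False, f"issuer assurance level {entry['loa']} below required {required_loa}", None
    return True, "ok", body


def demo():
    """Walk the NIH-grants and tax-records cases from the post with constructed data."""
    now = int(time.time())
    university = IdentityProvider("urn:example:university-idp", b"constructed-university-key",
                                  b"constructed-university-salt")
    bank = IdentityProvider("urn:example:bank-idp", b"constructed-bank-key",
                            b"constructed-bank-salt")
    results = {}
    grant = university.issue("researcher-42", {"affiliation": "faculty"}, "urn:example:nih-grants", now)
    results["university at NIH grants (LoA 2 required)"] = accept_assertion(grant, "urn:example:nih-grants", 2, now)[:2]
    # The same university credential is not enough for tax records...
    tax_u = university.issue("researcher-42", {}, "urn:example:irs", now)
    results["university at IRS (LoA 3 required)"] = accept_assertion(tax_u, "urn:example:irs", 3, now)[:2]
    # ...but a know-your-customer bank credential is.
    tax_b = bank.issue("acct-0001", {"kyc_verified": True}, "urn:example:irs", now)
    results["bank at IRS (LoA 3 required)"] = accept_assertion(tax_b, "urn:example:irs", 3, now)[:2]
    # The NIH-bound assertion replayed at the IRS is refused on audience.
    results["NIH assertion replayed at IRS"] = accept_assertion(grant, "urn:example:irs", 2, now)[:2]
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The order of checks matters: the issuer is looked up before the MAC is verified, so a forged assertion naming an unknown issuer is rejected without any key material being consulted, and the audience and lifetime are confirmed before the assurance level is compared, so a valid assertion for one agency is never accepted at another regardless of how highly its issuer is certified.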

What does a public service provider look like in this ecosystem?

The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should, in this emerging ecosystem, be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business in the private sector.

There is a wide diversity of use cases and needs to verify identity in transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words "National", "Identity" and "Cyberspace" being in the title of the strategy document and instead actually talk to the agencies to understand the real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.

I am optimistic that the forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help a diverse identity ecosystem come into being, one that reduces costs (for governments and the private sector), increases trust, and overall helps make the internet a better place.
