What is National Strategy for Trusted Identities in Cyberspace (NSTIC)
1. What is the role of the Federal Government in developing the Identity Ecosystem?
- The role of the Federal Government is to:
  - Advocate for and protect individuals;
  - Support the private sector’s development and adoption of the Identity Ecosystem;
  - Partner with the private sector to ensure that the Identity Ecosystem is interoperable, secure, and privacy enhancing;
  - Provide and accept Identity Ecosystem services for which it is uniquely suited; and
  - Lead by example and implement the Identity Ecosystem for the services it provides internally and externally.
- For an update on the role of the Federal Government and progress made since the Strategy launched, click here.
- For regular updates on progress and initiatives, follow the NSTIC Notes blog here.
2. How is the White House involved in NSTIC?
- In leading the development of the NSTIC, the White House recognizes the value of securing cyberspace through trusted identities, including by leveraging trusted third party credentials for access to government services and working closely with agencies to streamline redundant identity management systems by leveraging a common shared platform.
- Historic Involvement:
  - In early 2009, the White House called for the Cyberspace Policy Review, a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. The review revealed the need for a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests and leverages privacy-enhancing technologies for the Nation, and it prompted the development of the NSTIC.
  - Then White House Cybersecurity Director Howard Schmidt led the development of the draft Strategy, and the White House designated the National Institute of Standards and Technology (NIST) to establish a National Program Office (NPO) to lead the implementation of the Strategy.
  - After months of discussions and input from the private sector, the Strategy was released in April 2011 during an event held at the White House. For more on this event, click here.
  - The White House hosted an event in May 2012, inviting more than sixty private sector leaders to sound the call for engagement to raise the level of trust online. For more on this event, click here.
  - The White House convened a ‘tiger team’, co-chaired by the NSTIC NPO and the General Services Administration, to develop the design requirements for a Federal Cloud Credential Exchange (FCCX). In January 2013, the United States Postal Service put out an RFP for a supplier to provide the FCCX solution, and in August 2013, SecureKey was awarded the contract to develop a solution that enables individuals to securely access online services—such as health benefits, student loan information, and retirement benefit information—at multiple federal agencies without needing a different password or other digital identification for each service.
  - Learn more about FCCX, the federal government service that demonstrates to the marketplace that the government not only supports the concept of a marketplace of accredited, privacy-enhancing, third-party-issued credentials but also uses them, here.
  - In December 2013, the White House encouraged input on the preliminary Cybersecurity Framework in a blog post by Michael Daniel, available here. The Cybersecurity Framework, like the NSTIC, will result in flexible, voluntary guidelines for industry to implement better cybersecurity practices, with the private sector offering a marketplace of tools and technologies.
3. Why is private sector participation and leadership critical to successful development of the Identity Ecosystem?
- Only the private sector has the ability to build and operate the complete Identity Ecosystem (IE) as described in the NSTIC.
- Many of the IE’s key operational roles will be facilitated by private sector organizations, with key actors such as relying parties, identity providers, attribute providers, and accreditation authorities likely to be private-sector organizations.
- Further, the Strategy can only succeed if the Identity Ecosystem is self-sustaining, which will require the development of business models for each of the service provider roles in the ecosystem.
- The development of the Identity Ecosystem Framework and the ongoing work to maintain accountability to that framework will require a true public-private partnership. The private sector has the insight into the needs of the market that is necessary to develop effective technical and policy standards for the Identity Ecosystem.
- The private sector can help ensure that the Identity Ecosystem Framework provides sustainable business models and does not pose undue burdens.
- Advocacy groups and non-profits can magnify the voices of individuals and under-represented groups, and they can work to ensure the enhancement of privacy and to otherwise support civil liberties.
4. What is the overarching goal of the NSTIC pilot projects?
- The NSTIC pilot projects seek to catalyze a marketplace of online identity solutions that ensures the envisioned Identity Ecosystem is trustworthy and has the confidence of individuals. Using privacy-enhancing architectures in real-world environments, the pilots are testing new methods for identification online for consumers that increase usability, security, and interoperability to safeguard online transactions.
- Learn more about the NSTIC pilots here.
5. What is the NPO’s role in the IDESG?
- The NPO is one stakeholder working within the IDESG to collaborate on solutions to enable the Identity Ecosystem.
- Participation in the IDESG is free and open to all stakeholders—industry experts, advocates, individuals, and any others—interested in crafting a framework for identity solutions.
- The director of the NPO serves as the Vice Chair of the IDESG’s Management Council to help provide guidance on the broad objectives envisioned by the NSTIC and to ensure that IDESG work activities align with the NSTIC Guiding Principles:
  - Identity solutions will be privacy-enhancing and voluntary.
  - Identity solutions will be secure and resilient.
  - Identity solutions will be interoperable.
  - Identity solutions will be cost-effective and easy to use.
- Learn more about the IDESG here.
- For more on the NSTIC Guiding Principles, click here.
6. Why now? Why is the National Strategy for Trusted IDs in Cyberspace needed?
Cybercrime is growing and has become more organized and sophisticated. As we increasingly perform high-value transactions online, such as mortgage applications, buying stocks, or reviewing health care information, our vulnerability to theft, fraud, and privacy violations increases proportionately.
Sixty years ago, before the invention of the credit card, people simply accepted the danger inherent in carrying cash with them to make a large payment. Today we accept the dangers of using easy-to-break passwords and providing personal information to dozens of different Web sites as the cost of doing business on the Internet. But we don't have to.
The technologies exist now to make online transactions more secure, private, and more convenient. NSTIC offers a vision of the future where the private sector, civil societies, and the public sector collaborate to create the standards and policies needed for interoperable trusted credentials that would dramatically reduce ID theft and fraud online. In addition, by acting now and creating a more trusted environment for online transactions, we will ensure that the Internet continues to support innovation and the creation of new jobs.
7. Is NSTIC a plan to introduce a national ID card or an internet driver's license? Do I have to get one?
No. The government will not require that you get a trusted ID. If you want to get one, you will be able to choose among multiple identity providers — both private and public — and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge. Even if you do choose to get a credential from an ID provider, you would still be able to surf the Web, write a blog, visit chat rooms, or do other things online anonymously or under a pseudonym. The new Identity Ecosystem is meant for sensitive transactions — banking, shopping, accessing health records, etc. It is designed to protect your privacy by helping online providers verify your identity before accepting or providing sensitive information to you. It is also intended to help you verify that the Web sites you use are legitimate and not fake sites designed to steal your credit card or other personal information.
8. Will the government run the Identity Ecosystem?
No. The Identity Ecosystem will be created and run primarily by the private sector. Leadership by the private sector is critical to the success of the proposed strategy. Private companies have the incentives as well as the market experience to build, promote, and operate the Identity Ecosystem. While some government agencies, such as those that provide health care or other benefits may provide trusted IDs directly, the majority of service providers will be private-sector organizations. Federal, state, and local government agencies are also expected to accept trusted credentials provided by these private-sector organizations.
9. Why should the government be involved at all?
The role of the federal government is to facilitate and help jump start the private sector's efforts by convening workshops and bringing together the many different stakeholders important for establishing the Identity Ecosystem. The government will also protect individuals by ensuring that the Identity Ecosystem meets these four guiding principles: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy to use. Lastly, the government can help drive the market by accepting Identity Ecosystem credentials for its online services.
10. How will implementation of NSTIC enhance privacy and support civil liberties?
NSTIC requires that service providers abide by the Fair Information Practice Principles (FIPPs) to ensure that people will be able to trust that their personal data are handled fairly, that they are informed about how their data will be used, that they have meaningful choices, and that checks and balances are in place to hold providers accountable for following a standard set of best practices. As is made clear in the subsequent White House report "Consumer Data Privacy in a Networked World," these FIPPs are completely consistent with the Consumer Privacy Bill of Rights (see Appendix B).
For example, service providers would be required to collect and share the minimum amount of information necessary for authentication. In the physical world, when people show a driver's license to prove their age, they also reveal all of the other information on the license. In the Identity Ecosystem, your credential could be used to prove you were a minimum age to allow a purchase without revealing your birth date or other information.
In addition, an approach grounded in recognized privacy principles will promote the creation and adoption of privacy-enhancing technologies. Such technologies will inhibit the linkage of credential use information among multiple service providers, thereby preventing those providers from developing a complete picture of an individual's activities online. Equally important, the Identity Ecosystem allows you to continue to use the Internet anonymously, which supports civil liberties like free speech and freedom of association.
11. Where can I get a trusted credential? Is the Identity Ecosystem built yet?
While some private and public identity providers do exist, the Identity Ecosystem, the system of technical and policy standards described by NSTIC, is not established yet. The purpose of NSTIC is to encourage public and private efforts to build upon current services in ways that enhance privacy, security, and convenience, but it will likely be some years before the full promise of the Identity Ecosystem is in place.
12. Won't having a single password and credential be less secure and private than having many usernames and passwords?
No. Like the bank card and PIN you use to obtain money from an ATM, having a password and a credential in physical form such as a cell phone, token, or smart card is much more secure than passwords alone. In addition, you may choose to have multiple credentials from different identity providers. However, even a single Identity Ecosystem credential is privacy-enhancing, because it can send different types of information to different service providers. For example, you could use your credential to log in to your online magazine subscription as "Jane457," because the magazine doesn't need to know your real name. But if you want to access your medical records, the same credential could prove that you are truly "Jane Smith."
NSTIC does not specify exactly how the technology behind credentials should verify identity; that should be left up to the private sector. However, past experience has shown that "multi-factor authentication" is much more secure than passwords alone. For example, a bank could issue you a physical device, such as a key fob (something you have), combined with a short PIN (something you know) to access your accounts. This two-factor method would make it much more difficult for thieves to break into your accounts. Your cell phone could also carry a digital certificate (something you have) that requires a password (something you know).
The key is that you can have multiple trusted identity credentials, and even if you lose the physical device, a cyber criminal still can't assume your identity without your PIN or password. Having even a few PINs or passwords - should you choose to use multiple credentials - would be much more convenient than the dozens of passwords most people are forced to remember now. Also, should a credential be lost, you can more easily notify all necessary parties to secure accounts through the credential provider, rather than having to notify each individually. The ID provider would then discontinue that credential and issue you a new one, helping to minimize the likelihood of unauthorized activity.
No solution, of course, is a magic fix for all possible cybersecurity risks, and NSTIC does not claim to have answers to all threats associated with online transactions. It is, however, a major step forward in making the growing number of online transactions more convenient, more secure and more private.
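To make the minimal-disclosure behaviour of questions 10 and 12 concrete (proving "over 18" without releasing a birth date, and appearing as "Jane457" to one provider but "Jane Smith" to another), here is an added Python sketch; it is not code from NSTIC, the NPO or any IDESG specification. The credential fields, relying-party names and holder secret are constructed for illustration, and disclosure is decided in plain code at the holder rather than with a cryptographic credential scheme.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample credential: attributes an identity provider vouched for.
# Field names are hypothetical, not an NSTIC or IDESG format.
CREDENTIAL = {"name": "Jane Smith", "birth_date": date(1985, 6, 15)}

# Holder-held secret used only to derive per-relying-party pseudonyms (constructed).
HOLDER_SECRET = b"constructed-holder-secret-not-for-real-use"

# What a relying party may ask for; anything else is refused outright.
RELEASABLE = {"pseudonym", "over_18", "name"}


def pairwise_pseudonym(relying_party: str) -> str:
    """Stable identifier that differs per relying party, so two providers
    that pool their records cannot join them on the identifier alone."""
    mac = hmac.new(HOLDER_SECRET, relying_party.encode(), hashlib.sha256)
    return "user-" + mac.hexdigest()[:16]


def age_in_years(birth_date: date, today: date) -> int:
    """Exact age, correcting for a birthday later in the year than today."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (0 if had_birthday else 1)


def present(relying_party: str, requested: set, today: date = date(2014, 1, 1)) -> dict:
    """Build the minimal presentation the relying party's policy asks for.

    A magazine gets only a pseudonym, an age-restricted shop gets a yes/no
    predicate instead of the birth date, and a clinic gets the verified name.
    """
    unknown = requested - RELEASABLE
    if unknown:
        raise ValueError(f"not releasable: {sorted(unknown)}")
    presentation = {"rp": relying_party}
    if "pseudonym" in requested:
        presentation["pseudonym"] = pairwise_pseudonym(relying_party)
    if "over_18" in requested:
        presentation["over_18"] = age_in_years(CREDENTIAL["birth_date"], today) >= 18
    if "name" in requested:
        presentation["name"] = CREDENTIAL["name"]
    return presentation


def linkable_fields(p1: dict, p2: dict) -> set:
    """Fields two presentations share with equal values: what colluding
    relying parties could use to tie the two accounts to one person."""
    return {k for k in p1.keys() & p2.keys() if k != "rp" and p1[k] == p2[k]}
```

Each relying party sees only what its policy requested, and the pseudonyms handed to two different parties share nothing that would let them build the cross-site profile question 10 warns about.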
13. Should I get a credential if I don't use the Internet very much?
Even if you don't use the Internet for lots of high-value transactions you will probably still benefit from having a trusted ID. Having a credential makes it easier to shop without having to open multiple accounts and it makes it harder for identity thieves to hack into your social networking accounts to get your personal information. Just as you probably routinely lock your car when you leave it in the parking lot, you should have a "lock and key" for your identity, even if you don't need to use it on the Internet very often.
14. Who will make sure that companies follow the rules?
One of the first actions for the National Program Office once it is established will be to convene a workshop for companies, privacy advocates, and other stakeholders to develop a steering group for the Identity Ecosystem. This group would administer the process for developing the technical standards and policies needed for the Identity Ecosystem. A community of members with similar goals and perspectives — known as a trust framework — can hold its members accountable to follow specific standards and policies. An accreditation authority would assure that individual service providers adhered to accepted Identity Ecosystem practices. Those who violate the rules would lose their trustmark status. Furthermore, the role of the government in the Identity Ecosystem is to ensure that individuals are protected from serious harm.
15. Will new laws be needed to create the Identity Ecosystem?
New ways of conducting business in the marketplace sometimes create uncertainty. If the marketplace does not respond to that uncertainty in a timely way, with ways to ensure that privacy is protected and limits on liability are described, then changes to current federal laws may be necessary.