Is strong online identity just around the corner?
26 October, 2009
Government, private sector and consumer groups all push for solutions
By Zack Martin, Editor, Avisian Publications
The old saying goes: On the Internet nobody knows you’re a dog.
But that may not be the case for much longer. Efforts from corporations, the U.S. government and others may provide a trusted and secure way to identify individuals on the Internet. Momentum seems to be building to stem the potential “identity crisis” in the U.S.
A White House review of U.S. cybersecurity, released in May, showed significant weaknesses in cybersecurity. Making better use of identity management systems is one precaution that can be taken to improve the situation, according to the report.
“We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people,” the report states. “Authentication mechanisms also can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices.”
The report calls on the federal government to work with the private sector to create an online identity management system that uses privacy-enhancing technologies. As a starting point the report suggested using the National Science and Technology Council’s Subcommittee on Biometrics and Identity Management report that was released in 2008. (See Obama’s Plan, below.)
The report also states that the federal government should continue to fund the implementation of HSPD-12 and extend the availability of the credentials to operators of critical infrastructures and others. The release of the new PIV Interoperability specification will make it easier for non-federal entities to issue these cards.
Sources say there may also be plans for the U.S. to consider issuing a high-assurance credential to citizens on a voluntary basis.
In addition, there are projects in the private sector. Technology providers and associations have joined together to form the Kantara Initiative. The idea behind the program is to unite the various existing identity management schemes so the end user doesn’t have to sign up multiple times.
Improved credentials on the horizon
In the next five years 150 to 200 million high-assurance credentials will be issued to U.S. citizens, said Peter Alterman, former deputy associate administrator for technology strategy at the office of government-wide policy at the General Services Administration who is now with the U.S. Department of Health and Human Services. Alterman made the comments at the CTST conference in New Orleans in May.
Alterman doesn’t know who will be issuing these credentials. But it’s most likely federal standards, such as FIPS 201, will be used by citizens as well as federal employees.
He wouldn’t say which agency would issue the credentials or how they would be used, but he did say there are activities in store for the next year around health care, the IRS and Social Security Administration.
“We’re going to see more of an emphasis on communities of people demanding better means of identity as they move into the digital world,” says Neville Pattinson, vice president of government affairs and standards at Gemalto.
Health care is a market where the identification industry needs to focus. “There’s a great deal of concern about health care,” Pattinson says. “Money is heading in that direction and this may be the coattails we live off of to create an identity infrastructure.”
Doug Simmons, vice president of consulting at the Burton Group Consulting Services, says the U.S. government’s Personal Identity Verification specification has paved the way for non-government entities to deploy smart cards. “Enough people are getting fed up with the identity theft and saying enough is enough,” he says. “We’re smart people and we need to put the policies in place to take care of it.”
One of the major issues with the high-assurance credentials is who will issue them. The federal government may not be able to do it because it reeks of a national ID program, which many consider a poison pill in the U.S.
Simmons suspects that states are in a perfect situation to issue the credentials, but Pattinson has concerns. Who is liable if someone gets a fake credential and does something malicious? This liability may keep private companies from issuing them as well.
New Social Security card in the works?
But there are signs that the federal government is preparing to issue citizens some type of credential. The U.S. Senate Judiciary Committee is exploring the use of biometrics and smart cards for a new Social Security card. This could lead to as many as 300 million electronic credentials being issued in the next six to eight years.
Two different ideas are being floated when it comes to the Social Security number, sources say. One involves enrolling individuals, capturing the fingerprint biometric and then linking it to the Social Security number. The biometric data would be stored and checked against a database for official functions, such as verification of employment eligibility.
The other idea involves the issuance of a smart card with match-on-card biometric functionality. Cardholders could use this card for official functions and potentially as an authentication token for other transactions both in physical and virtual environments.
The primary purpose for using the new technologies would be to show employment eligibility for residents and non-resident aliens. Before being hired an individual would have to have the biometric checked to make sure he is eligible to work in the U.S.
The new card would not be mandatory. “It’s an upgraded Social Security card with the added benefit of authenticating the cardholder and protecting against identity theft,” says one source, stressing “it’s not a national ID.”
The biometrics industry is lobbying for its technology to be used solely, but the use of a smart card would enable other functionality, including protecting against identity theft, authentication for bank accounts and health records and other possibilities.
Studies suggest that U.S. citizens are overwhelmingly opposed to a national ID card. But at the same time when asked if they want protection from identity theft the answer is a resounding yes. “We don’t have any way of putting our identity out there in a trusted manner,” says a source. “I see the political indicators aligning and the Obama administration seeing the challenges.”
The Senate Judiciary Committee, particularly Sen. Chuck Schumer (D-N.Y.), chairman of the Senate Judiciary Committee’s Subcommittee on Immigration, Border Security and Citizenship, has been the driving force behind the efforts. Schumer’s office did not return calls.
But a hearing in July has Schumer backing a biometric-only approach that would be used for verifying employment eligibility.
E-Verify is the system in place now and it verifies the Social Security number, date of birth and other demographic data. Schumer says the system is prone to errors and doesn’t work and wants to add additional identification, such as biometrics, to prevent fraud and increase security. He called for a “non-forgeable identification system to completely and accurately identify workers.”
The system would be mandatory and apply to citizens and non-citizens who would use the system to verify employment eligibility. The system would have no other purpose, Schumer says.
Testifying at the hearing was Rep. Luis V. Gutierrez (D-Ill.), who has proposed using biometrics for employment verification before. “In my last comprehensive immigration reform bill, we included a requirement to better secure the Social Security card by making it a tamper-proof, biometric card,” he says. “Schumer’s proposal, to actually make the entire system biometric-based takes the system one step further.”
Gutierrez says using this type of system will provide workers with greater power and access to employment records, prevent pre-screening and misuses by employers and reduce fraud because an individual would have to swipe a card and authenticate a biometric in order to be verified.
The challenges for such a system did not go unnoticed. “A system that depends on a biometric card rather than a database query would require every American and legal foreign worker to obtain a card,” Gutierrez says. “This would place the bulk of the changes necessary at the front end of rolling out such a system, and Congress would need to commit sufficient resources.”
It would also require employers to have equipment to verify the card and biometric. “I think Congress and the American people will want to have a clear understanding of how such technology works, how their privacy will be protected, the process and cost of rolling out access to employers,” Gutierrez says.
One source says a mandatory, biometric-only approach won’t work. In order to get buy-in from the public there has to be an upside for them, such as protection against identity theft. “It must be voluntary and be able to be used for other applications,” the source says.
Privacy groups will almost certainly come out against the credential and there will be some intense lobbying on both sides of the issue.
Still, while the political will seems to exist now and legislation could be proposed this year, there are challenges. Exactly how the card will be used has to be determined. Political insiders say immigration reform may be the best political way to get a bill passed.
While there are still obstacles to hurdle, it appears as though there may be serious movement toward offering citizens a way to secure their identity online. “This is going to be the beginning of a trusted credential in the U.S.,” a source says.
Private sector also seeking solution
Brett McDowell, executive director of the Liberty Alliance, says the market needs to come up with a solution so individuals will be able to get a credential if they want one.
The Liberty Alliance is one member of the Kantara Initiative, an organization working on technical interoperability for all the different electronic identity schemes, says McDowell. The group is working on solving the policy question around ID interoperability as well as the technical issues.
There are a number of different technical solutions for online identity. OpenID, PKI, SAML and Information Cards all serve to identify individuals online, and they all do it in a different way. The goal of Kantara is for these different systems to become interoperable, McDowell says.
“We’re focused on interoperability at the protocol level. None of the solutions in the marketplace can solve the full Internet ID continuum,” he says. “The stakeholder on any one solution is focused on solving that problem on his own and we now realize we have to work together to solve the problem.”
Part of the process will be setting up four levels of assurance for different online transactions, McDowell says. Every network transaction will then be placed in one of the four levels of assurance and a user will have to authenticate to that level before the transaction is completed. For example, logging on to a social networking site may be the lowest level while transferring money from a bank account will require a higher level of assurance.
“In the end the goal is for a person to assert their identity across the continuum,” he says. “From your banks to your social network and working with the government and your employer.”
Kantara aims to enable the individual to have different personas with separate attributes, McDowell says. An individual could have one persona on a social networking site and a different one when logging into the bank account even though they are using the same identity management system to log in to both.
But how does that identity get vetted for the first time? How is it trusted?
McDowell says financial services companies will likely have a role in this. “You look at the banks and they authenticate everyone,” he says. “They have an infrastructure and are regulated. Google and Yahoo have the users and they are authenticating people but they have no knowledge of who they are.”
No matter who issues the credentials it seems as though there may soon be some type of high-assurance credential available to the public. Between the federal government’s efforts and those from the private sector it will be interesting to see who comes up with a solution accepted by the public first to solve the identity crisis in the U.S.
Obama’s Plan for securing the Internet
President Barack Obama’s review of U.S. cybersecurity shows that there are a number of security challenges facing the country and its digital infrastructure.
News reports this spring showed that the nation’s electric grid was vulnerable to hackers and had been infiltrated, and attacks on various government sites in July further highlight the issues raised in the report.
“It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution,” the report states.
To tackle these issues Obama plans to appoint a cybersecurity official to ensure the country takes the necessary steps to secure networks. This individual will work with the private sector to come up with solutions. “The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public,” the report states.
Recognizing that the Internet is a crucial component of everyday life for most U.S. citizens, the federal government needs to take steps to educate the public on online safety. “The United States should initiate a K-12 cybersecurity education program for digital safety, ethics, and security; expand university curricula; and set the conditions to create a competent workforce for the digital age,” the report states.
Securing identity was singled out in the report. “Identity management also has the potential to enhance privacy through additional protection against the inappropriate release of personal identifiable information,” the report states.
Initiatives the government should take include:
- The federal government should work with the private sector, civil liberty organizations and privacy advocates to create an identity management system.
- For high-value activities, such as the Smart Grid, the country should deploy an opt-in system of interoperable identity management systems to build trust for online transactions and to enhance privacy.
- The National Science and Technology Council’s Subcommittee on Biometrics and Identity Management in 2008 published a report that provides a vision for future federal identity management and a series of research and development recommendations. The government should use the report as a starting point for identity management strategies.
- The government should ensure that resources are made available so HSPD-12 is fully implemented.
“The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies,” the report states.