Return of the Guru

Feds Overreach Their Capabilities in the National Trusted Identities Program

Ara Trembly
Insurance Experts' Forum, June 28, 2010

President Obama’s new cyber-security chief is proposing to create an online “trusted identity system” with the goal of allowing individuals and organizations to “utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation.”

Like most federal trial balloons, this proposal is very short on details, but one can’t deny that the idea of being able to operate securely online with a minimum of passwords and other security measures is appealing. According to the Obama administration’s draft proposal, “the Strategy defines and promotes an Identity Ecosystem that supports trusted online environments. The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities.”

The proposal notes a key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. “While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities,” the document states. Certainly, any health insurer reading this will be nodding in complete agreement.

Unfortunately, as often happens with the government’s bright ideas to solve all our problems, this particular proposal is merely a tasty morsel of Swiss cheese, which is to say, full of holes. One particularly gaping aperture is the mindset behind this effort, as expressed in the proposal document: “Spoofed websites, stolen passwords and compromised login accounts are all symptoms of an untrustworthy computing environment.” No, actually those things are symptoms of a society and a world that is overrun with criminality. Merely creating a more “healthy” computing environment won’t stop criminal activity; in fact, it may even help to promote such skullduggery.

What do I mean? Simply that if I can now go to just one place to get all the passwords, logins, etc. that I want, then—as a cybercriminal—I need only concentrate on cracking the defenses wrought by the federal government to protect the “Identity Ecosystem.” In effect, by taking everyone’s private information and locking it into a single vault, I am inviting every safecracker out there to try their luck, with the prize being untold riches of ill-gotten information. Most of us know that there simply is no completely secure online computing environment (witness the feds’ own problems with hacking attacks on the Pentagon and other federal systems), so why make the bad guys’ jobs that much easier by putting so much juicy information in a single place?

In promoting the idea that it can create a safe cyberspace Nirvana, the federal government is overreaching not only its own limited capabilities in this area, but also the capabilities of any group of experts. The unassailable citadel against cyber-crime has yet to be built, and you can be sure this proposal will not result in its construction.

Instead, as I have mentioned before, the government needs to get much more serious about tracking down and punishing people who commit cyber-crimes. Guaranteed sentences at hard labor will do a lot more to dissuade criminals than yet another fruitless effort at universal protection. As it is, the Identity Ecosystem is merely a gathering of many information treasures behind a single wall that will inevitably be breached.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
