Feds Overreach Their Capabilities in the National Trusted Identities Program
Insurance Experts' Forum, June 28, 2010
President Obama’s new cyber-security chief is proposing to create an online “trusted identity system” with the goal of allowing individuals and organizations to “utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation.”
Like most federal trial balloons, this proposal is very short on details, but one can’t deny that the idea of being able to operate securely online with a minimum of passwords and other security measures is appealing. According to the Obama administration’s draft proposal, “the Strategy defines and promotes an Identity Ecosystem that supports trusted online environments. The Identity Ecosystem is an online environment where individuals,organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities.”
The proposal notes a key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. “While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities,” the document states. Certainly, any health insurer reading this will be nodding in complete agreement.
Unfortunately, as often happens with the government’s bright ideas to solve all our problems, this particular proposal is merely a tasty morsel of Swiss cheese, which is to say, full of holes. One particularly gaping aperture is the mindset behind this effort, as expressed in the proposal document: “Spoofed websites, stolen passwords and compromised login accounts are all symptoms of an untrustworthy computing environment.” No, actually those things are symptoms of a society and a world that is overrun with criminality. Merely creating a more “healthy” computing environment won’t stop criminal activity; in fact, it may even help to promote such skullduggery.
What do I mean? Simply that if I can now go to just one place to get all the passwords, logins, etc. that I want, then—as a cybercriminal—I need only concentrate on cracking the defenses wrought by the federal government to protect the “Identity Ecosystem.” In effect, by taking everyone’s private information and locking it into a single vault, I am inviting every safecracker out there to try their luck, with the prize being untold riches of ill-gotten information. Most of us know that there simply is no completely secure online computing environment (witness the feds’ own problems with hacking attacks on the Pentagon and other federal systems), so why make the bad guys’ jobs that much easier by putting so much juicy information in a single place?
In promoting the idea that it can create a safe cyberspace Nirvana, the federal government is overreaching not only its own limited capabilities in this area, but also the capabilities of any group of experts. The unassailable citadel against cyber-crime has yet to be built, and you can be sure this proposal will not result in its construction.
Instead, as I have mentioned before, the government needs to get much more serious about tracking down and punishing people who commit cyber-crimes. Guaranteed sentences at hard labor will do a lot more to dissuade criminals than yet another fruitless effort at universal protection. As it is, the Identity Ecosystem is merely a gathering of many information treasures behind a single wall that will inevitably be breached.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.