The White House has released the draft of a comprehensive policy framework for securing identities online, outlining a broad set of recommendations for combating Internet fraud and calling for comments from the public.
The National Strategy for Trusted Initiatives in Cyberspace (NSTIC) describes an “identity ecosystem” that promotes security, privacy and a consolidation of the various login credentials users maintain to access online services.
“No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services,” White House Cybersecurity Coordinator Howard Schmidt wrote in a post to the White House blog.
“Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions.”
The draft framework comes in response to one of the recommendations of the broader cybersecurity overhaul President Obama unveiled last May. Schmidt’s position was also created as a result of that review.
Schmidt said the framework released today represents the product of a lengthy process of consulting with government agencies, industry leaders and public-interest groups.
The document describes a rising tide of Internet crimes and argues that a more secure, federated approach to online identity management is needed to ensure that online transactions can be executed in a trusted environment.
“One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace,” the report reads. “Spoofed websites, stolen passwords, and compromised login accounts are all symptoms of an untrustworthy computing environment.”
The strategy is available to the public as a PDF at the Department of Homeland Security’s website, where members of the public can submit comments. The site also offers a Digg-like voting system for users to register their opinion about the comments with a thumbs-up or thumbs-down.
The administration is accepting comments on NSTIC through July 19, and expects to issue the final version of the document this fall.
The identity ecosystem would entail a constellation of secure ID management programs administered variously by the government or private sector, with appropriate levels of security applied to different types of transactions. Sending an e-mail, for instance, would require a lower authentication threshold than accessing an online medical record.
The framework stresses that participation in the identity ecosystem would be voluntary for both businesses and individuals and calls for interoperability among the various identity providers, including the federal government.
The strategy outlines several policy recommendations for developing the identity ecosystem, including designating a federal agency to spearhead the coordination between the public and private sectors.
Once the government adopted an implementation plan, it would begin pilot testing of experimental identity-management programs and ultimately develop interoperability standards.