A National Strategy for Trusted Identities in Cyberspace

The White House has issued a draft for comment of a new National Strategy for Trusted Identities in Cyberspace. The strategy draft was introduced by Howard Schmidt in a White House blog: A National Strategy for Trusted Identities in Cyberspace

Howard's introduction included:

"Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities."

In a terrific move, the government is using the online social commenting structure of Ideascale.com to help enhance the dialog and comments on this draft.  You can see the way these comments are shaping up at:  www.nstic.ideascale.com I can tell this document has already been well staffed and according to the White House release over 4000 comments were received on previous versions.  I'm sorry to say I have not provided any input to date.  I'm not sure how many other techie types did either.  Maybe some of my heros did and I hope I don't say anything below that offends them if I did.

I also offer some CTO-type context below.

One thing I noted right away was that the first seven pages were little more than justification. This is clear indication that the drafters understand not all see a need for significant action here.

After those seven pages, the core of the document dives into:

  • Guiding Principles – Establishes the tenets that this Strategy must uphold in order to be successful. The Guiding Principles are necessary characteristics of the Identity Ecosystem.
  • Vision and Benefits – Presents the overarching vision the Strategy seeks to achieve along with the details of the Identity Ecosystem and the benefits for individuals, private sector, and Government.
  • Goals and Objectives – Defines what this Strategy intends to accomplish.
  • High Priority Action Plan – Introduces critical tasks that form the basis for realization of the Strategy Goals and Objectives.
  • Conclusion – Provides a high-level summary of the Strategy and a call to action for the public and private sectors.

The following are some personal opinions on those elements of the strategy:

Guiding Principles: This is perhaps the most important part of the document. I could certainly suggest re-wording a few, but that is not what is important here. What is important is capturing the key principles, and I don't disagree with any of these. It is good to read them and clearly lots of thought was put into them.  I bet since this document has been widely staffed there is widespread agreement on these, but it is good to re-look principles, especially at the beginning of an effort like this. I hope dialog with citizens and academia and industry result in widespread acceptance. Perhaps there will be other principles captured in this interaction with the populace, but I personally cannot think of any.

Vision and Benefits: I'm sure onboard with the vision, which is: "Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation." I'm sorry to report, however, the entire rest of this section is not so impressive, at least from the standpoint of someone who likes to see progress on big issues like this. After introducing a vision the drafters immediately do a bit of a "bait and switch" and present ideas they seem to assert must be part of the solution, including a very detailed new vocabulary and a new approach for framing the future solution. This might be a solution. But there might be an infinite number of others. So how do we know this is the optimal one? What other options were considered? Is this option based on science of any sort? As a computer scientist I would like to know.

The strategy asserts that the vision will be accomplished by an ecosystem of three layers: one for execution, one for management, and one for governance. Each are then defined and new terms are proposed for each. But my sense is their are many other possible frameworks and I don't see the level of academic rigor or practitioner's sense I would expect in a framework like this. I want to see a framework written by masters of the art like the Carnegie- Mellon University's Software Engineering Institute or the standard's body OASIS. Then I'll feel that serious thought has been put into optimizing a workable way to implement the vision.

There is certainly thought and serious attention paid to use-cases in this section, but this is supposed to be a section on vision.

But the section was titled "vision and benefits," which underscores again that the drafters are making a point of underscoring why action is required. Three pages of solid benefits I think most of us would like to see are captured in this section. This is very useful to articulate and I hope the open dialog and comment period results in even more being captured. But it seems to be a logical flaw to suggest that the only way these benefits will be obtained is by accepting the drafter's assertion that we must define an identify ecosystem the way it is written there.

Goals and Objectives: In a logically flowing strategy, a vision will be an endstate and the goals will be those things that must be accomplished to ensure success in reaching that endstate. Objectives contribute to achieving goals and will normally have responsible parties assigned and dates associated with when they must be completed. I've already mentioned the long assertion in the vision section regarding a particular approach to an ecosystem and that throws off the logic flow a bit. If that section were removed then it would probably help with the logic flow better and these goals would be in much better context. So pretend you didn't read that part. Here are the four goals:

  • Goal 1: Develop a comprehensive Identity Ecosystem Framework.
  • Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.
  • Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.
  • Goal 4: Ensure the long-term success of the Identity Ecosystem.

I don't see any huge problem with the goals as stated. But the lens we will just those goals are on how well they help us accomplish the vision. Remember the vision: "Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation." Keep that in mind as you think of those goals. Some of my comments are below:

Goal 1: Develop a comprehensive Identity Ecosystem Framework.

Wait a minute! An identity ecosystem framework was already asserted in the vision section. I think the goal can stand as it is but key objectives should include working with academia and the internet technology community (including standards boards) to coordinate enhanced identity management frameworks. The goal should not be to just develop and build the framework asserted by the drafters of this strategy, in my opinion. They have simply not provided any justification that their way has been thought out well enough. And with no justification they are not going to be able to compel the action required. The internet standards community works in a way where logic, trust and compelling arguments are key and collaboration is the preferred means to developing standards. I've seen no evidence of this occurring yet (although I have to admit it could have been, I can't be everywhere at once!).   I have seen evidence of coordination with industry and industry bodies, but not with standards groups or academia.  I wonder about that.

So my issue is not the goal, but the means to get to it. I want to see objectives that focus on the great centers of computer science in America, like our universities and standards bodies.

Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.

This is a call for an infrastructure. I have to support this. I believe the nation needs to serve its citizens this way, like it did in serving us with canals, roads, interstate highways and other transportation systems. I can't say the objectives listed will guarantee success. There are only three objectives presented: one on continuing government leadership, one on promoting speed in deployment, and one on promoting broad use of solutions. If we accomplish all three objectives do we have guaranteed success in the goal? I don't think so. Seems like more work is required in this area.

Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.

It is hard to argue with this goal. Government is about service to citizens. If this system is not for the use of citizens and if they do not trust it to enhance their privacy and economic and personal freedoms then it is doomed. I'll reserve judgement on the objectives for these goals. They seem ok on their surface.

Goal 4: Ensure the long-term success of the Identity Ecosystem.

Finally we get into a goal and objectives which give a hat tip to the standards community. This goal brings up very important points about the fact that the Internet is global and not owned by any one provider or commanded by any one country. An objective is listed that calls for enhancing US participation in technical standards bodies. This is a great goal. I would only say that participation requires engagement by very smart, educated participants because the way these bodies work is by people injective good ideas and contributing to broadly understood goals. They do not work by groups or even countries coming in and thinking they can command. Every once in a while great corporations are able to muster the technical talent required to sway a standards body their way, but even then that is not a cake walk. You must build compelling arguments.

Following the goals and objectives section is a section titled "Commitment to Action" which provides a list of nine high priority actions. I think it would have been more sound and build a stronger argument if these had been in the goals and objectives section of the plan. This reads like it is "goals and objectives part two." What was that goals and objective section I just read? Was that supposed to be just warming me up for the real actions?

Anyway, we seem to be finally getting into the meat of the document. The nine actions seem like good things to do. Who is against DNSSEC, IPSEC and PKI? And who is against enhancing privacy? This whole list is full of smart things like that.

The conclusion of the document says: "This Strategy provides a vision for how users, service providers, and other stakeholders can improve their use of digital identities in online transactions." As for me, I didn't see that. I saw a good vision, but the document really lacks in the "how" department. I also saw many good actions and some terrific context. But seems like much more work is needed before we can say this strategy provides a vision for "how" we can improve use of digital identities. I think we can get there. We can get there by tapping into the great thinkers who really know identity management. The great computer science thought leaders from American academia and the standard's bodies that make the Internet work.

Maybe the way ahead is to have the government coordinate the vision and principles and let the standards community come back with goals and objectives. The government could facilitate that interaction and keep it on track. But my sense is from reading this document the government's role should not be to assert they know the answer, yet.

I'm not asking that the government go back to the drawing board.  In fact, I'd like to see things move faster and would like to see some new ideas injected into the process.

Here is one that might help.  Since many folks (like me) can criticize but few can truly produce workable ideas that scale, why not pull together a venue of the greatest minds in technology and issue the challenge to them.  If the government has a compelling vision I think this could be done.   I would start with the list of Turing award winners, then add in the dean's of computer science from our greatest academic institutions.  The result: a body who knows technology will be informing and guiding the strategy.  When combined with the great leadership of professionals from government and the continued contributions from industry, this could be the winning approach.

About Bob Gourley

Bob Gourley is a co-founder and Partner at Cognitio, the publisher of CTOvision.com and ThreatBrief.com . Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley