A National Strategy for Trusted Identities in Cyberspace

The White House has issued a draft for comment of a new National Strategy for Trusted Identities in Cyberspace. The strategy draft was introduced by Howard Schmidt in a White House blog: A National Strategy for Trusted Identities in Cyberspace

Howard's introduction included:

"Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities."

In a terrific move, the government is using the online social commenting structure of Ideascale.com to help enhance the dialog and comments on this draft.  You can see the way these comments are shaping up at:  www.nstic.ideascale.com I can tell this document has already been well staffed and according to the White House release over 4000 comments were received on previous versions.  I'm sorry to say I have not provided any input to date.  I'm not sure how many other techie types did either.  Maybe some of my heros did and I hope I don't say anything below that offends them if I did.

I also offer some CTO-type context below.

One thing I noted right away was that the first seven pages were little more than justification. This is clear indication that the drafters understand not all see a need for significant action here.

After those seven pages, the core of the document dives into:

  • Guiding Principles – Establishes the tenets that this Strategy must uphold in order to be successful. The Guiding Principles are necessary characteristics of the Identity Ecosystem.
  • Vision and Benefits – Presents the overarching vision the Strategy seeks to achieve along with the details of the Identity Ecosystem and the benefits for individuals, private sector, and Government.
  • Goals and Objectives – Defines what this Strategy intends to accomplish.
  • High Priority Action Plan – Introduces critical tasks that form the basis for realization of the Strategy Goals and Objectives.
  • Conclusion – Provides a high-level summary of the Strategy and a call to action for the public and private sectors.

The following are some personal opinions on those elements of the strategy:

Guiding Principles: This is perhaps the most important part of the document. I could certainly suggest re-wording a few, but that is not what is important here. What is important is capturing the key principles, and I don't disagree with any of these. It is good to read them and clearly lots of thought was put into them.  I bet since this document has been widely staffed there is widespread agreement on these, but it is good to re-look principles, especially at the beginning of an effort like this. I hope dialog with citizens and academia and industry result in widespread acceptance. Perhaps there will be other principles captured in this interaction with the populace, but I personally cannot think of any.

Vision and Benefits: I'm sure onboard with the vision, which is: "Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation." I'm sorry to report, however, the entire rest of this section is not so impressive, at least from the standpoint of someone who likes to see progress on big issues like this. After introducing a vision the drafters immediately do a bit of a "bait and switch" and present ideas they seem to assert must be part of the solution, including a very detailed new vocabulary and a new approach for framing the future solution. This might be a solution. But there might be an infinite number of others. So how do we know this is the optimal one? What other options were considered? Is this option based on science of any sort? As a computer scientist I would like to know.

The strategy asserts that the vision will be accomplished by an ecosystem of three layers: one for execution, one for management, and one for governance. Each are then defined and new terms are proposed for each. But my sense is their are many other possible frameworks and I don't see the level of academic rigor or practitioner's sense I would expect in a framework like this. I want to see a framework written by masters of the art like the Carnegie- Mellon University's Software Engineering Institute or the standard's body OASIS. Then I'll feel that serious thought has been put into optimizing a workable way to implement the vision.

There is certainly thought and serious attention paid to use-cases in this section, but this is supposed to be a section on vision.

But the section was titled "vision and benefits," which underscores again that the drafters are making a point of underscoring why action is required. Three pages of solid benefits I think most of us would like to see are captured in this section. This is very useful to articulate and I hope the open dialog and comment period results in even more being captured. But it seems to be a logical flaw to suggest that the only way these benefits will be obtained is by accepting the drafter's assertion that we must define an identify ecosystem the way it is written there.

Goals and Objectives: In a logically flowing strategy, a vision will be an endstate and the goals will be those things that must be accomplished to ensure success in reaching that endstate. Objectives contribute to achieving goals and will normally have responsible parties assigned and dates associated with when they must be completed. I've already mentioned the long assertion in the vision section regarding a particular approach to an ecosystem and that throws off the logic flow a bit. If that section were removed then it would probably help with the logic flow better and these goals would be in much better context. So pretend you didn't read that part. Here are the four goals:

  • Goal 1: Develop a comprehensive Identity Ecosystem Framework.
  • Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.
  • Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.
  • Goal 4: Ensure the long-term success of the Identity Ecosystem.

I don't see any huge problem with the goals as stated. But the lens we will just those goals are on how well they help us accomplish the vision. Remember the vision: "Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation." Keep that in mind as you think of those goals. Some of my comments are below:

Goal 1: Develop a comprehensive Identity Ecosystem Framework.

Wait a minute! An identity ecosystem framework was already asserted in the vision section. I think the goal can stand as it is but key objectives should include working with academia and the internet technology community (including standards boards) to coordinate enhanced identity management frameworks. The goal should not be to just develop and build the framework asserted by the drafters of this strategy, in my opinion. They have simply not provided any justification that their way has been thought out well enough. And with no justification they are not going to be able to compel the action required. The internet standards community works in a way where logic, trust and compelling arguments are key and collaboration is the preferred means to developing standards. I've seen no evidence of this occurring yet (although I have to admit it could have been, I can't be everywhere at once!).   I have seen evidence of coordination with industry and industry bodies, but not with standards groups or academia.  I wonder about that.

So my issue is not the goal, but the means to get to it. I want to see objectives that focus on the great centers of computer science in America, like our universities and standards bodies.

Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.

This is a call for an infrastructure. I have to support this. I believe the nation needs to serve its citizens this way, like it did in serving us with canals, roads, interstate highways and other transportation systems. I can't say the objectives listed will guarantee success. There are only three objectives presented: one on continuing government leadership, one on promoting speed in deployment, and one on promoting broad use of solutions. If we accomplish all three objectives do we have guaranteed success in the goal? I don't think so. Seems like more work is required in this area.

Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.

It is hard to argue with this goal. Government is about service to citizens. If this system is not for the use of citizens and if they do not trust it to enhance their privacy and economic and personal freedoms then it is doomed. I'll reserve judgement on the objectives for these goals. They seem ok on their surface.

Goal 4: Ensure the long-term success of the Identity Ecosystem.

Finally we get into a goal and objectives which give a hat tip to the standards community. This goal brings up very important points about the fact that the Internet is global and not owned by any one provider or commanded by any one country. An objective is listed that calls for enhancing US participation in technical standards bodies. This is a great goal. I would only say that participation requires engagement by very smart, educated participants because the way these bodies work is by people injective good ideas and contributing to broadly understood goals. They do not work by groups or even countries coming in and thinking they can command. Every once in a while great corporations are able to muster the technical talent required to sway a standards body their way, but even then that is not a cake walk. You must build compelling arguments.

Following the goals and objectives section is a section titled "Commitment to Action" which provides a list of nine high priority actions. I think it would have been more sound and build a stronger argument if these had been in the goals and objectives section of the plan. This reads like it is "goals and objectives part two." What was that goals and objective section I just read? Was that supposed to be just warming me up for the real actions?

Anyway, we seem to be finally getting into the meat of the document. The nine actions seem like good things to do. Who is against DNSSEC, IPSEC and PKI? And who is against enhancing privacy? This whole list is full of smart things like that.

The conclusion of the document says: "This Strategy provides a vision for how users, service providers, and other stakeholders can improve their use of digital identities in online transactions." As for me, I didn't see that. I saw a good vision, but the document really lacks in the "how" department. I also saw many good actions and some terrific context. But seems like much more work is needed before we can say this strategy provides a vision for "how" we can improve use of digital identities. I think we can get there. We can get there by tapping into the great thinkers who really know identity management. The great computer science thought leaders from American academia and the standard's bodies that make the Internet work.

Maybe the way ahead is to have the government coordinate the vision and principles and let the standards community come back with goals and objectives. The government could facilitate that interaction and keep it on track. But my sense is from reading this document the government's role should not be to assert they know the answer, yet.

I'm not asking that the government go back to the drawing board.  In fact, I'd like to see things move faster and would like to see some new ideas injected into the process.

Here is one that might help.  Since many folks (like me) can criticize but few can truly produce workable ideas that scale, why not pull together a venue of the greatest minds in technology and issue the challenge to them.  If the government has a compelling vision I think this could be done.   I would start with the list of Turing award winners, then add in the dean's of computer science from our greatest academic institutions.  The result: a body who knows technology will be informing and guiding the strategy.  When combined with the great leadership of professionals from government and the continued contributions from industry, this could be the winning approach.

Connect Here

Bob Gourley

Partner at Cognitio Corp
Bob Gourley is a Co-founder and Partner at Cognitio and the publisher of CTOvision.com andThreatBrief.com. Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley
Connect Here
About Bob Gourley

Bob Gourley is a Co-founder and Partner at Cognitio and the publisher of CTOvision.com and ThreatBrief.com. Bob's background is as an all source intelligence analyst and an enterprise CTO. Find him on Twitter at @BobGourley


  1. Donn Parker says:

    Trusted Identities in Cyberspace
    June 25, 2010 Draft
    Donn B. Parker, CISSP Retired
    July 25, 2010

    As usual, the fundamentals of security are quite deficient in this draft resulting in dangerously incomplete, incorrect, and inconsistent strategy. A report such as this should be based on a valid and complete definition and content of security. See my article on Fundamental Conceptual Information Security Model in the ISSA Journal, July, 2010.

    On page 8 “Security ensures the confidentiality, integrity, and availability of identity solutions.” Is incomplete and inconsistent. The problem starts with the definitions of these terms in the Glossary (see below). And the Glossary incorrectly defines many of the terms by how to achieve them rather than the meanings of the terms. The statement should be that “security ensures the confidentiality, possession, integrity, authenticity, availability, and utility of identity solutions.”

    On Page 36: FIPPS “Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.”

    This is an example of the shortcomings of security using present models and definitions. Security should be stated in a way that it explicitly includes all possible adversities, not just examples of a few. This cannot be accomplished with CIA and using incorrect meanings different from dictionary meanings. In this FIPPS “unauthorized” is too restrictive. “Unintended” should be used. “Disclosure” is only part of the complete adversity of lost confidentiality. Confidentiality is also lost from observation or viewing (sometimes called shoulder surfing) that is equally a serious act. Without including observation explicitly confidentiality can be lost from reading or observing PII displayed for intended participants only. “…unauthorized access or use” as stated is inadequate to include observation. Endangerment (Putting PII in harms way) is probably the most common risk and never appears in security lists. ”Access” is too obscure and shouldn’t be used. Misrepresentation should be included to address repudiation and deception that are both missing. Here is a complete model of PII security using words that should be defined correctly in the Glossary (see comments below:

    Glossary “Confidentiality: Preserving authorized restrictions on information access and disclosure to prevent disclosure to unauthorized individuals, entities or processes, including means for protecting personal privacy and proprietary information.”

    This statement of how to achieve confidentiality omits preserving restrictions on observation or viewing, and access doesn’t cover this most common violation of confidentiality. “Access” in the definition comes before the act of observing. Disclosure and observation are different violations and require different kinds of controls. Also proprietary information may not be confidential, yet its possession must be protected. Possession must be added to the Glossary and in the text as a separate state of information that must be preserved in the definition of security.

    Glossary “Integrity: Assurance that data has not been modified or deleted in an unauthorized or undetected

    This definition on how to achieve integrity is incorrect. All dictionaries define it to mean in good condition that doesn’t include “modified or deleted.” Also “or undetected” is incorrect and redundant because as an alternative, undetected modification could be authorized. Why does the definition of confidentiality refer to information and integrity refer to data? Stick to either data or information for consistancy. Security must also preserve the authenticity of information that is different from integrity.

    Glossary “Availability: Ensuring timely and reliable access to and use of information.”

    Availability means information is usable. But it doesn’t include information being useful. Therefore, utility must also be preserved. Reliability of information is not a responsibility of security. It is a separate need.

    Glossary “Identity assurance: Means to ensure the integrity and authenticity of identity information.”

    This is incomplete and confusing: assurance means to ensure? What about ensuring identity confidentiality, possession, availability, and utility?

    Glossary :secure: Online transactions are secure if the implementation mechanisms meet their predefined
    security objectives of correctly authenticating the parties to the transaction, prevent
    unauthorized access and release of data, assure availability, faithfully conduct and record any
    negotiation, and preserve confidentiality and integrity of information. Pre-defined security
    objectives vary widely depending on the need.”

    This is a mish-mash of unneeded complexity and secure doesn’t pertain to online transactions alone. Secure simply means information has intended confidentiality, possession, integrity, authenticity, availability, and utility.

    Page 13: “A Trustmark is a badge, seal, image or logo that indicates a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. To maintain trustmark integrity, the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity.”

    This is incorrect. Integrity is not violated by forgery. Forgery only violates authenticity. And participants should be able to both validate its integrity and its authenticity that are two different security states of information requiring quite different controls.

    Page 23: This Strategy will promote confidence via mechanisms that address privacy protection, data integrity, and data confidentiality associated with identity solutions.

    This is wrong. Privacy protection is a personal right not addressed by mechanisms. The mechanisms address information confidentiality, possession, integrity, authenticity, availability, and utility that helps to achieve privacy protection.

    For your use and reference, the following definitions of security and the elements are the relevant abstractions taken from Webster's Third New International Dictionary.

    Security: Freedom from danger, fear, anxiety, care, uncertainty, doubt; basis for confidence; measures taken to ensure against surprise attack, espionage, observation, sabotage; protection against economic vicissitudes (old age guarantees); penal custody; resistance of a cryptogram to cryptanalysis usually measured by the time and effort needed to solve it.
    Confidentiality: Quality or state of being private or secret; known only to a limited few.
    Possession: Act or condition of having in or taking into one's control or holding at one's disposal; actual physical control of property by one who holds for himself, as distinguished from custody; something owned or controlled.
    Integrity: Unimpaired or unmarred condition; soundness; entire correspondence with an original condition; adherence to a code of moral, artistic or other values; the quality or state of being complete or undivided; material wholeness.
    Authenticity: Quality of being authoritative, valid, true, real, genuine, worthy of acceptance or belief by reason of conformity to fact and reality.
    Availability: Capable of use for the accomplishment of a purpose, immediately usable, accessible, may be obtained.
    Utility: Useful, fitness for some purpose, capacity to satisfy human wants or desires.

    Definitions of the Six Security States of Information
    Confidentiality: Limited observation and disclosure of information
    Possession: Hold, control, and ability to use information
    Integrity: Complete, whole, good condition, and readability of information and being unchanged from a previous state
    Authenticity: Validity, conformance, and genuineness of information
    Availability: Usability of information for a purpose
    Utility: Usefulness of information for a purpose

    • Donn,

      Thank you very much for the comments. I found them informative and helpful context. I'm hoping the drafters of the document also come across these and I'll drop them a note to bring their attention to this.

      Your comments also have me hoping you will look around other places on this site and weigh in on other posting here regarding security.

      Thanks much,

  2. Even as I like a physical keyboard, after handling the Samsung Captivate for about quarter-hour, it is hard to move back. Presently I'm debating whether or not to go to Verizon for the Droid X, go to Dash for the EVO, or stick with AT&T for the Captivate…decisions, decisions.

  3. The whole idea is just big brother gone insane
    It is well known that ID does not combat terrorism, this whole plot is just to allow major companies, especially major media companies such as google,, to spy on everyone,
    Street view was just the start of a massive infringement of privacy by both media and governments combined

Leave a Reply