Open Identity for Closed Government: NSTIC the Cybersecurity Answer?

From IIW

Issue/Topic: Open Identity for Closed Government: NSTIC the Cybersecurity Answer? (T3B)

Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes

Convener: Joshua Gruenspecht

Notes-taker(s): Heather West

Tags for the session - technology discussed/ideas considered:

Security, NSTIC, us-government, cybersecurity

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

NSTIC came out of the national cybersecurity review, in part in order to improve cybersecurity; however, the document that is circulated publically is largely for open governent and for consumer facing transaction. Can this “open identity” be useful for “closed government” – that is, for securing high level targets, etc.

Make this work for secure credentials with strong identity – anonymous, verified online voting? Secure electronic access is the same across sectors. What this example includes is the privacy requirements inherent in our voting system.

How can we solve the security problem? Without solving that, and moving beyond LOA 1, this won’t get anywhere. Now, most things are closed and black boxes for the consumers. NSTIC at least presents the challenge and is trying to put together a framework.

How do we manage liability and indemnity for the consumer, the business, the IdP, the government? How do we harmonize security and privacy in a secure, government system?

What is the similar model in government? Security clearances that will be mutually accepted at given LOAs are the key here.

Do we want a DoD credential to sign us into Gmail? There’s little hope in the near future of loggin in to secure DoD systems ith a gmail credential – and that’s not a bad t hing. Low assurance transactions need to be more friction free, and use that learning process to move towards easiler high level assurance.

What kinds of trust are involved in a transaction where the government is a RP at a high level of assurance?

Implementing agency shoudl ensur that NSTIC is not just about creating a universal set of credentials with the government as a viable RP, in soe cases the governmnet should be accepting third party credentials even at higher LOAs. This will seed third party LOA world with people that are doing this.

Also encourage more gov R&D – or SOME R&D - at the creation of hardware for use in abstracting identity from individuals. This needs to be trusted by government, but not necessarily government run/sponsored.