Last Friday the Obama Administration released its National Strategy for Trusted Identities in Cyberspace (NSTIC), a plan to leverage private sector tools to make it easier for some kinds of transactions to happen online. This would include both consumer and government transactions, and attempt to establish a system where identity can be confirmed online in a way that is much more certain than what is commonly done online.
The strategy outlines the establishment of an Identity Ecosystem that would “securely support transactions that range from anonymous to fully-authenticated and from low- to high-value.” This statement recognizes that some aspects of the Internet not only do not need identities to be confirmed to the same extent desired for something like a mortgage contract, but can thrive on anonymity. As the Strategy envisions this Ecosystem, various credentials and other means of authenticating or authorizing a person for certain activities or transactions would be established (likely evolving from some of what’s currently available). These items could then be used when a person seeks to access a number of different goods and services online. One of the selling points to consumers would be that this Ecosystem would reduce the need to maintain a number of different identities and/or passwords to operate on the web.
While NSTIC envisions the private sector doing a fair amount of work, the government will proceed with establishing an implementation plan and a national program office to coordinate efforts. Arguably it is in the implementation plan, and how well it is followed, that will determine the success or failure of the strategy. In order for there to be trusted identities online, there must be trust in the tools used and in the entities charged with operating those tools. As this usually has required nudging to take place in other parts of the online landscape, it seems unlikely that this strategy will not be successfully implemented without trust.
Last summer USACM issued comments on a draft of NSTIC. Those comments reflect the concerns expressed above concerning successful implementation and management of this strategy. They still make good sense moving forward with implementation of the Strategy. Issuing this document is the first step in what will likely be a long, multi-year process. It’s not too late to read the Strategy and follow the issue as the implementation plan is developed.