No More Passwords? Trusted Identities to Secure Critical Infrastructure

Posted: Dec 11, 2013

Every week seems to bring news of yet another website hacked, user accounts compromised, or personal data stolen or misused. Just recently, many Facebook users were required to change their passwords because of a breach at Adobe, a completely different company. Why? Because attackers know that users frequently re-use the same password at multiple websites, so credentials stolen from one site can simply be replayed against accounts at another. This is just one of many reasons that the system of passwords as it exists today is hopelessly broken. And while today it might be a social media website, tomorrow it could be your bank, your health services provider, or even a public utility. Two complementary national initiatives aim to do better before the impacts of this problem grow even worse.

Developed in 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a key Administration initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions. NSTIC calls for the creation of an Identity Ecosystem – an online environment in which individuals can trust each other because they follow agreed-upon standards to authenticate their digital identities. What this means for individual users is that they will be able to choose from a variety of more secure, privacy-enhancing identity solutions that they can use in lieu of passwords for safer, more convenient experiences everywhere they go online.

The NSTIC also helps multiple sectors in the online marketplace, because trusted identities provide a variety of benefits: enhanced security, improved privacy, new types of transactions, reduced costs, and better customer service. The National Institute of Standards and Technology (NIST) is leading implementation of the NSTIC.

NIST is also leading the development of a voluntary framework for reducing cyber risks to critical infrastructure. This latter work is being done in response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which President Obama issued on February 12, 2013, in recognition of the fact that the national and economic security of the United States depends on the reliable functioning of critical infrastructure. On October 29, 2013, NIST released a preliminary version of the Cybersecurity Framework, developed using information collected through the Request for Information (RFI) published in the Federal Register on February 26, 2013, a series of public workshops, and other discussions.

How are these two national cybersecurity efforts related? While the Executive Order focuses on critical infrastructure, managing identities is a foundational enabler for cybersecurity efforts across all sectors. The NSTIC complements the goals and objectives of President Obama’s Executive Order by promoting the use of trusted identity solutions in lieu of passwords, which will help strengthen the cybersecurity of critical infrastructure. Trusted identities offer owners and operators of critical infrastructure more secure, privacy-enhancing, and easy-to-use solutions to help secure IT systems from potential attack.

A key NSTIC initiative is facilitating the work of a private sector-led Identity Ecosystem steering group, which is working to develop an Identity Ecosystem Framework in which different market sectors can implement convenient, interoperable, secure, and privacy-enhancing trusted solutions for digital identity, including within critical infrastructure. This group currently has more than 200 members, including many from critical infrastructure sectors; membership is currently free and we encourage all stakeholders to get involved. Like the NSTIC, the Cybersecurity Framework will result in flexible, voluntary guidelines for industry to implement better cybersecurity practices, with the private sector offering a marketplace of tools and technologies. A key element of success for both the NSTIC and the Cybersecurity Executive Order will be market adoption of their primary deliverables; accordingly, implementation activities around both initiatives include the development of mutually beneficial legal, economic, and other incentives to promote deployment.

To ensure that the Cybersecurity Framework takes full advantage of the trusted identity solutions marketplace, we strongly encourage input on the preliminary Cybersecurity Framework.

On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the Federal Register. Comments are due no later than 5pm EST on December 13, 2013.

Tags: cybersecurity, NIST, cyber risk, risk management