The plan to "reduce cybersecurity vulnerabilities and improve online privacy protections" floated in June by Howard Schmidt, the Cybersecurity Coordinator and Special Assistant to the President, is comprehensive and an important step in the right direction.
To its credit, the administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC) as a draft, realizing that something this big and complex needs input.
The idea is to ensure online commerce continues to flourish by using trusted digital identities and authentication to address core security issues. The government will be the "primary enabler, first adopter and key supporter" of what it calls an Identity Ecosystem, but consumers would be able to use the tools to safeguard everything from online banking and shopping to accessing health records.
Instead of issuing its own "Internet license," the government wants identity service providers to come out with new credentials or make existing ones interoperable, so that consumers have a choice of suppliers and can count on other merchants in the ecosystem to accept those credentials.
There are already many different types of credentials available, including digital certificates delivered to cell phones. Ideally, for example, I would be able to use my Bank of America SafePass card -- which generates a number used as a second factor when I log onto the bank's site -- to complete a transaction with a Web store.
As some have pointed out, there is little discussion in the proposal about how we would ensure the person applying for a credential is who they say they are. If you can game the system from the get-go, that could be even more dangerous than the problems we face today. That said, use of existing credentials would help circumvent that concern. My bank knows who I am.
Others have taken issue with the idea of centralizing identities, saying that's putting all our eggs in one basket. Having multiple identities is inherently more secure, they argue. Perhaps, but that's what we have today and we still have these problems, so that argument doesn't seem to hold water.
Then there is the whole big brother thing, the fear of the government logging our activities. Here again, the fact that this is government-sanctioned versus government-issued should help.
The point is that the proposal isn't fully baked, nor does it pretend to be. It will be interesting to see what comes out of this review period and how the plan morphs. The authors also recognize that trusted digital identities address only one part of the layered security needed, but count us among those who think this is a good first step.