NSTIC and the feds HUA problem

Gibbs ponders the National Strategy for Trusted Identities in Cyberspace program and thinks its crazy

If you're going to name something and expect its TLA (Three Letter Acronym) to be used then you really need to make it a memorable and "sayable" acronym. Of course, if the acronym has more than three letters, then it would be an ETLA: An Extended Three Letter Acronym.

For example, the Digital Millennium Copyright Act is the "DMCA." Not bad. It's short, to the point, memorable, and it can be pronounced ("dee-em-cee-ay").

On the other hand the Combating Online Infringement and Counterfeits Act is "COICA". Even the act's full name is unmemorable while the acronym is useless to anyone other than a bureaucrat.

Here's a pretty new acronym for you, "NSTIC" which stands for the "National Strategy for Trusted Identities in Cyberspace." How would you pronounce that? "Nus-tick"? "Nostick"? Who knows? Any way you say it, it is totally unmemorable and, perhaps, therein lays its genius; it sounds so opaque and boring, how important could NSTIC be?

The answer, my friend, is it's hugely important – because it is a totally ridiculous idea.  A great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness.

NSTIC is a program fostered by NIST, the National Institute of Standards and Technology, an agency of the U.S. Commerce Department. According to the NSTIC Web site, the concept "is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure - such as routers and servers."

The hype continues: "The NSTIC envisions a cyber world - the Identity Ecosystem - that improves upon the passwords currently used to login online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they're doing sensitive transactions (like banking) and lets them stay anonymous when they're not (like blogging). The Identity Ecosystem will enhance individuals' privacy by minimizing the information they must disclose to authenticate themselves."

OK, all good in theory but, in practice, not so much. And notice how they switch tense: "Will provide" becomes "enables" as if the functionality of the proposal is already proven!

So what's wrongheaded with this? To begin with, let's look at the government's record for the security of its own services. A November 2010 report by the Government Accountability Office (GAO) concluded that the Internal Revenue Service (IRS) allowed employees too great a level of access to sensitive information than was needed to perform their jobs and its procurement system allowed users to bypass application controls. Wow.

Now, if only that was the extent of the government's online services mismanagement. There was also the Department of Homeland Security's (DHS) failure to complete a system intended to control U.S.-Mexico border security, the Transport Security Administration's (TSA) failure to implement "a risk management framework to make sound decisions regarding the allocation of security resources across transportation modes", and dozens of other SNAFUs that defy belief.

In short, the government, at the heart of its most sensitive public and administrative services, is incompetent on a biblical scale. And now they propose to provide what is, in essence, the management of a single sign-on system that would impact tens of millions of its citizens.

Just imagine if security mismanagement such as that encountered at the DHS or the TSA was to impact the NSTIC; one serious data breach would provide a field day for the bad guys. And should that happen, imagine the chaos while the problem was addressed … clients of any of the government's social services would find themselves locked out, services like the Department of Motor Vehicles would grind to a halt (OK, make that more of a halt), and companies that deal with the government could see their businesses hit a brick wall.

And all of this would be because the wonks at NIST think they can do what enterprises with far more experience in hardcore IT have learned the hard way; that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizen, it would be effectively impossible!

There has to be a TLA for this ridiculous idea.  Let's see.  Yes, I'd go with HUA, that's Head Up ... er, well you can guess.

Gibbs, in Ventura, Calif., is totally unconvinced that the feds can do security. Your beliefs to backspin@gibbs.com.


Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022