Microsoft Security chief pleads for “collective defense” of the Internet

At RSA, Microsoft's Scott Charney laments Commerce Dept. protection plan dismissed as ‘government ID’

Scott Charney, corporate vice president for Microsoft’s Trustworthy Computing initiative, today promoted the idea of a “collective defense” of the Internet at the RSA Conference 2011 going on in San Francisco. In his keynote, he said collective defenses include a combination of security measures by individuals, corporations, Internet service providers and, yes, government. Yet such government proposals have prompted knee-jerk cynicism at which I just have to shake my head in dismay.

Charney mentioned a U.S. Department of Commerce launch of the National Strategy for Trusted Identities in Cyberspace (NSTIC) to better protect the Internet and, especially, the citizens who use it. The program creates an “identity ecosystem” where users can validate their identities securely, but with minimal disclosure of information when they’re doing sensitive transactions such as banking, while simultaneously letting them stay anonymous when they choose to be, such as when they’re blogging. This could be an improvement over the status quo, in which individuals have to remember multiple passwords for different sites but end up using the same username and password, kind of defeating the purpose.

Under the Commerce proposal, multiple accredited identity providers – both private and public – would offer these credentials, according to Howard Schmidt, a cybersecurity special assistant to President Obama, in a post on the White House blog. Charney displayed an image of the post during his RSA speech.

But Charney laments that the proposal has been viewed as somehow sinister: “Some people report that there's going to be a national ID card. Where did that come from? It's not true,” he said.


Sure enough, The Washington Times editorialized that readers should “run as far away as they can from this purported assistance,” which it says will “centralize personal information and credentials.”

“Put another way, [Commerce Secretary Gary] Locke is saying, ‘Trust us, we’re from the government, and we’re here to help,’” the editorial read, which is the knee-jerk reaction from certain quarters to every initiative the government undertakes.

The paper also cited instances where government hard drives were lost with sensitive data on them, which has nothing to do with online security.

Well, I’m not buying it, Washington Times.

Charney explained that the online credentials would be just one of the many identities people already carry with no qualms, such as a corporate ID to get into their office, a driver's license to board an airplane or a passport to travel abroad. Furthermore, Charney showed a video of a program just launched in Germany, which delivers EID cards for citizens to protect their online identity. The video showed a woman at risk of hypertension given a blood pressure monitor. When she uses it, she can see a secured view of her results, which she can choose to share with her doctor. Charney also showed how a bank Web site can scan a customer’s computer and recommend a security upgrade before connecting the customer to its site.

This is the fundamental difference between a secure online identity that the German government, Microsoft or the Commerce Department envision and the “government ID” its ill-informed critics deride. Said Charney: “In these models you'll notice that the user always retains control of the data that they choose to pass.”

Bill Conner has heard the “national ID” wail before and says it’s why the U.S. falls behind other nations in Internet security. Conner is the CEO of Entrust, a provider of identity-based security solutions, who says secure online ID technology is available in “just about every country” in which Entrust does business. “We’re just not there.”

When Conner was previously on the board of online travel site Travelocity, whenever the question of a “national ID” came up in a user survey related to security, it faced strong opposition.

“You’re asking the wrong question,” he said. “If you ask ‘Would you give up some of your personal information to put on a card if it was going to be protected, and if it would speed you through the airport,’ you know what? I think you’d get a very different answer.”

Here’s to asking the right questions and making informed decisions.

Other coverage of Charney's remarks can be found here.
