White House cybersecurity plan needs Microsoft to work

Software company takes its lumps in public comments section

The White House is seeking public comment on a draft plan released Friday to secure cyberspace with a trusted identities solution. Some of the early comments focus on the inherent vulnerability of Microsoft’s software, although some also said end users need to be more security-conscious.

The draft National Strategy for Trusted Identities in Cyberspace (NSTIC) calls for the creation of an “identity ecosystem where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on,” according to a White House blog post by Howard Schmidt, cybersecurity coordinator and a special assistant to President Barack Obama.

Rather than having to remember a long list of usernames and passwords for each site that requires one, the NSTIC plan would create “a secure, interoperable, and privacy-enhancing credential ... [for people] to authenticate themselves online for different types of transactions.”

The White House is giving the public until July 19 to submit ideas or comments and to vote for or against the proposals of others. A few commentors have already pointed out that any solution to the plague of identity theft, fraud and other cybercrime is going to have to involve Microsoft with its ubiquitous Windows operating system and other software that is frequently the target of cyber attacks.

“This is a horrible idea,” wrote one commentor identified as Andrew S. “There is no such thing as ‘Trusted Identity’ as long as 25% of all computers running Windows are infected with malware that lets other people remotely control their computers. If your computer is compromised, it is impossible to do anything ‘trusted’ on it!”

Another commentor added, anonymously, that it’s up to end users to be diligent about following best security practices on their own, while not absolving software makers of their security responsibilities. “Companies responsible for code that allows massive exploits need to be held to some accountability (looking at you Microsoft and Adobe),” the person wrote.

And while the White House sought input from businesses as well as security experts and the general public on its draft plan, one writer expressed skepticism about the involvement of for-profit businesses in the solution.

“The system should not include any patented approaches, without including a waiver of fees for use of the patents,” wrote another anonymous poster. “Between Microsoft, RIAA, MPAA, and the growing mergers in the broadcast industries, we have too many monopolies abusing the American people.”

Still others recommended the government not “reinvent the wheel” by inventing a trusted identity solution when others are on the market already. Most often mentioned is OpenID, offered by the nonprofit OpenID Foundation, which invites the public to sign up to create one username and password that would work at any Web site that supports OpenID, including Google, Yahoo, Facebook and, of course, Microsoft.

True, OpenID is well known, but I don’t know how widely used it is. Even if it has millions of users, the volume of cyber attacks and other security breaches that continues today would indicate that it is not widely adopted.

But whether a solution is already out there or not, the NSTIC initiative’s greatest potential is to make the public more aware of the threats out there and of the need to take measures to protect themselves.

Some of them are obvious. When you get an e-mail from your bank and the sender apparently cut and pasted the company’s logo, but there are spelling errors in the text, it’s bogus. And, trust me on this, Gmail is not running out of mailboxes so you don’t have to enter your username and password to keep your account current.

C'mon, people. Some of this is as easy as don't leave your keys in your car.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.