Recently, Matthew Lasar wrote an article for Ars Technica about the potential for a new national cybersecurity plan. According to a press statement, United States Secretary of Commerce Gary Locke is taking up the Obama administration’s efforts to enhance online security and privacy, along with the next steps in meeting the challenges of a growing cyber world.
Lasar’s article goes on to say that the plan is to launch a National Strategy for Trusted Identities in Cyberspace (NSTIC), a bid to support private-sector solutions that make the online environment more secure. Lasar adds his own view that the timing couldn’t be better, as the Zeus Trojan has struck again, this time among government employees.
Has there been a growing trend of convergence of cyber-crime and cyber-espionage activities as Alex Ross of Netwitness contends in the article? Or have the recent WikiLeaks scandal and Zeus malware gangs hit close enough to home to warrant some real ammunition behind the government’s initiatives toward the creation of increasingly impactful cybersecurity policy?
My take is that the Federal Government’s potential entry into the arena of Internet identity management is a disaster in the making with little to no chance of any benefits for its citizens. The assertion that citizen identity verification would provide any protection against the likes of the Zeus attacks or WikiLeaks is a red herring if there ever was one. In the case of Zeus, the machine itself is compromised to trick users into providing their identities, which are then redirected behind the scenes for a criminal’s benefit. Any government-provided identity would provide no protection in this scenario. As for WikiLeaks, it defies any stretch of the imagination as to how a government-run identity system would circumvent the scenario of an insider sharing secrets with unauthorized parties.
Lasar penned a follow-up article, “Identity Ecosystem? Inside Uncle Sam’s ‘trusted identity’ plan”, that sheds further light on the NSTIC initiative. According to Locke, the “Identity Ecosystem” for cyberspace would be a place where individuals and organizations can complete online transactions with greater confidence, placing increased trust in each other’s online identities and in the infrastructure that the transactions run across.
My only guess as to the source of this bizarre suggestion of the Federal Government getting into identity management would be that the credit card issuers are still trying to distract Federal regulators from doing the job of enforcing worldwide credit card standards. Perhaps the credit card issuers believe that by dangling a bright and shiny hammer that would create a police state where the Federal Government could monitor all citizens’ actions on the Internet (no more anonymous transactions), they will be let off the hook for not upgrading their USA networks and cards. The existing Internet architecture already provides pretty good tracking of identity all the way to specific workstations. There is little need to go much further to identify who is doing what and with whom (the use of Federal subpoenas can do wonders in determining identities when handed over to ISPs).
Basically, there is already a trusted identity system and it is being run by the credit card issuers. They need to clean up their act by updating their technology and stop distracting the Federal Government from their responsibilities. Perhaps the government would accomplish more by reviewing the liability and responsibilities of ISPs for turning a blind eye to obvious criminal activity on their networks.