Cybersecurity: To Government or not to Government

On May 29, 2009, President Obama held a press conference addressing the creation of the “National Security Staff” and the new White House office of the Cybersecurity Coordinator.  In his address, the President recognized the everyday dependence our country has on the cyberworld – from individuals on a personal level, the physical infrastructure of our country, the economic impact on our nation, to even the functions of the military.  The President also recognized “the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”

The risks of the cyberworld are not just a few stolen identities, but the fact that thousands of people literally have to turn their lives upside down to regain what they lost in a single instant.  As the President stated in his speech, “in the past two years alone cyber crime has cost Americans more than $8 billion” and an estimated $1 trillion in intellectual property has also been stolen from businesses around the world.  This number is only going to increase as time goes on, with new attacks and new methods for cyber criminals to carry out their misdeeds.  Cyberworld risks also include hackers gaining access to government files and the ability to bring down government websites and cripple the physical infrastructure of a nation (i.e., utilities, public transportation and air traffic control) with a few clicks of a button.

To quote the President, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”  As a nation we are essentially not prepared and we lack the necessary information infrastructure.  At one point in time the United States was a leader in the internet — the birthplace of the internet; however, the United States has been steadily losing steam as our information infrastructure (just like our roads and bridges) is becoming second rate in comparison to the international community where broadband speeds of 50 or 100 megabits are available as the norm in places like Tokyo.  In comparison, the United States does not have broadband readily available in all areas and even where available, speeds are at much lower levels and remain incomparable.

In the Metanomics discussion entitled, “The Age of Obama: Virtual Worlds, Open Government, and Policy,” it was highlighted that the U.S. currently has no real national internet policy and it is clear that there is a need to improve our national information infrastructure.

A thought regarding broadband connectivity comes from Kevin Werbach, Assistant Professor at the University of Pennsylvania, Wharton School, where he discusses universal broadband service – the idea that everyone in the United States should have the ability to access and afford internet service as broadband connections and accessibility are now more advanced and affordable in the rest of the developed world outside of the United States.  In essence, the idea for universal broadband connection is based on Universal Service in regards to telephone service, where the initiative was for every individual in the United States to have the ability to afford telephone service.  As technology becomes more advanced, the question becomes how do we evolve existing policy to promote the same intent and policy decisions with new technology.

As it stands, many aspects of our daily lives depend on internet connectivity – there are many government services available only by internet or at least at a much greater convenience via the internet.  (For example, try obtaining a certified copy of a birth certificate, or registering for government benefits.)  The bottom line today is that many government services, the news, healthcare information, and education are available more conveniently or only by internet, and without access, an individual (or even a nation) will be left behind.  So, what is the baseline for internet connectivity, and should not the United States provide the infrastructure behind such basic service needs as the internet since the internet is now the pulse behind much of everything occurring in the world?

The second guest on the discussion from Metanomics was Mitch Wagner who focused on anonymity of the internet culture.  The example used was in regards to Twitter and how such a “primitive” medium could have such power.  The idea was that readers were more likely to believe an unverified and anonymous Tweet regarding news reporting than an actual, verified news agency.  Wagner raises a good point: how do we actually know who we are talking to on the other side of the internet, and how do we really know these people are who they say they are?  This brings in the idea of whether the internet should ultimately be controlled by the government or allowed to be regulated by the free market.  The idea with market control is based on competition, with the best results coming from a large number of competitors with small market shares; however, in reality we have the exact opposite, a small number of competitors holding large portions of the market – essentially monopolizing the industry.  So, the question becomes is government control really the answer?

In the June 25, 2010 Draft of the “National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy” it is suggested that a national Identity Ecosystem be developed.  The idea is that the Federal Government would begin and essentially maintain a universal program for validating and securing identities in the cyber realm.  The idea behind this “Trusted Identities” strategy is to create identities in cyberspace that people, organizations, businesses, and government can trust and authenticate.  These identities would supposedly reduce fraud, increase efficiency, create confidence, and protect a user’s information among other benefits.  On the most basic level, this “trusted identity” would essentially be a standardized profile of your information, stored on a physical device such as a cell phone or flash drive, that could provide to a “trusted” website the information requested (to check your bank records, access government aid, file taxes, make online purchases, etc.) in a verified format so that the other party could be confident that you really are the individual you say you are.  The same idea applies to an individual’s protection: the user could be confident that the information is being provided to a valid source, the information would be secure, and only the bare minimum of information would be provided to the website in order for you to proceed with your desired request.

In order for the “Trusted Identities” platform to function in a meaningful way, the government would need the voluntary participation not only of individual users but also of vendors who would accept this form of identity.  Not only that, but different technologies would need to be able to communicate and exchange the data provided by this medium, receivers would need to be able to “read” the transmitted data, and there would need to be a commonality in policies in regards to the identifying information.

The purpose of this identification system is to “preserve the positive privacy benefits of offline transactions, while mitigating some of the negative privacy aspects,” and much of the framework for evaluating and mitigating privacy impacts is in accordance with the eight Fair Information Practice Principles (FIPP): Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.

To summarize, the goals of the National Strategy for Trusted Identities in Cyberspace are as follows:

1. Develop a comprehensive Identity Ecosystem Framework

2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework

3. Enhance confidence and willingness to participate in the Identity Ecosystem

4. Ensure the long-term success of the Identity Ecosystem

The crux of the strategy is government involvement and individual participation, however, in my opinion, the reality of this supposed possible “strategy” is one in which the idealistic goals are just plain impossible – not only logistically but practically as well.  As lofty of a goal as a streamlined, user friendly, and reliable cyber identification system sounds, realistically, there are a lot of problems the proposal fails to address.  For starters, participation is key but only voluntary, so there would be no use for a uniform system if not all users or vendors participated;  and the idea of condensing an individual’s numerous accounts and passwords into a single form would be defeated if the form was not universally accepted.

Second, the proposal claims the system would prevent different vendors from sharing information, or more simply, from allowing someone to “connect all the dots” of what an individual shares or does online.  I might not be a technology guru, and you may be skeptical, but the idea that the information originating under one account will not somehow be or always be connected seems to be an outright impossibility!  I just do not buy the fact that with the technological concerns already in play today (where a photograph posted on the internet may contain personal information of the location the photo was taken and your personal email address) that it would be even feasible to somehow limit the connectivity of the internet and what the nature of cyber culture provides.

Third, the system touts the efficiency of having all of your passwords and personal identification materials stored in one location.  As great as that sounds for the forgetful person or the lazy, it does not seem to be the greatest idea to put all of your eggs in one basket.  Now, since all your information is “conveniently” stored in one location, once stolen or accessed by an unauthorized user (no, I do not believe it will be possible to once and for all create a system that will be impossible to be penetrated by a cyber attacker) you have just given an unwanted predator access to everything and anything you own, have come in contact with, or merely browsed.

Another thought regarding this system is the fact that all your personal information would be stored in a key of some sort, possibly your cell phone or a flash drive.  We already know the dangers of connecting your cell phone to all sorts of personal applications (your Facebook account, banking information, e-mail, etc.) and we all know that once you lose your phone you are in a load of trouble dealing with all the interconnected personal information you just lost with your cell phone.  So, why would we want to create some sort of application for a new verified identification system stored on a device such as your cell phone in order to lose or damage not only some of your personal information, but ALL of your personal information?

The National Strategy for Trusted Identities in Cyberspace states the following actions in order to facilitate its goals:

1. Designate a Federal Agency to lead the public/private sector efforts associated with achieving the goals of the Strategy

2. Develop a Shared, Comprehensive public/private sector implementation plan

3. Accelerate the expansion of Federal services, pilots, and policies that align with the Identity Ecosystem

4. Work among the public/private sectors to implement enhanced privacy protections

5. Coordinate the development and refinement of risk models and interoperability standards

6. Address the liability concerns of service providers and individuals

7. Perform outreach and awareness across all stakeholders

8. Continue collaborating in international efforts

9. Identify other means to drive adoption of the Identity ecosystem across the nation

I am not going to lie and say that these goals and plan of actions suggested for the National Strategy for Trusted Identities in Cyberspace are a great idea.  Yes, it could be more convenient, and it would be nice to “verify” information to a website without providing all your personal information, but there are pitfalls (as I stated above) that I believe are unavoidable in creating this type of system – pitfalls that are so fundamental and basic that creating such a system would be just plain irresponsible.  So my final verdict: Nice try, but really?!?

~ by damsel1 on October 18, 2010.

10 Responses to “Cybersecurity: To Government or not to Government”

  1. With the Internet practically being its own living entity I am curious how Obama’s S.773 legislation would allow the President to disable networks in the case of a catastrophic cyber attack. It seems like it would take millions of tax dollars to initiate such an extreme response in the event of a “catastrophic attack.” Moreover, I am curious what events would qualify for this extreme response. I also feel that since so much of what occurs in the cyberworld goes through private corporations, how would a plan that would allow Obama to take over without warning be affected by the Constitution? In essence, how is that different from the gov’t coming in and taking over a brick and mortar location of a business? Plus I also have another issue. It seems to me the cyberworld isn’t owned by the United States or any one entity so the mere suggestion that the gov’t could take over it in case of a “catastrophic event” does not sit well with me.

    On another note, the gov’ts desire to create a secure global infrastructure is one that is very hard to fathom. Unless the plans are to subject all private individuals to strict regulation in use of the Internet, it seems very difficult to truly create a secure infrastructure. There are so many ways in and around cyberspace that it seems like a far-fetched possibility that you can regulate something that by definition is almost impossible to control. The only thoughts could be regulating what websites we could, as Americans, access and that would do little more than sever international ties and make it a near impossibility to conduct international commerce.

    On the other hand, I do feel that virtual worlds can increase security for gov’ts, such as easing communications between gov’t officials and hostile foreign leaders or contacts, allowing a forum where communication can be private, comfortable, and safe. This could even be used by intelligence agents in their communications with contacts and informants to maintain their identities safe.

    I think the best defense to the possibility of cyber terrorist attacks is to reduce the dependency of our most vulnerable and imperative agencies and to have an independent system to safeguard things such as utilities. Once upon a time, none of these agencies depended on the Internet to conduct business and these utilities still existed without issue. In fact, in many areas of the country where the BIP and BTOP programs are not yet initiated, many people do not have the readily accessible services of broadband technology and they function fine… why not go back to that with our most vital agencies? Instead of creating a complex system to regulate a nearly-impossible-to-regulate forum, remove the potential problem altogether.

    As for the Identity Ecosystem and Trusted Identities. I have a huge problem with the notion of submitting all my private information to an online source, whose security I have no way of measuring and no ability to ensure that my information will not be hacked. Why is it more reasonable to provide, for example, an online vendor with more information about myself than I would if I walked into that vendor’s physical store just to ensure his peace of mind? I think that with the number of people who are already wary of the Internet and giving out of private information such a system would serve to create more problems than it would resolve, and would create a huge security issue as hackers would become more efficient at hacking websites, especially when all sites would essentially have the same protections and information databanks in place necessary to create a “commonality” of identifying information.

  2. The identity ecosystem sounds scary and like a very bad idea. On one hand, we’re supposed to be lagging behind the rest of the world with the internet, but on the other we are secure enough to protect all of our identities in one location? I can’t imagine that’s true.

    I have no interest in having all my information in one location so that if a criminal gets on he or she gets all. Aren’t we supposed to have different passwords for all the different things we sign up for on the internet because of that concern?

    Seems like we’re better off trying to figure out different ways to verify identities online.

    You gave Twitter as an example of something where we don’t know who we are actually reading material by. While that is true in most circumstances, Twitter does have its own system where certain Twitter users can be verified as the actual person the account is claiming to be. However, there is still no guaranteeing that when an account is verified that the person claiming to be making a particular Tweet is making that Tweet.

  3. NO WAY! I would never sign up for something like this. Like you said, what happens if I lose my information holding cell phone??

    This seems way, way too “1984”. We are expected to just hand over all our personal information to Big Brother, err, the United States government?

    No, thank you. This seems like it would create a hacker’s paradise with hackers attempting to hack and steal information off the servers every second of every day.

    I think a better strategy would be to continue to educate those using the internet about the various dangers of providing information online.

    By the way, I wish the Florida Board of Bar Examiners would join the 21st century and go online with their documentation. Why everything has to be done through snail mail is a mystery to me.

  4. The internet is amazing, and I can’t imagine life without it (weird to think about because half of my life was spent without it), but I think that the potential for damage is so great that it really makes me think twice before doing certain things online that involve my personal information. I agree with President Obama’s comment that “the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” Something needs to be done, fast. That being said, I do not think that it should be a national Identity Ecosystem. It would make life a lot easier for criminals to gain access to a person’s personal identity. Also, what would happen if you lost or misplaced it? I must be misinterpreting this, because there is no way that this is what they meant by it. It just seems like a recipe for disaster, and as Christine said, irresponsible.

  5. As I read the proposal for the “Trusted Identities” plan, I had the same reaction you did. Although if it all came together and worked as described it would be great, there are just too many practicalities that scenario would have to overcome in order to reach fruition.

    Participation would likely be an issue in such a voluntary system, but I’m sure the government could figure out an incentive to make people want to participate, like some tax benefits or maybe you just don’t have to fill out the next census (wouldn’t that be nice?).

    But I think the real problem is, as you noted, that since all of the nation’s contact and personal information are in the same place, a giant e-target would be placed on the site from its inception. Hackers all over the world with chips on their shoulders would love nothing more than to be known as the one who toppled the US Trusted Identities database, and would consequently devote their lives to finding a way in. And since any man-made technology is by definition imperfect and subject to destruction by other people, it would be only a matter of time until some hacker spends enough time in his mom’s basement to figure it out. As a result, I agree that while the aims of the plan are admirable, the Trusted Identities program is infeasible the way it has been described.

    The whole net neutrality debate is picking up some steam now, especially with the election looming and the (hopefully temporary) popularity of the Tea Party. Furthermore, because countries like Finland are making broadband access a fundamental right (CITE: http://www.cnn.com/video/#/video/world/2010/07/01/intv.finland.internet.legal.right.cnn?iref=allsearch), I agree that it’s ironic that the US, where the internet was invented, is lagging behind on its regulation. I expect it will be a bigger topic in the next presidential election when hopefully more people are interested in the future of the most explosive change to human interaction in history.

  6. While there isn’t something exactly like “Trusted Identities” out there now, there are web sites that allow you to verify your ID. RelyID, for example, is used on a lot of dating sites so that you know the person you’re going to meet is the person they’ve been representing themselves to be. I’m not sure what the Trusted Identities program would add to these kinds of services except headache and the potential for some severe security threats.

    I currently file my taxes online. The federal government has had no issue determining that I am who I say I am (although if someone else wanted to pay my taxes for me, I’m not sure I would mind). If someone wants to verify that it’s me they’re talking to, there are a lot of ways to do that without accessing my bank accounts, finding out if I have government aid, and knowing every password from my Facebook account to my blog password. There is a good argument for being able to verify identity on the internet – but let’s not let this narrow need compel us into sharing all sorts of information the government and businesses have no need or right to know.

  7. I hate to be jumping on the bandwagon here, but my thoughts on this post pretty much echo the opinion of everyone else. This “Trusted Identities” strategy sounds awesome, Utopian, idealistic, and totally infeasible. A world that could get a program like this to go off without a hitch is probably the same kind of world that would not have cyber security issues in the first place.

    Aside from this proposal being as impractical as a solar powered flashlight, this also strikes me (and everyone else) as a huge liability. Isn’t the point of internet passwords for them to be obscure and different? Why would anyone ever think it’s a good idea to make the same information be applicable to everything we do online? It’s a gold mine for hackers. And, while I’m sure it might be more difficult under this proposal, I am confident that somewhere, someone is going to be able to figure out how to beat this system.

    So while I agree with everyone that the Trusted Identities strategy sounds great in theory, it seems like it would certainly fail in execution. Obviously, something needs to be done. If the country that created the internet (read: us, or US, however you want to read that) has a second rate infrastructure compared to other countries, I am all for something being done to get us at least on par with everyone else, I just don’t think that this proposal is the solution.

  8. I too am of the mindset that while the Internet provides a risk channel to the government, security, and citizens of the United States, systems such as those mentioned in this blog post seem to be even more risky to the First Amendment rights of US citizens.

    The Trusted Identities program sounds like it could quickly devolve into a system in which all online statements and activities are automatically bound to the real identities of the individuals making them. A similar requirement was temporarily considered in Australia during elections, when any political opinions submitted online were to be associated with a user’s real name and information. (http://www.heraldsun.com.au/news/national/outrage-as-south-australias-rann-government-opposition-unite-to-gag-internet-election-debate/story-e6frf7l6-1225826073800) This system was withdrawn in the face of fierce opposition. While Australia has no explicit First Amendment free speech rights, this system would severely offend such rights here in the United States.

    Similarly, granting the government the ability to “shutdown the Internet” at any time would also do much to reduce free speech and communication within this country. What is to stop the government from taking these halt measures when it feels that there is risk to its institution from its own populace instead of some outside force?

  9. I agree with you about your identification of REAL problems with this. It is like a hacker’s paradise. It reminds me of when someone hacked TJ MAXX and everyone who ever made a purchase got a letter explaining the situation. Apparently TJ MAXX stored all the CC info in one central location and that whole system was compromised. I see the same sort of thing happening here. If someone gets into the system (even a disgruntled employee with permission to enter the system?), we are all screwed.

    I agree with Obama that the internet can be used as a very powerful and destructive device. It may be our greatest asset, but it may very well be our greatest threat if our enemies use it against us. This program seems to be handing the enemies ammo on a silver platter.

    On the other hand, I could not think of any safe way to protect against cyber crime. Maybe we should think of it like real-world crimes (real meaning not internet). For example, we protect ourselves against being mugged by walking with our defenses up. We only disclose the last 4 of our social to verify identity. I think cyber crime will never go away, and perhaps protecting ourselves on an individual level is the best way to protect ourselves. I’m not saying that the government should not attempt to police the problem, but I am saying that they should figure out better ways of going about doing so.

    On another note, this “everyone should get internet” idea is interesting. There is no fundamental right to an education. Yes, every state offers a public education system, but they don’t have to. I think it would be nice if everyone got broadband, but I do not think everyone should be guaranteed access to such services. How would we do so? Tax dollars? That means raising taxes or reducing spending in other areas, which is a whole other discussion.

    There are a host of issues raised by these discussions, and I think it will be interesting to watch this area of our economy, law, and lives develop.
