NSTIC 101 (wtf?)

From IIW

Issue/Topic: NSTIC 101 (wtf?) (F1D)

Convener: Heather West & Jay Unger

Conference: IIW-East September 9-10, 2010 in Washington DC

Notes-taker(s): Joshua Gruenspecht

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Initial Discussion: Heather, Jay, Aaron Titus describe the process of the creation of the document to date. Created out of a White House policy review, intended to have the force of an executive directive. Authority derives from the executive order that created the review.

<Lots of cross-discussion about the probability that this is placed on the desk of the President and signed – general consensus from the parties to the talks to date that this will be done this year.>

What is the content?

Heather/Jay: Unclear. May include government access using third-party credentials, may include third-party access using government credentials. It’s a very objectives-level document.

Will they be continuing to revise the document?

Aaron/Jim/Heather: Yes, although continued comment may not be welcome. They’ve been burned by the first round of comments through Ideascale. A lot of useless feedback, plus a lot of pushback from civil liberties groups.

Who’s responsible for this document (and why aren’t they here)?

Aaron/Heather: The Cybersecurity Office in the White House (and we tried!).

What changes can we expect?

Heather/Aaron: Probably fewer questionable examples full of hand-waving. Everything else is unclear.

What agency is likely to end up with the responsibility for this?

<Cross discussion about how none of the obvious choices (Justice, Homeland Security, Defense, the Post Office) look appetizing.> Jens: I hear three possibilities: Homeland Security, GSA, Commerce (NIST).

Third parties and their responsibility

Aaron: Problem with third-party IdPs and data custodians as well – namely, ensuring that if third parties are used as parties in the transactions between citizens and government, that they don’t then sell that data to others. Jim/Heather: According to NSTIC, players in the ecosystem will be responsible for ensuring some (presumably low) level of privacy protection.

Is this a useful thing? What one change could make this more successful?

Nathan: There isn’t one! Jay: If this is a step toward the government taking an “encouragement” role, then that, at least, is a positive thing. Heather: If the government is agreeing to be a relying party in transactions, that may be the very best thing that it can do. Myisha: Just agreeing upon rules of the road to satisfy all the lawyers everywhere would be a big step. <Cross-talk about liability for breach and allocation of risk> Jim: Liability doesn’t need to be limited, it needs to be allocated in the first place. <Cross-talk between people who believe that NSTIC is at least a first step toward government reliance on a standardized ID system vs. those who believe that even if it is a first step, government moves so slowly that adoption is, at the least, years away>

More about liability

Jens: One real problem that this doesn’t address is reputation loss – FDIC model for identity may not cut it. <Cross-talk about assigning liability within the NSTIC framework> Myisha: We may need multiple levels of reliability in ID provision so that we can have multiple levels of reliance, risk, and liability. <Discussion of a “credit services” model (like Equifax, etc.) – liability of IdPs restricted to safe and secure storage and distribution of data – no liability for inaccuracies. This is popular with several attendees, and is proposed as one possibility that should be explored by the NSTIC authors> <Discussion of what an IdP can do to prevent breach and what its liability would be in the event of breach. IdPs as the equivalent of banks vs. IdPs as credit services> Jay: In order for this to work, there must be a business model that does not rely on the resale of people’s information. <Discussion of how to get such a model into the NSTIC>

Where is the money going to come from?

Nathan/Myisha/Jim/etc.: The key questions for government money are – Will this get into the 2012 budget? Will all, some, or none of the money requested make it in? Jim/Jay: Then, we’d need to get into the business model questions – Can we tier by LOA?

What changes should we, the identity-interested community, request?

Jay: A clearer, shorter document with more participation. Barb: Why don’t we act as an advisory group? Heather/Aaron: We can’t, because of ethics rules, and they’re receiving so much information anyway that they can’t distinguish signal and noise. Plus, we’re rushing toward their October deadline.