Executive Summary A secure cyberspace is critical to our prosperity 1 We use the Internet and other online environments to increase our productivity, as a platform for innovation, and as a venue in which to create new businesses “Our digital infrastructure, therefore, is a strategic national asset, and protecting it—while safeguarding privacy and civil liberties—is a national security priority” and an economic necessity 2 By addressing threats in this environment, we will help individuals protect themselves in cyberspace and enable both the private sector and government to offer more services online As a Nation, we are addressing many of the technical and policy shortcomings that have led to inse- curity in cyberspace Among these shortcomings is the online authentication of people and devices: the President’s Cyberspace Policy Review established trusted identities as a cornerstone of improved cybersecurity 3 In the current online environment, individuals are asked to maintain dozens of different usernames and passwords, one for each website with which they interact The complexity of this approach is a burden to individuals, and it encourages behavior—like the reuse of passwords—that makes online fraud and identity theft easier At the same time, online businesses are faced with ever-increasing costs for man- aging customer accounts, the consequences of online fraud, and the loss of business that results from individuals’unwillingnesstocreateyetanotheraccount Moreover,bothbusinessesandgovernments are unable to offer many services online, because they cannot effectively identify the individuals with whomtheyinteract Spoofedwebsites,stolenpasswords,andcompromisedaccountsareallsymptoms of inadequate authentication mechanisms Just as there is a need for methods to reliably authenticate individuals, there are many Internet transac- tions for which identification and authentication is not needed, or the information needed is limited It is vital to maintain the capacity for anonymity and pseudonymity in Internet transactions in order to enhance individuals’ privacy and otherwise support civil liberties Nonetheless, individuals and busi- nesses need to be able to check each other’s identity for certain types of sensitive transactions, such as online banking or accessing electronic health records The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation. The realization of this vision is the user-centric “Identity Ecosystem” described in this Strategy It is an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital iden- tities of devices The Identity Ecosystem is designed to securely support transactions that range from anonymous to fully-authenticated and from low- to high-value The Identity Ecosystem, as envisioned here, will increase the following: • Privacy protections for individuals, who will be able trust that their personal data is handled fairly and transparently; • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today; • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes; • Ease-of-use, by automating identity solutions whenever possible and basing them on technol- ogy that is simple to operate; • Security, by making it more difficult for criminals to compromise online transactions; • Confidence that digital identities are adequately protected, thereby promoting the use of online services; • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence; • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media Examples that illustrate some potential benefits of the Identity Ecosystem can be found throughout the Strategy within the “Envision It!” callout boxes The enhancement of privacy and support of civil liberties is a guiding principle of the envisioned Identity Ecosystem The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider cangainacompletepictureofanindividual’slifeincyberspace Bydefault,onlytheminimumnecessary information will be shared in a transaction For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data In addition to privacy protections, the Identity Ecosystem will preserve online anonymity and pseud- onymity, including anonymous browsing These efforts to enhance privacy and otherwise support civil liberties will be part of, and informed by, broader privacy policy development efforts occurring throughout the Administration Equally important, participation in the Identity Ecosystem will be vol- untary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them The second guiding principle is that identity solutions must be secure and resilient Trusted digital identities are only one part of layered security, and online security will not be achieved through the establishmentofanIdentityEcosystemalone However,moresecureidentificationandauthentication will both ameliorate existing security failures and provide a critical tool with which to improve other areas of online security The Identity Ecosystem must therefore continue to develop in parallel with ongoing national efforts to improve platform, network, and software security—and efforts to raise awareness of the steps, both technical and non-technical, that individuals and organizations can take to improve their security The third guiding principle of the Identity Ecosystem is to ensure policy and technology interoperability among identity solutions, which will enable individuals to choose between and manage multiple differ- entinteroperablecredentials Interoperabilitywillalsosupportidentityportabilityandwillenableservice providers within the Identity Ecosystem to accept a variety of credential and identification media types The fourth guiding principal is that the Identity Ecosystem must be built from identity solutions that are cost-effective and easy to use History and common sense tell us that privacy and security technology is most effective when it exhibits both of these characteristics The Strategy will only be a success—and the ideal of the Identity Ecosystem will only be fulfilled—if the guiding principles of privacy, security, interoperability, and ease-of-use are achieved Achieving them separately will not only lead to an inadequate solution but could serve as a hindrance to the broader evolution of cyberspace Specifically, achieving interoperability without the appropriate security and privacy measures could encourage abuses of personal and proprietary information beyond those that occur today However, this risk is more likely to be realized if we take no action: identity solutions in cyberspace are already evolving One key role for the Federal Government in the implementation of this Strategy is to partner with the private sector to ensure that the Identity Ecosystem implements all of the guiding principles The Federal Government’s role is also to coordinate a whole-of-government approach to implementation, including fostering cooperation across all levels of government, to deliver integrated, constituent-centric services The Strategy emphasizes that some parts of the Identity Ecosystem exist today but recognizes that there is much work still to be done The Strategy seeks to promote the existing marketplace, encourage new solutions where none exist, and establish a baseline of privacy, security, interoperability, and ease of use that will enable the market to flourish Central to the Strategy’s approach is the conviction that the role of government in achieving the Identity Ecosystem is critical and must be carefully calibrated On the one hand, government should not over-define or over-regulate the existing and growing market for identity and authentication services If government were to choose a single approach to develop theIdentityEcosystem,itcouldinhibitinnovationandlimitprivate-sectoropportunities Ontheother hand, the current market for interoperable and privacy-enhancing solutions remains fragmented and incomplete, and its pace of evolution does not match the Nation’s needs The private sector will lead the development and implementation of this Identity Ecosystem, and it will own and operate the vast majority of the services within it The Identity Ecosystem should be market- driven, and it should provide a foundation for the development of new and innovative services The Strategy’s approach is for the Federal Government to promote the emergence of an integrated land- scape of solutions, building on a number of existing or new public and private initiatives to facilitate the creation of the Identity Ecosystem The role of the Federal Government is to support and enable the private sector; lead by example in utilizing and offering these services; enhance the protection of individuals; and ensure the guiding principles of privacy, security, interoperability, and ease of use are implemented and maintained in the Identity Ecosystem The Federal Government is initiating two short-term actions to implement the Strategy These are to: • Develop an Implementation Roadmap that identifies and assigns responsibility for actions that the Federal Government can perform itself or by which the Federal Government can facilitate private-sector efforts • Establish a National Program Office (NPO) for coordinating the activities of the Federal Government and its private-sector partners The NPO will be hosted at the Department of Commerce and accountable to the President, through the Secretary of Commerce The complete Identity Ecosystem will take many years to develop, and achieving this vision will require the dedicated efforts of both the public and private sectors The Federal Government commits to collaborate with the private sector; state, local, tribal, and territorial governments; and international governments–and to provide the support and action necessary to make the Identity Ecosystem a reality With a concerted, cooperative effort from all of these parties, individuals will realize the benefits of the Identity Ecosystem through the conduct of their daily transactions in cyberspace
| Org | Common People |
|---|---|
| National Institute of Standards and Technology | Naomi Lefkovitz |
| ID2020 Summit 2018 | Naomi Lefkovitz |
| Types | Organization |