Source: Smart Card Alliance
The Smart Card Alliance endorses the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC), developed under the auspices of the President's Cyberspace Policy Review by the National Security Staff and an interagency writing team.
The NSTIC initiative correctly recognizes that there are very real problems of identity management, privacy and security in our society today, and brings a much-needed focus on solving the problems. Although its scope is limited to cyberspace, the Framework it outlines would also establish essential foundational elements that can help to strengthen identity, privacy and security in healthcare, social security administration, immigration reform and other programs in the physical world.
The NSTIC Framework draft is well conceived and written. It is intentionally broad in scope, providing a wide range of trusted identity constructs and identity protection technologies. The Framework is very pragmatic and practical in its approach, because it limits its role to being an enabler, facilitator and accelerator of the Identity Ecosystem development. There is a clear recognition that many different public and private stakeholders will be involved in working out the specifics of the Framework and ultimately, using it.
The Healthcare and Identity Councils of the Smart Card Alliance, a non-profit public/private partnership organization whose members include healthcare providers, financial institutions, payment brands, enterprises, government users and technology providers, prepared specific comments on the NSTIC Framework draft. Some top-level points are:
* The Alliance strongly agrees with the ideas of using federal, state and local government and academia programs to accelerate development of the Identity Ecosystem, while leveraging existing procedures, standards and technologies such as FIPS 201 and the Federal Identity, Credentialing and Access Management Roadmap used to achieve Personal Identity Verification (PIV) and interoperability (PIV-I) in Homeland Security Presidential Directive (HSPD)-12.
* The highest priority should be first defining the Identity Ecosystem for the most trusted digital transactions based on an identity medium, because this part of the Identity Ecosystem can have the greatest positive impact on identity, security and privacy and it is also the least developed commercially and therefore needs the greatest attention and leadership.
* A suggested idea to make high-value identity transactions both secure and easy to use is the familiar approach of a card and PIN as an identity medium; however, to achieve high levels of security, the card must include smart card technology to carry PKI credentials, biometrics and other security features; other important advantages are that this would create a portable identity medium, and it provides a secure environment that is independent from the PC, thereby side-stepping issues involved with PC, website and service provider hacker threats.
The NSTIC document explains that the need for such a strategy is due to the rising tide of identity theft, online fraud and cyber intrusions, the proliferation of usernames and passwords that individuals must remember, and the need to deliver online services more securely and efficiently. The Framework mentions smart card technology as the kind of technology appropriate for an identity medium, or a personal security device to protect identities in online transactions, and prevent others from stealing or misusing identities.
An Identity Ecosystem that includes smart card technology as an identity medium for high-assurance online identity transactions will provide a very strong and proven foundation for protecting identities in cyberspace in a secure, privacy-sensitive way. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to this initiative.
What is the advantage of using smart card technology?
A smart card is a card with a small computer in it. Unlike magnetic stripe or RFID cards, the smart card's computer provides high levels of security and privacy protection. Unlike PCs and other open systems, smart cards are designed for security and are virtually impervious to malware, forgery and other fraudulent efforts to extract information.
Smart cards can provide a secure, tamperproof container for PKI digital identity credentials and biometric identifiers. In addition, they can be delivered in a familiar card format, making them both portable and easy for broad public distribution and use.
These capabilities make smart card technology ideal for protecting identities and privacy, and for preventing fraud. Smart cards are readily used online and across networks and deliver very high levels of security over the Internet.
Many readers of the NSTIC Framework may not be aware that all U.S. federal government employees have a smart card-based ID card, the Personal Identity Verification (PIV) card, which can be used to access government facilities and information systems, and to digitally sign documents or online transactions. The new electronic passports in the U.S. and many other countries are based on smart card technology. The SIM cards used in 80 percent of the world's cell phones are smart cards. Nearly one billion credit and debit cards worldwide are smart cards, based on an interoperable global standard called EMV, named for its original sponsors Europay, MasterCard and Visa.
More information is available at http://www.smartcardalliance.org/pages/activities-councils-identity including the following white papers:
* Healthcare Identity Management: The Foundation for a Secure and Trusted National Health Information Network
* Assurance Levels Overview and Recommendations
* Identifiers and Authentication -- Smart Credential Choices to Protect Digital Identity
* Identity Management Systems, Smart Cards and Privacy
* Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology
* Secure Identification Systems: Building a Chain of Trust
The current final draft is posted on www.nstic.ideascale.com for public review and input. The Department of Homeland Security is supporting the NSS in this public review period and is providing NSS with the use of an Open Government tool called IdeaScale to collect and prioritize comments. The document will be posted until July 19th, 2010.