National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties? – by DHS Fellows

On Thursday, March 24, 2011, two Department of Homeland Security Fellows at Syracuse University spoke on  National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties?  A PDF file of the slides that they used can be downloaded here.  Below is an outline of their presentation.

National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties?

 Disclaimers

This presentation was developed under a DHS Science and Technology Assistance Agreement awarded by the U.S. Department of Homeland Security. It has not been formally reviewed by DHS. The views and conclusions contained in this presentation are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The Department of Homeland Security does not endorse any products or commercial services mentioned in this presentation.

 This presentation is not intended to advocate for or against the NS-TIC but to provide an overview of the issues surrounding it and identity management in general.

 About Us

• Jeff Keesom – JD / MPA ’12 (Law / Maxwell)
  • BS – Computer Science; BA – Political Science
    University of Rochester (2008)
  • MS – Software Engineering
    Rochester Institute of Technology (2009)
  • 5 years software development experience for  various organizations, including the U.S. Department of Justice and Johnson & Johnson
• Macy Cronkrite – MS ’11, MS’12 (iSchool)
  • BS – Computer Science
    SUNY Brockport (2009)
  • C.A.S Information Security Management
  • 7 years software development and management experience

 Outline

• Cyber security in a nutshell
• Identity management problem overview
• NS-TIC
  • Goals / Key Aspects
  • Federated identity management
  • Issues
    • Legal / Policy
      • Civil liberties
  • Technical
• Criticisms

Cyber Security Challenge

• Multifaceted problem
• Decentralized
• Global in scope
• Transcends traditional geo-political boundaries and jurisdictions
• Technology changes faster than law and policy

Identity Management problem

•  Internet is inherently anonymous
• However, there are ways you can be identified:
  • IP addresses
  • Others:
    • Behavior patterns – tracking cookies
    • Computer information – given away by web browser
    • Socialized experiences – Facebook, Google, etc.
    • No standardized way to store users’ personal information

IP Addresses

• Looks like: 1.2.3.4
• Assigned to computers, not people
• Several computers can share an IP address
• Several people can share a computer
• IP addresses change
  • Internet Service Providers do not always keep track of which customer is assigned to which IP address
  • Can be spoofed or hacked
  • Anonymizers like TOR can render IP addresses useless
  • Useless for identifying entities responsible for Distributed Denial of Service (DDOS) attacks

Storing Users’ Information

• No standardized approach to storing users’ private information
• Result: data breaches and security flaws
• Example:
  • Amazon.com Password Flaw (January 2011)
    • For passwords over 8 characters, only the first 8 were checked.
    • Means the passwords ‘SyracuseRules’ and ‘SyracuseSucks’ would be treated as the same password

Lack of Identity Management Results

• E-Commerce
  • Widespread fraud in online transactions
  • According to the NS-TIC (page 5):
    • Internet Crime Complaint Center (IC3) web site received 336,655 complaint submissions in 2009: 22.3% increase from 2008. Total dollar loss was $559.7 million up from 264.6 million in 2008.
    • Congressional Research Service estimated in 2004 cyber theft resulted in over $46 billion in economic losses
    • Attribution – Ability to attribute a cyber attack to a particular entity
      • Currently no way to do this with 100% accuracy
      • Example:
        • U.S. electric grid is destroyed using a computer virus designed to destroy the power plant
        • If we could find them how do we respond?
          • Individual or criminal / terrorist group – prosecution
          • Nation state – military attack

 Attempts to Fix the Problem

• Certificates on client and servers
• Two-factor authentication
  • User name & password
  • Other form of authentication:
    • Security questions, RSA token*, One-Time Passwords, etc.
    • Credit report based verification
      • Asks questions about information contained in your credit report
      • Used by:
        • Banks for new accounts opened online
        • eBay ID Verify Service
        • Single sign-on
          • Example: Syracuse Net ID
            • One username and password for all systems
            • User information stored centrally
• Centralized identity management
  • Microsoft Passport
  • Facebook Connect
• First generation federated identity management
  • OpenID, Google, Yahoo

NS-TIC

Timeline

• June 2010 – White House releases NS-TIC draft
• July 2010 – Department of Commerce’s Internet Policy Task Force publishes request for comment on “Cybersecurity, Innovation, and the Internet Economy”
• September 2010
  • Syracuse Panel sponsored by INSCT and CISAT on NS-TIC
  • Syracuse files official comments on NS-TIC in response to DoC’s request for comment
  • January 2011 – White House announces NS-TIC National Program Office will be opened inside Department of Commerce within NIST (nist.gov/nstic)
  • March 2011 – Final NS-TIC still not released….

NS-TIC Goals

• Develop “identity ecosystem”
  • Elimination of personal information “silos”
  • Adhere to eight Fair  Information Practice Principles (FIPPs)
    • Transparency
    • Individual Participation
    • Purpose Specification
    • Data Minimization
    • Use Limitation
    • Data Quality and Integrity
    • Security
    • Accountability and Auditing

NS-TIC Key Aspects

• Federated Identity Management Systems
• Not a national ID
• Voluntary – you will not need ID to access Internet
  • As the system is adopted, it will become de-facto mandatory
  • Privately run with standards set by the federal government in consultation with private sector

Federated Identity Management

• Instead of centralized identity management, distributed identity management
• Key Actors:
  • Identity providers: Issue, manage, and store identity credentials. Control how much of an end-user’s information a relying party is able to see
  • Relying parties: Subscribe to various federations and then use identity providers to authenticate their users
  • End-users:  Acquire credentials from identity providers and use them to authenticate with relying parties. Tell the identity providers what information to share with relying parties.
  • Federation: Sets system standards and enforces them
  • Like a credit card system for identities:
    • Credit card networks = Federations
    • Banks = Identity providers
    • Merchants = Relying parties
    • Customers = End-users

Possible Applications

• E-commerce
  • Both parties have assurance that the other’s identity has been verified
    • Reduce identity theft
    • Reduce “fly by night” merchants
    • E-government
    • Social networks
    • All Internet sites that require user accounts

Issues

• Legal  / Policy
  • Liability – Who bears the cost when something goes wrong?
  • Civil liberties
    • Prevent abuse of personal information
      • Privately run system will create a buffer between the government and the data
  • Protect privacy
    • Private companies like to sell personal information
• Implementation – How do we encourage entities to use the system if it is voluntary?
• How do we pay for the system?
  • NS-TIC calls for federal funding of pilot systems but says nothing about how to fund the systems in general
  • Technical
    • Open vs. proprietary federation standards
    • Infrastructure
    • Implementation / Changeover
    • Database Security
    • Software Practices
    • Does nothing to improve attribution capability

Criticisms

• Prof. Steven Bellovin of Columbia University – It's been tried before. If the system is voluntary, why does the federal government think it will be successful when others, attempting almost the exact same thing, have failed?
  -http://www.cs.columbia.edu/~smb/blog//2010-07/2010-07-11.html
• Heritage Foundation – "Decreasing the security risks associated with multiple credentials may well be an important and worthwhile endeavor for the private sector. However, a government-run or government-directed Internet ID system presents a risk to liberty that simply outweighs the potential security benefits.”
  -http://www.heritage.org/Research/Reports/2011/01/National-Internet-ID-Calls-for-Caution
• Electronic Frontier Foundation – "[W]hile the draft NSTIC ‘does not advocate for the establishment of a national identification card’ . . . , it’s far from clear that it won’t take us dangerously far down that road”
  -https://www.eff.org/deeplinks/2010/07/real-id-online-new-federal-online-identity-plan
• ACLU – "[I]t's possible that if all the stars lined up perfectly, this ‘online identity ecosystem’ could be a good thing." However, national security interests will likely take over and the system will end up violating users' civil liberties.
  -http://www.aclu.org/blog/technology-and-liberty/dont-put-your-trust-trusted-identities/-