twitter facebook rss

NSTIC – it will prove our identity but will it protect our privacy?

Posted by on May 4, 2015.

NSTIC, the National Strategy for Trusted Identities in Cyberspace, is an Obama initiative designed to make internet usage more secure for everyday users. It will do this by allowing third parties to vouch for our identity. In theory, this will allow us to stop using multiple passwords – instead, the third party will confirm our identity. The question, however, is whether NSTIC will also protect our privacy.

Surprisingly for a presidential initiative that has already been in process for a number of years, NSTIC is still little understood. This was admitted by a number of the Wisegate CISOs who attended a roundtable discussion led by the Chair of one of the NSTIC program committees.

He started by saying that ‘passwords are broken’. It’s a common enough view among security professionals, but frankly not one that I support. The password theory is as strong today as it has ever been – rather it is our use of passwords that has become sloppy and broken. The real problem is that passwords are no longer enough for the modern cyberspace that expects and requires that more and more of our daily transactions are done online.

“The issue,” said the NSTIC man, “isn’t trust in the credential [that is, the password] but trusting the person behind the credential is the person you think they are. Without strong registration there’s no trust. And without strong credentials (or trust that the credential hasn’t been compromised) there’s no trusted transactions. One-time passwords or 2 factor authentication deal with compromise but still don’t fix trust.”

The trust in identity is to be provided by trusted third parties. We shall have to register with one of those third parties and prove our identity. But once we have done that, the third party will confirm, wherever and to whomever necessary, that we are who we say we are. In theory, that third party confirms not just that we know a password, but that we are the real deal and not an identity thief who has stolen or guessed our password.

But following Snowden’s revelations there is a deep distrust in government – particularly where our identities (and the privacy that goes with our identities) are concerned. In fairness, Obama seems to have recognized this distrust – NSTIC is primarily a private rather than government project.

“Only the private sector has the ability to build and operate the complete Identity Ecosystem, and the final success of the Strategy depends upon private-sector leadership and innovation,” notes the NSTIC documentation. While NSTIC itself is designed to provide trust in identities, the hands-off approach by government is designed to provide trust in NSTIC.

Technically, NSTIC will work. Whether it will be trusted by its users is another matter. The problem is that it or something similar is necessary because more and more of our high-value and government-centric transactions will be done, and will only be done, online. Passwords aren’t broken; they’re simply not designed for the new and evolving cyber-economy. That I have an unbreakable and uncompromised password does not actually prove who I am – but NSTIC will do that.

The identity problem is not limited to the US. There is a similar problem with a similar solution in the UK. Here the solution is called ‘Verify’ rather than NSTIC. Verify is similar in application to NSTIC, but vastly different in development. While NSTIC is being developed outside of government, Verify is being developed by government. In the UK the private companies that will provide user attestation are selected by government – and one of the first four selected companies is Verizon.

Verizon, you may recall, is the US company at the heart of the first Snowden revelations. Verizon is required by the US PATRIOT Act to hand over any and all data requested by the NSA. The PATRIOT Act does not distinguish between the nationality of the users’ personal data – it only requires a US company, like Verizon.

So we have a strange dichotomy. The US is developing an identity ecosystem that has “Privacy-Enhancing and Voluntary” as a guiding principle, while the UK is quietly developing a similar system that seems designed to allow the US government access to UK identities on demand and secretly.

The real problem is that we have no choice. There is an absolute need for NSTIC/Verify if the potential of the internet is to be fulfilled. So it will, indeed must, happen.


Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Insights | Tags: , , , ,