National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties? – by DHS Fellows

On Thursday, March 24, 2011, two Department of Homeland Security Fellows at Syracuse University spoke on “National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties?” A PDF file of the slides that they used can be downloaded here. Below is an outline of their presentation.

National Strategy for Trusted Identities in Cyberspace: Securing the Internet or Attacking Civil Liberties?

Disclaimers

This presentation was developed under a DHS Science and Technology Assistance Agreement awarded by the U.S. Department of Homeland Security. It has not been formally reviewed by DHS. The views and conclusions contained in this presentation are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The Department of Homeland Security does not endorse any products or commercial services mentioned in this presentation.

This presentation is not intended to advocate for or against the NS-TIC but to provide an overview of the issues surrounding it and identity management in general.

About Us

  • Jeff Keesom – JD / MPA ’12 (Law / Maxwell)
    • BS – Computer Science; BA – Political Science
      University of Rochester (2008)
    • MS – Software Engineering
      Rochester Institute of Technology (2009)
    • 5 years software development experience for various organizations, including the U.S. Department of Justice and Johnson & Johnson
  • Macy Cronkrite – MS ’11, MS’12 (iSchool)
    • BS – Computer Science
      SUNY Brockport (2009)
    • C.A.S Information Security Management
    • 7 years software development and management experience

Outline

  • Cyber security in a nutshell
  • Identity management problem overview
  • NS-TIC
    • Goals / Key Aspects
    • Federated identity management
    • Issues
      • Legal / Policy
        • Civil liberties
      • Technical
  • Criticisms

Cyber Security Challenge

  • Multifaceted problem
  • Decentralized
  • Global in scope
  • Transcends traditional geo-political boundaries and jurisdictions
  • Technology changes faster than law and policy

Identity Management problem

  • Internet is inherently anonymous
  • However, there are ways you can be identified:
    • IP addresses
    • Others:
      • Behavior patterns – tracking cookies
      • Computer information – given away by web browser
      • Socialized experiences – Facebook, Google, etc.
  • No standardized way to store users’ personal information

IP Addresses

  • Looks like: 1.2.3.4
  • Assigned to computers, not people
  • Several computers can share an IP address
  • Several people can share a computer
  • IP addresses change
    • Internet Service Providers do not always keep track of which customer is assigned to which IP address
  • Can be spoofed or hacked
  • Anonymizers like Tor can render IP addresses useless
  • Useless for identifying entities responsible for Distributed Denial of Service (DDoS) attacks

Storing Users’ Information

  • No standardized approach to storing users’ private information
  • Result: data breaches and security flaws
  • Example:
    • Amazon.com Password Flaw (January 2011)
      • For passwords over 8 characters, only the first 8 were checked.
      • Means the passwords ‘SyracuseRules’ and ‘SyracuseSucks’ would be treated as the same password
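To make the flaw concrete, the following is an added example (not code from the presentation, and not Amazon’s code) that places a verifier which hashes only the first 8 characters of a password beside one that hashes the whole password. The passwords, the salt, the PBKDF2 work factor and the `effective_search_space` helper are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration of the truncation flaw described above. Nothing here is
# Amazon's code; the passwords, salt and iteration count are constructed.

ITERATIONS = 50_000  # PBKDF2 work factor, kept small so the demo runs quickly


def make_hash(password: str, salt: bytes, truncate_to: Optional[int] = None) -> bytes:
    """Derive a salted password hash. With truncate_to=8 this reproduces the
    flaw: whatever the user typed, only the first 8 characters feed the hash."""
    material = password if truncate_to is None else password[:truncate_to]
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)


def truncating_verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Flawed verifier: compares a hash of the first 8 characters only, so any
    attempt sharing an 8-character prefix with the real password is accepted."""
    return hmac.compare_digest(make_hash(attempt, salt, truncate_to=8), stored)


def full_verify(stored: bytes, salt: bytes, attempt: str) -> bool:
    """Hardened verifier: the entire password, at any length, is hashed."""
    return hmac.compare_digest(make_hash(attempt, salt), stored)


def effective_search_space(password_len: int, alphabet: int = 95,
                           truncate_to: Optional[int] = None) -> int:
    """Candidates a guesser must cover for a password of the given length drawn
    from an alphabet of the given size. Truncation caps the exponent, so a
    13-character password is no stronger than an 8-character one."""
    effective_len = password_len if truncate_to is None else min(password_len, truncate_to)
    return alphabet ** effective_len


def demo() -> dict:
    """Register 'SyracuseRules' under both schemes and try 'SyracuseSucks'."""
    salt = os.urandom(16)
    registered = "SyracuseRules"
    flawed_store = make_hash(registered, salt, truncate_to=8)
    fixed_store = make_hash(registered, salt)
    return {
        "flawed_accepts_SyracuseSucks": truncating_verify(flawed_store, salt, "SyracuseSucks"),
        "fixed_rejects_SyracuseSucks": not full_verify(fixed_store, salt, "SyracuseSucks"),
        "fixed_accepts_real_password": full_verify(fixed_store, salt, registered),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Both verifiers use constant-time comparison and a salted, iterated hash; the only difference is whether the password is cut at 8 characters before hashing, which is enough to turn two different passwords into one.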

Lack of Identity Management Results

  • E-Commerce
    • Widespread fraud in online transactions
    • According to the NS-TIC (page 5):
      • Internet Crime Complaint Center (IC3) web site received 336,655 complaint submissions in 2009: 22.3% increase from 2008. Total dollar loss was $559.7 million, up from $264.6 million in 2008.
      • Congressional Research Service estimated in 2004 that cyber theft resulted in over $46 billion in economic losses
  • Attribution – Ability to attribute a cyber attack to a particular entity
    • Currently no way to do this with 100% accuracy
    • Example:
      • U.S. electric grid is destroyed using a computer virus designed to destroy power plants
      • If we could identify the attacker, how do we respond?
        • Individual or criminal / terrorist group – prosecution
        • Nation state – military attack

Attempts to Fix the Problem

  • Certificates on clients and servers
  • Two-factor authentication
    • User name & password
    • Other form of authentication:
      • Security questions, RSA token*, One-Time Passwords, etc.
      • Credit report based verification
        • Asks questions about information contained in your credit report
        • Used by:
          • Banks for new accounts opened online
          • eBay ID Verify Service
  • Single sign-on
    • Example: Syracuse Net ID
      • One username and password for all systems
      • User information stored centrally
  • Centralized identity management
    • Microsoft Passport
    • Facebook Connect
  • First generation federated identity management
    • OpenID, Google, Yahoo

NS-TIC

Timeline

  • June 2010 – White House releases NS-TIC draft
  • July 2010 – Department of Commerce’s Internet Policy Task Force publishes request for comment on “Cybersecurity, Innovation, and the Internet Economy”
  • September 2010
    • Syracuse Panel sponsored by INSCT and CISAT on NS-TIC
    • Syracuse files official comments on NS-TIC in response to DoC’s request for comment
  • January 2011 – White House announces NS-TIC National Program Office will be opened inside Department of Commerce within NIST (nist.gov/nstic)
  • March 2011 – Final NS-TIC still not released…

NS-TIC Goals

  • Develop “identity ecosystem”
    • Elimination of personal information “silos”
    • Adhere to eight Fair Information Practice Principles (FIPPs)
      • Transparency
      • Individual Participation
      • Purpose Specification
      • Data Minimization
      • Use Limitation
      • Data Quality and Integrity
      • Security
      • Accountability and Auditing

NS-TIC Key Aspects

  • Federated Identity Management Systems
  • Not a national ID
  • Voluntary – you will not need ID to access Internet
    • As the system is adopted, it will become de facto mandatory
  • Privately run with standards set by the federal government in consultation with private sector

Federated Identity Management

  • Instead of centralized identity management, distributed identity management
  • Key Actors:
    • Identity providers: Issue, manage, and store identity credentials. Control how much of an end-user’s information a relying party is able to see
    • Relying parties: Subscribe to various federations and then use identity providers to authenticate their users
    • End-users: Acquire credentials from identity providers and use them to authenticate with relying parties. Tell the identity providers what information to share with relying parties.
    • Federation: Sets system standards and enforces them
    • Like a credit card system for identities:
      • Credit card networks = Federations
      • Banks = Identity providers
      • Merchants = Relying parties
      • Customers = End-users
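The four actors above can be modelled in a few dozen lines. The following is an added toy example, not code from the presentation or from any NS-TIC pilot, in which a federation fixes the signing key and assertion lifetime, an identity provider releases only the attributes the end-user has consented to share with a given relying party, and the relying party verifies the assertion without ever seeing the user’s password. The key, the “alice” account, the domain names and the HMAC-based signing are all constructed assumptions; real federations use public-key signatures under standards such as SAML or OpenID Connect.

```python
import hashlib
import hmac
import json
import os

# Added toy model of the actors in the outline above. All names, keys and the
# "alice" account are constructed; real deployments use SAML/OpenID Connect
# with public-key signatures rather than a federation-wide shared HMAC key.

ITERATIONS = 50_000  # PBKDF2 work factor for the IdP's password store


class Federation:
    """Sets and enforces the rules: here, the signing key and assertion lifetime."""

    def __init__(self, signing_key: bytes, lifetime_seconds: int = 300):
        self.signing_key = signing_key
        self.lifetime_seconds = lifetime_seconds


class IdentityProvider:
    """Issues, manages and stores credentials; releases only consented attributes."""

    def __init__(self, name: str, federation: Federation):
        self.name = name
        self.federation = federation
        self._pairwise_secret = os.urandom(16)  # for per-relying-party pseudonyms
        self._accounts = {}  # username -> {"salt", "hash", "attrs"}
        self._consents = {}  # (username, relying_party) -> set of attribute names

    def register(self, username: str, password: str, attrs: dict) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._accounts[username] = {"salt": salt, "hash": pw_hash, "attrs": dict(attrs)}

    def set_consent(self, username: str, relying_party: str, allowed) -> None:
        """The end-user tells the IdP what this relying party may see."""
        self._consents[(username, relying_party)] = set(allowed)

    def _authenticate(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            return False
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], ITERATIONS)
        return hmac.compare_digest(attempt, acct["hash"])

    def issue_assertion(self, username: str, password: str, relying_party: str,
                        requested, now: int):
        if not self._authenticate(username, password):
            raise PermissionError("authentication failed")
        acct = self._accounts[username]
        allowed = self._consents.get((username, relying_party), set())
        # Data minimization: release only what is requested, consented to, and held.
        released = {a: acct["attrs"][a] for a in requested if a in allowed and a in acct["attrs"]}
        # Pairwise pseudonym: two relying parties cannot correlate the same user.
        pseudonym = hashlib.sha256(
            self._pairwise_secret + username.encode() + relying_party.encode()
        ).hexdigest()[:16]
        payload = {"iss": self.name, "sub": pseudonym, "aud": relying_party,
                   "iat": now, "attrs": released}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self.federation.signing_key, body, hashlib.sha256).hexdigest()
        return body, sig


class RelyingParty:
    """Relies on the federation's rules instead of holding the user's password."""

    def __init__(self, name: str, federation: Federation):
        self.name = name
        self.federation = federation

    def verify(self, body: bytes, sig: str, now: int) -> dict:
        expected = hmac.new(self.federation.signing_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("assertion signature invalid")
        payload = json.loads(body)
        if payload.get("aud") != self.name:
            raise ValueError("assertion was issued for a different relying party")
        if now - payload.get("iat", 0) > self.federation.lifetime_seconds:
            raise ValueError("assertion expired")
        return payload


def verification_result(rp: RelyingParty, body: bytes, sig: str, now: int) -> str:
    """Return 'ok' or the relying party's rejection reason."""
    try:
        rp.verify(body, sig, now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Alice shares her e-mail and age bracket with a shop, but not her address."""
    fed = Federation(b"constructed-federation-key")
    idp = IdentityProvider("idp.example", fed)
    idp.register("alice", "correct horse battery staple",
                 {"email": "alice@example.net", "age_over_18": True, "home_address": "1 Main St"})
    idp.set_consent("alice", "shop.example", ["email", "age_over_18"])
    shop = RelyingParty("shop.example", fed)
    body, sig = idp.issue_assertion("alice", "correct horse battery staple", "shop.example",
                                    ["email", "age_over_18", "home_address"], now=1_000)
    return shop.verify(body, sig, now=1_060)["attrs"]


if __name__ == "__main__":
    print(demo())
```

The shop asked for three attributes and received two: the end-user’s consent, not the relying party’s request, bounds what the identity provider releases, which is how the “Data Minimization” and “Use Limitation” principles translate into code. The audience and lifetime checks stop an assertion meant for one relying party from being replayed at another or long after it was issued.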

Possible Applications

  • E-commerce
    • Both parties have assurance that the other’s identity has been verified
      • Reduce identity theft
      • Reduce “fly by night” merchants
  • E-government
  • Social networks
  • All Internet sites that require user accounts

Issues

  • Legal / Policy
    • Liability – Who bears the cost when something goes wrong?
    • Civil liberties
      • Prevent abuse of personal information
        • Privately run system will create a buffer between the government and the data
      • Protect privacy
        • Private companies like to sell personal information
    • Implementation – How do we encourage entities to use the system if it is voluntary?
    • How do we pay for the system?
      • NS-TIC calls for federal funding of pilot systems but says nothing about how to fund the systems in general
  • Technical
    • Open vs. proprietary federation standards
    • Infrastructure
    • Implementation / Changeover
    • Database Security
    • Software Practices
    • Does nothing to improve attribution capability

Criticisms

  • Prof. Steven Bellovin of Columbia University – It's been tried before. If the system is voluntary, why does the federal government think it will be successful when others, attempting almost the exact same thing, have failed?
    -http://www.cs.columbia.edu/~smb/blog//2010-07/2010-07-11.html
  • Heritage Foundation – "Decreasing the security risks associated with multiple credentials may well be an important and worthwhile endeavor for the private sector. However, a government-run or government-directed Internet ID system presents a risk to liberty that simply outweighs the potential security benefits.”
    -http://www.heritage.org/Research/Reports/2011/01/National-Internet-ID-Calls-for-Caution
  • Electronic Frontier Foundation – "[W]hile the draft NSTIC ‘does not advocate for the establishment of a national identification card’ . . . , it’s far from clear that it won’t take us dangerously far down that road”
    -https://www.eff.org/deeplinks/2010/07/real-id-online-new-federal-online-identity-plan
  • ACLU – "[I]t's possible that if all the stars lined up perfectly, this ‘online identity ecosystem’ could be a good thing." However, national security interests will likely take over and the system will end up violating users' civil liberties.
    -http://www.aclu.org/blog/technology-and-liberty/dont-put-your-trust-trusted-identities/-
