Last week, President Obama signed a new Executive Order calling for “all agencies making personal data accessible to citizens through digital applications” to “require the use of multiple factors of authentication and an effective identity proofing process.” The President set a deadline of 18 months for agencies to comply.
Since the release of this Executive Order, the press has focused quite a bit on how it will improve the security of government sites, and help better protect the security and privacy of citizens’ data. It’s an important point – especially because the vast majority of data breaches are executed by exploiting the weaknesses of passwords. However, the benefits of improving identity go well beyond security. What is most exciting about this new Executive Order is how it will enable government to more effectively serve the American people through a wide array of new citizen-facing digital government applications.
Since the advent of the Internet in the 1990s, the vast majority of government websites have focused on low-value or passive applications – sharing general information about government activities and answering common questions about programs. But higher-value applications that enable citizens to have a truly personalized experience (e.g. transacting business with government or obtaining personal data) have largely been mired in the offline world.
The reason has been simple: higher value applications come with higher risk, so agencies will only offer a service online if there’s an easy way to ascertain whether the “person” on the other end of a transaction is really who he or she claims to be. Twenty-one years after the New Yorker proclaimed, “On the Internet, nobody knows you’re a dog,” we’re still dealing with certain services being stuck in the paper world because agencies can’t reliably authenticate identities online.
There’s nothing wrong with being a “dog” on the Internet, per se – the ability to be anonymous or pseudonymous online has been a hallmark of the Internet, and must continue to be. Conversely, there are times when the ability to assert your true identity online is essential to enabling high-value services – and ensuring that someone else cannot impersonate you.
Three and a half years ago, President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). Targeted at the growing array of cybersecurity problems caused by passwords and other weak identity solutions, NSTIC called for the private sector to partner with government on the creation of an Identity Ecosystem – essentially a marketplace of stronger identity solutions that Americans could use in lieu of passwords to not only better protect their privacy and security online, but also to engage in new types of trusted transactions.
Identity is the great enabler here – if we have easy-to-use identity solutions that enable secure and privacy-enhancing transactions, we can enable citizens to engage with government in more meaningful ways. With a vibrant Identity Ecosystem – where citizens can use the same credential to access services at multiple sites – we can enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.
In the three and a half years since the NSTIC was first signed, the market has responded. Many private firms have started offering multi-factor authentication (MFA) to their customers, ensuring that the most commonly executed, password-centric attacks are no longer viable. And, through more than a dozen NSTIC pilots, the private sector has demonstrated material progress in advancing more secure, privacy-enhancing, easy-to-use identity solutions. It’s time for the government to make sure our own services are embracing the best the market now has to offer.
Last week’s Executive Order calls on three parts of the White House – the Office of Management and Budget, the Office of Science and Technology Policy, and the National Security Council – to craft a plan over the next 90 days detailing how agencies will comply with the Order. We at the NSTIC National Program Office (NPO) look forward to supporting the White House however we can as they move forward.