Modernizing Authentication — What It Takes to Transform Secure Access
PALO ALTO, Calif. Speaking ahead of a panel of security experts and officials here at Stanford University, Commerce Secretary Gary Locke made an impassioned plea for government and the private sector to work together on solutions to better secure the Internet and allay consumer's privacy concerns.
Locke also announced that the Obama administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative will be coordinated by a National Program Office within the Commerce Department. The initiative is a push to establish identity and privacy solutions designed to make the online world more secure and convenient for consumers.
While details about what kind of solutions might emerge were sketchy, Locke emphasized one result it's not pursuing:
"We're not talking about a national identity card or government control, but enhancements that perhaps eliminating the need to remember a dozen passwords," said Locke.
The Secretary said to expect a final version of the administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative in the coming months.
"The reality is the Internet faces something of a trust issue and it won't reach it's full potential until users feel more secure," said Locke. "Identity theft and spam are just some of the most commonly known invasions of a user's privacy and security. People are worried about their personal information going out, and parents are worried about unwanted explicit material coming in to their children."
Locke was careful not to promise any all-encompassing solutions. "Security is not a destination, it's a journey," he said. "We all know that these pilot projects, any follow-on commercial deployments, and the emergence of an Identity Ecosystem itself will be no panacea. There is no magic bullet to solve all cybersecurity issues."
Speaking right after Locke, Howard A. Schmidt, Special Advisor to the President and Cybersecurity Coordinator at The White House, said he envisions multiple solutions, smart card tokens and other forms of multi-factor authentication and identity management fast becoming the norm.
On the privacy front he said there are too many instances where users have to provide more information than is necessary to complete a transaction. "We also seek to limit the amount of data that's being used, Locke said. "Why do I have to give up all this information for one small transaction and why does every site need it?
McAfee CEO Dave DeWalt said an effective partnership between industry and the government to tackle Internet security issues can't some soon enough.
A security pandemic
"I'm a huge fan and applaud what NSTIC doing and it's a bit of 'it's about time'," he said during a panel discussion. "I've been CEO of McAfee for four years and watched an exponential increase in crime and malware we get; it's a major pandemic . Not only is the volume of malware and attacks on identity theft on the rise, but the complexity has too. We need government step up. He later added that the private sector also has to "step up" to help meet the growing security threats.
DeWalt said McAfee alone sees 55,000 new pieces of malware every day. "About 90 percent of those are designed to do one thing, steal identity or money from consumers," he said. He also said about half the users on the Internet don't have any real security protection enabled at all making the Web "a low risk, high return" venture for the bad guys.
One practical suggestion DeWalt made was that more can be done at the domain registration level.
"It's pretty easy to register a domain and at McAfee we see about two million bad websites every month," he said. Without getting into specifics, he suggested the government might be well served to require that anyone starting a new website provide some kind of basic level of identity proving they are "good people" during the initial registration process.
While security companies try and be proactive and respond to security threats, DeWalt said it would helpful to get an earlier start. "You've go to hit them at both ends," he said.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.