The White House
Office of the Press Secretary

For Immediate Release June 25, 2010
Fact Sheet for National Strategy for Trusted Identities in Cyberspace

Today, June 25th, the draft National Strategy for Trusted Identities in Cyberspace is being released for public comment and input. Key facts and concepts about the strategy are provided below. For the report and blog post from the President’s Cybersecurity Coordinator, Howard Schmidt please visit http://www.whitehouse.gov/blog/.

. Impetus

• One of the near term action items of the President’s Cyberspace Policy Review is to develop a “cybersecurity-focused identity management vision and strategy.” The National Strategy for Trusted Identities in Cyberspace (NSTIC) answers that requirement.

• The need for such a strategy is due to the rising tide of identity theft, online fraud and cyber intrusions, the proliferation of usernames and passwords that individuals must remember, and the need to deliver online services more securely and efficiently.

II. Development Process

• The National Security Staff (NSS) has led an interagency writing team to develop the draft strategy through a very transparent, open, and collaborative process.

• The writing team has engaged with approximately 70 industry advisory councils and associations to collect input on drafts of the strategy. These stakeholder groups represent various communities, including privacy, state and local government, healthcare, and the financial sector. Nearly 4000 comments from industry and government have been collected and adjudicated.

• The current final draft is posted on www.nstic.ideascale.com for public review and input. The Department of Homeland Security is supporting the NSS in this public review period and is providing NSS with the use of an Open Government tool called IdeaScale to collect and prioritize comments. The document will be posted for a three week period (closing July 19th).

• NSS is aiming to finalize the document (including Presidential signature) in October 2010 to coincide with National Cybersecurity Awareness Month.

III. Scope

• The strategy is focused on improving our ability to identify and authenticate the organizations, individuals, and underlying infrastructure (e.g., routers, servers, desktops, mobile devices, software, data, etc.) involved in an online transaction.

• Online transactions can include everything from accessing electronic health records, to online banking, to making a purchase online, to sending an email.

• There are many ways to do this identification and authentication, ranging from less secure user names and passwords to more secure Public Key Infrastructure (or PKI).

IV. Organization

• The Strategy contains an introduction, a vision, guiding principles, goals and objectives, and a call to action.
• Accompanying the Strategy will be an implementation plan that lays out specific recommendations that align to the goals in the strategy. These recommendations call for development of new standards, new pilots, new grants, new programs, and new offices. The recommendations are where the rubber meets the road, and where we will be driving real change in our effort to build this identity ecosystem.

V. Goals of the Strategy

• We want to create an environment, or an Identity Ecosystem as we refer to it in the Strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on.

• End users in this Identity Ecosystem should be able to use strong (e.g., multifactor), interoperable credentials to authenticate themselves online for a variety of different transactions.

• In order to get to this future world the draft strategy lays out four goals. They are:

1. Design the Identity Ecosystem. This includes working with industry to develop and identify the standards and policies that govern the identity ecosystem. It also includes addressing legal issues in the Identity Ecosystem such as defining liability caps for identity providers.

2. Build the Identity Ecosystem infrastructure. This includes working with industry and state and local government to deploy strong, interoperable identity solutions. It also includes reinvigorating government efforts to encourage the deployment of device and object relative authentication protocols such as Domain Name Security (DNSSEC), Internet Protocol Security (IPSEC), and Border Gateway Protocol Security (BGPSEC).

3. Strengthen privacy protections for end users and increase awareness of risks. This includes formally adopting (perhaps through new laws) enhanced privacy protections for individuals in the Identity Ecosystem. For example, we are considering requiring identity providers to abide by the Fair Information Practice Principles. This goal also includes working with the interagency working group that has been established to create a national awareness campaign for cybersecurity and ensure that trusted identities messaging is included in that campaign.

4. Manage the Identity Ecosystem. This includes establishing the proper structures within government, including a program office to oversee implementation of the strategy and an industry advisory council, to ensure the long term success of the identity ecosystem. It also includes enhanced government participation in various international fora, including policy bodies and standards organizations.

To Comment on the report please visit http://www.nstic.ideascale.com.

The White House Blog
The National Strategy for Trusted Identities in Cyberspace
Posted by Howard A. Schmidt on June 25, 2010 at 02:00 PM EDT
Cyberspace has become an indispensible component of everyday life for all Americans. We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure. It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth. Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much -- has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

The Department of Homeland Security (DHS), a key partner in the development of the strategy, has posted the draft NSTIC at www.nstic.ideascale.com. Over the next three weeks (through July 19th), DHS will be collecting comments from any interested members of the general public on the strategy. I encourage you to go to this website, submit an idea for the strategy, comment on someone else’s idea, or vote on an idea. Your input is valuable to the ultimate success of this document. The NSTIC will be finalized later this fall.

Thank you for your input!

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

From White House Blog - National Security Council

President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure.

In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans.

The activities under way to implement the recommendations of the Cyberspace Policy Review build on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23) in January 2008. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cybersecurity strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama’s Cyberspace Policy Review.

The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:

* To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
* To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
* To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.

In building the plans for the CNCI, it was quickly realized that these goals could not be achieved without also strengthening certain key strategic foundational capabilities within the Government. Therefore, the CNCI includes funding within the federal law enforcement, intelligence, and defense communities to enhance such key functions as criminal investigation; intelligence collection, processing, and analysis; and information assurance critical to enabling national cybersecurity efforts.

The CNCI was developed with great care and attention to privacy and civil liberties concerns in close consultation with privacy experts across the government. Protecting civil liberties and privacy rights remain fundamental objectives in the implementation of the CNCI.

In accord with President Obama’s declared intent to make transparency a touchstone of his presidency, the Cyberspace Policy Review identified enhanced information sharing as a key component of effective cybersecurity. To improve public understanding of Federal efforts, the Cybersecurity Coordinator has directed the release of the following summary description of the CNCI.
CNCI Initiative Details

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. The Trusted Internet Connections (TIC) initiative, headed by the Office of Management and Budget and the Department of Homeland Security, covers the consolidation of the Federal Government’s external access points (including those to the Internet). This consolidation will result in a common security solution which includes: facilitating the reduction of external access points, establishing baseline security capabilities; and, validating agency adherence to those security capabilities. Agencies participate in the TIC initiative either as TIC Access Providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial Managed Trusted IP Service (MTIPS) providers through the GSA-managed NETWORX contract vehicle.

Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise. Intrusion Detection Systems using passive sensors form a vital part of U.S. Government network defenses by identifying when unauthorized users attempt to gain access to those networks. DHS is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology. Associated with this investment in technology is a parallel investment in manpower with the expertise required to accomplish DHS’s expanded network security mission. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data. Due to the capabilities within EINSTEIN 2, US-CERT analysts have a greatly improved understanding of the network environment and an increased ability to address the weaknesses and vulnerabilities in Federal network security. As a result, US-CERT has greater situational awareness and can more effectively develop and more readily share security relevant information with network defenders across the U.S. Government, as well as with security professionals in the private sector and the American public. The Department of Homeland Security’s Privacy Office has conducted and published a Privacy Impact Assessment for the EINSTEIN 2 program.

Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise. This Initiative represents the next evolution of protection for civilian Departments and Agencies of the Federal Executive Branch. This approach, called EINSTEIN 3, will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response. It will have the ability to automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense. EINSTEIN 3 will assist DHS US-CERT in defending, protecting and reducing vulnerabilities on Federal Executive Branch networks and systems. The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions. This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform EINSTEIN 3 systems in real time. DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions for use in the EINSTEIN 3 system in support of DHS’s federal system security mission. Information sharing on cyber intrusions will be conducted in accordance with the laws and oversight for activities related to homeland security, intelligence, and defense in order to protect the privacy and rights of U.S. citizens.

DHS is currently conducting a exercise to pilot the EINSTEIN 3 capabilities described in this initiative based on technology developed by NSA and to solidify processes for managing and protecting information gleaned from observed cyber intrusions against civilian Executive Branch systems. Government civil liberties and privacy officials are working closely with DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of EINSTEIN 3.

Initiative #4: Coordinate and redirect research and development (R&D) efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the Government. This initiative is developing strategies and structures for coordinating all cyber R&D sponsored or conducted by the U.S. government, both classified and unclassified, and to redirect that R&D where needed. This Initiative is critical to eliminate redundancies in federally funded cybersecurity research, and to identify research gaps, prioritize R&D efforts, and ensure the taxpayers are getting full value for their money as we shape our strategic investments.

Initiative #5. Connect current cyber ops centers to enhance situational awareness. There is a pressing need to ensure that government information security offices and strategic operations centers share data regarding malicious activities against federal systems, consistent with privacy protections for personally identifiable and other protected information and as legally appropriate, in order to have a better understanding of the entire threat to government systems and to take maximum advantage of each organization’s unique capabilities to produce the best overall national cyber defense possible. This initiative provides the key means necessary to enable and support shared situational awareness and collaboration across six centers that are responsible for carrying out U.S. cyber activities. This effort focuses on key aspects necessary to enable practical mission bridging across the elements of U.S. cyber activities: foundational capabilities and investments such as upgraded infrastructure, increased bandwidth, and integrated operational capabilities; enhanced collaboration, including common technology, tools, and procedures; and enhanced shared situational awareness through shared analytic and collaborative technologies.

The National Cybersecurity Center (NCSC) within the Department of Homeland Security will play a key role in securing U.S. Government networks and systems under this initiative by coordinating and integrating information from the six centers to provide cross-domain situational awareness, analyzing and reporting on the state of U.S. networks and systems, and fostering interagency collaboration and coordination.

Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan. A government-wide cyber counterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to U.S. and private sector information systems. To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government. The Cyber CI Plan is aligned with the National Counterintelligence Strategy of the United States of America (2007) and supports the other programmatic elements of the CNCI.

Initiative #7. Increase the security of our classified networks. Classified networks house the Federal Government’s most sensitive information and enable crucial war-fighting, diplomatic, counterterrorism, law enforcement, intelligence, and homeland security operations. Successful penetration or disruption of these networks could cause exceptionally grave damage to our national security. We need to exercise due diligence in ensuring the integrity of these networks and the data they contain.

Initiative #8. Expand cyber education. While billions of dollars are being spent on new technologies to secure the U.S. Government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However there are not enough cybersecurity experts within the Federal Government or private sector to implement the CNCI, nor is there an adequately established Federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge.

Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The Federal Government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require ‘out of the box’ thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.

Initiative #10. Define and develop enduring deterrence strategies and programs. Our Nation’s senior policymakers must think through the long-range strategic options available to the United States in a world that depends on assuring the use of cyberspace. To date, the U.S. Government has been implementing traditional approaches to the cybersecurity problem—and these measures have not achieved the level of security needed. This Initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses for both state and non-state actors.

Initiative #11. Develop a multi-pronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.

Help Change the Game in Cybersecurity - from White House Office of Science and Technology Policy

by Aneesh Chopra and Howard A. Schmidt on May 19, 2010 at 02:48 PM EDT - White House Office of Science & Tech Policy Blog

Today marks the launch of a new web forum to discuss your research and development ideas to “change the game” in cybersecurity. To inaugurate this forum, public session will be webcast live today from 1:30 to 4:30pm PDT, from the IEEE Security and Privacy Conference in Oakland, California.

Comprising the broadband and wireless networks that connect us, the smart devices that enable us, and the digital information that informs and inspires us, cyberspace touches every part of our daily lives. This includes enabling entrepreneurship through e-commerce, enhancing health care and education through online information technologies, achieving efficient energy use through smart grids, and many other uses.

The ability to use cyberspace securely and with confidence is key to society realizing its full benefits. As President Obama said last May: “America’s economic prosperity in the 21st century will depend on cybersecurity."

Yet today, those who would abuse the system often hold the advantages of time (systems change only slowly), opportunity (an attacker needs to succeed only once while defenders must succeed always), and targets (a single vulnerability may be found in many locations).

In a challenge to the research and development community, the President’s Cyberspace Policy Review (near-term action item #9) called for a strategy for new, game-changing technologies that give the advantage to beneficial use. This challenge complements and extends the call in the Comprehensive National Cybersecurity Initiative (CNCI goal #9) for “leap-ahead” technologies, strategies, and programs.

The National Cyber Leap Year responded to this challenge, gathering input from the community through concept papers and a national summit. The first three game-changing concepts to emerge from this process are:

* Moving Target – Systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
* Tailored Trustworthy Spaces – Security tailored to the needs of a particular transaction rather than the other way around.
* Cyber Economic Incentives – A landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

Join in and help refine these concepts and chart a path forward. Visit the web forum, share your ideas, learn what others are thinking, and explore how you might collaborate with innovators across the private and public sectors. Also, stay tuned as we will be looking for your advice on how to continue the game-change process to stay ahead of those who would abuse the system. Working together we can ensure that cyberspace is safe and secure for commerce, learning, innovation, interaction, and discovery.

Aneesh Chopra is the U.S. Chief Technology Officer

Howard A. Schmidt is the President’s Cybersecurity Coordinator