Beyond the Password: New Developments in Cyberspace Security

September 2011

Jennifer Windh: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today we're joined by Jeremy Grant, senior executive adviser and leader of the U.S. Department of Commerce National Program Office for the National Strategy for Trusted Identities in Cyberspace, or NSTIC. Jeremy will be speaking to us about NSTIC and its role in online security.

Jeremy, thanks for joining us.

Jeremy Grant: Thanks. My pleasure.

Windh: So, could you briefly explain for our audience what the National Strategy on Trusted Identities in Cyberspace is?

Grant: So, to give a little bit of background on it, the National Strategy for Trusted Identities in Cyberspace, or NSTIC, was signed by President Obama on April 15th of this year in an event that was hosted by the U.S. Chamber of Commerce. The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009, where 10 near-term action items were called for, one of which was the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties. So, there was a big interagency process that was led through the White House between that time and April of this year. A draft had been published in June of 2010, and a number of nongovernment stakeholders had a chance to comment on it and produce suggestions to improve it, and whatnot. And then the actual strategy was released, with his signature, as I mentioned, on April 15th.

What NSTIC is trying to do at the end of the day is essentially tackle three different challenges. The first is that passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online. The second is, now, 18 years after the famous New Yorker cartoon was published where the one dog says to his friend, who is a dog, "The great thing about the Internet is nobody knows you're a dog"—this still rings true today. And while there are plenty of situations where it's really not a problem, where anonymity or pseudonymity is a very good thing online, there are also a lot of transactions, certainly in the financial world, among others, where the risk model associated with certain types of transactions is so high because you don't know that the person on the other end of the transaction is in fact not a dog, that they can't be moved online, and so they are stuck in the "brick-and-mortar" world.

And the third objective of the NSTIC is really to create ways to enhance privacy for all individuals. You know, how can you build identity solutions that allow you to control what information you provide for different transactions, only providing the amount of information that is actually necessary to complete a transaction rather than all sorts of gobs of extraneous information about you. And so, giving people tools that they can use to securely authenticate and identify themselves online while also protecting their privacy is the third key objective of the NSTIC.

Windh: Great. Well, you've explained that NSTIC is an interagency initiative, but can you also talk about the role of private industry in NSTIC, or is this primarily a government initiative?

Grant: No, "interagency" was only the process that was really carried out by the White House for actually crafting the actual strategy. The NSTIC, of itself, as we implement it—and that's the job that I was hired for about six months ago here at NIST, to stand up a national program office charged with implementing it—is very much focused on being private-sector-led. The government certainly wants to be an early adopter of solutions that come out of the NSTIC implementation, and there are a number of agencies that are already very interested in making sure that their online strategies align with the NSTIC. But our real role from the government is not to figure this out for the rest of the world, but to convene different private sector stakeholders, whether they be different players in industry, whether it's tech firms, or banks, or healthcare firms, or security firms, along with advocacy groups, you know, in the privacy and consumer communities, other interested individuals. We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. So, government will convene and we'll be an early adopter, but we are not going to actually lead this.

Windh: Let's talk about the payment implications of NSTIC. What benefits and innovations will the strategy offer consumers trying to make payments online?

Grant: Well, I don't want to get too far ahead of it in that we're still in the process of actually standing up the implementation group that will lead forward, but I think, in simple terms, what people can look forward to with NSTIC, whether it's in payments or in a variety of transactions that they engage in, is that they'll be able to obtain a stronger, more secure credential than they use today in most instances—once, that can then be used interoperably, whether it's in the payments world, in the health world, in the online commerce world. Right now there's certainly a marketplace for stronger credentials beyond passwords. However, most of the technologies that are issued tend to be single-use and thus prohibitively expensive. The business case, for, say, an individual consumer like you or me to get one, unless you are particularly vigilant about your personal security, hasn't necessarily been very strong. So, by having something that is actually interoperable you could have a credential that could be something you carry, it could be something that could be bound to, say, your smartphone, that could then be used, literally, everyplace you go online where you want to be securely identified.

Windh: This sounds like a really good high-level strategy, and obviously a lot of work has already gone into this. Can you give me an example of how NSTIC is working today? Is there any tangible implementation for Internet security already onboard?

Grant: So, at this point it's a strategy, and I tell people when we talk about NSTIC, "Keep in mind, it is a marathon and not a sprint." Where we're focused a lot this year, with the program just getting started, is really on trying to stand up a private-sector-led governance structure that can actually lead the implementation forward, and I'll talk a little bit more about that and why it's important.

If you want the private sector to lead, then you have to first figure out, well, who are the stakeholders in the private sector who actually are going to come to the table? And how do you actually ensure that you've got the right people at the table and the ones who are there can actually be properly represented? So, for the government to actually establish this takes a bit of time. We actually put out a notice of inquiry back in June and held a workshop here in D.C. on the topic, where we solicited input from a lot of different stakeholders. And we're very heavily focused right now over these next few months on actually drafting our recommendations for what this governance structure should look like, with an eye on actually having it stood up by the end of the year. That is where we are spending the bulk of our time, in that it's really the longest pole in the tent in NSTIC. If you get the governance structure right, that positions you in 2012 and beyond to have some really good activity that goes forward in defining, whether it's the technical standards for interoperability, or the security protocols, or also defining a lot of the policies and operating rules, things like, what happens in liability when something goes wrong? Or, how are the privacy rules going to work? Or, how is risk going to be allocated between different parties in the transaction? These are all the sorts of things that we want the governance structure to work on, and it's the standards and operating rules that they produce that are really going to be the foundation for NSTIC to be built on.

Beyond that, we are quite heavily focused right now on looking at pilots, both in the government as well as outside. For fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs. While those funds aren't appropriated yet, we are spending a lot of time trying to define criteria for pilots and talking to different interested stakeholders so that when those funds do come, we can actually have a competitive process that can get those dollars allocated quickly and really start to demonstrate some real progress towards implementation of the NSTIC vision into 2012.

In the government, basically, as I mentioned earlier, we want to be an early adopter, and...there are a number of agencies that are interested in aligning their online citizen-facing strategies with the NSTIC. And, I will say, we are working with a number of well-known agencies with some very high-profile applications that they want to move online, essentially trying to help them with some solutions that would align with the strategy, and, without saying too much, I would say, "Stay tuned." We think we can have some good announcements later this fall.

Windh: Well, I certainly look forward to hearing more about that. Thanks for joining us this morning, Jeremy.

Grant: My pleasure. Thanks so much.

Windh: Again, we've been speaking today with Jeremy Grant, leader of the U.S. Department of Commerce's National Strategy for Trusted Identities in Cyberspace. This concludes our Payments Spotlight podcast.

You can find more information about the Retail Payments Risk Forum by visiting our website at Thanks for listening, and please return for more podcasts. If you have comments or questions, please send us an email at