Archive for category NSTIC

NSTIC Identity Ecosystem Marketplace Roles and Concepts

This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Read the rest of this entry »

No Comments

NSTIC as a National ID

Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID

How NSTIC Might be Like a National ID

NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.

If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.

Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.

Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.

NSTIC is voluntary for the private sector and private citizens.

If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.

NSTIC credentials are not yet required to access government benefits.

Access to electronic government services may one day require an NSTIC credential.

NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.

NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.

Identity and Transaction Information is not stored in a single, centralized government database.

Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.

An NSTIC credential is designed for online transactions only.

With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

2 Comments

Why I Support Jeremy Grant, and Hope NIST Will Too

Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

No Comments

NSTIC’s Effect on Privacy

In May 2017, more than 230,000 computers around the world were taken hostage by the WannaCry malware worm. Known as ransomware, the unknown developers surreptitiously gained control of computers running the Microsoft Windows operating system, encrypted the users’ data, and demanded a payment of $300 in untraceable bitcoins to unlock the system and access information.

Cyber-attacks occur across borders and range from simple email “phishing” efforts to sophisticated software programs that quickly expand the attacks and hide the identity of the perpetrators. Motives of cyber criminals range from vanity (proving one’s technical expertise) to illegal profit. Some attacks are politically motivated while others are rarely publicized, state-sponsored sabotage. The attacks affect individuals, businesses, and governments.

According to a report by the Ponemon Institute, a successful hacker earns $14,711 for each attack and has 8.26 successful attacks per year. Sophisticated hacking tools are readily available on the Internet, especially the Dark Web. The criminals and the curious are stepping up their efforts to invade your privacy and steal your money. And the threats grow more diverse and sophisticated by the year. What actions can you take to harden the target and protect your assets? These are the best true wireless earbuds.

What actions can you take to harden the target and protect your assets?

Understand the Enemy
Malicious software can wreak havoc on your computer or operate covertly in the background. Malware (The Creeper Worm) was first detected on the ARPANET, the forerunner of the Internet, in the early 1970s. Since that time, spurred by the growth of personal computers and connected communication networks, many different types of malware have appeared, including:

Trojans: The most common malware is based on the Greek strategy to invade Troy: the Trojan Horse. In this case, users are tricked into allowing an outsider unlimited access to their computers by clicking on an unsafe Internet link, opening an email attachment, or completing a form. By themselves, Trojans are delivery vehicles, providing a “backdoor” into a computer or network. As a consequence, they open the door for malicious software to steal data, compromise operating systems, or spy on users. Trojans do not replicate themselves and spread to other devices like a virus or a worm.
Viruses: Just as a biological virus is transmitted to unsuspecting hosts, a computer virus replicates itself and infects new computers, then modifies operating programs to malfunction. Some have called viruses “diseases of machinery,” a term first coined in the 1972 futuristic film “Westworld.” One of the early viruses – Love Letter – delivered by an email with the subject line “I Love You” and an attachment “L0VE-LETTER-FOR-YOU.TXT” – attacked 55 million computers worldwide and caused an estimated $10 billion in damage, according to Wired magazine.
Worms: Unlike viruses, worms are software programs that travel from computer to computer on a network without any human action. A worm moves through the same network connections that computers use to communicate. For example, a worm could send a copy of itself to everyone listed in an email address book without knowledge of the sender and continue the cycle indefinitely with each new contact. The result can be an overloaded system, or worse, if combined with a virus – a blended threat. In 2008, one of the most notorious and widespread worms of all time, Conficker, appeared and created a worldwide botnet with millions of computers under its control. In 2009, Microsoft offered a $250,000 reward for the arrest and conviction of those who launched the worm on the Internet; the reward remains uncollected, and the purpose of the original authors is unknown. Nevertheless, versions of Conflicker continue to exist today and have appeared on connected MRI machines, CT scanners, dialysis pumps, and police body cameras.
Bots: Bots are automated processes that interact with other network services. These Internet robots are used to gather information and respond automatically to instant messaging, chat, and other web interfaces. Bots are used for beneficial or benign purposes, but can be exploited to self-propagate, connect throughout the network of connected devices, and remotely control attacks against vulnerable targets. Sometimes referred to as “zombies,” bots are more versatile than viruses or worms because they have the ability to log keystrokes, collect passwords, capture and analyze packets of information, gather financial information, launch DoS (Denial of Service) attacks, relay spam, and open backdoors on infected computers. They are more versatile, easily modified, and difficult to detect. Advertising Age reported in 2015 that Internet ad-fraud by bots mimicking human beings earned $18.5 billion annually.
Potential Attack Consequences
Potential Consequences of an Attack
The United States Congress is currently investigating several instances of alleged hacking by Russian agents that occurred during the 2016 presidential election. In the Philippines, a data breach by the hacker group Anonymous Philippines and the theft of encrypted and unencrypted biometric data affected 55 million voters. In 2017, newly elected French President Emmanuel Macron and his subordinates complained of cyber-attacks during the country’s presidential campaign.

In February 2016, hackers stole records for almost 30,000 employees of the FBI and Homeland Security. In 2015, a data breach reported by the Internal Revenue Service exposed tax information on more than 700,000 individuals. That same year, the Federal Government’s Office of Personnel Management announced the theft of personal information for more than 21 million federal employees and contractors.

Governments are not the only targets. According to the Heritage Foundation, cyber intruders hacked multiple company databases in 2016, including Hyatt Hotels Corporation, Alliance Health, Wendy’s Restaurants, Citibank, and Banner Health. The victims also included leading social network companies, such as Yahoo, Dropbox, Myspace, and LinkedIn. The consequences of hacking affect all web visitors in a variety of ways.

Potentially Unwanted Programs
Potentially Unwanted Programs (PUPs) include adware and programs that slow your computer down, track you, and clutter your screen with advertisements. According to How-To Geek, all of the free Windows and Mac software download sites bundle PuPs with their freeware. Once installed, the software loads advertising that obstructs content or interrupts web browsing with unwanted pop-up and pop-under windows. It can also hijack search engines and home pages, install toolbars, redirect Web pages, alter search results, and display false ads.

Distributed Denial of Service
In 2016, Distributed Denial of Service (DDoS) attacks affected some of the major technology companies on the Internet, limiting access to websites like Twitter, PayPal, and Spotify. According to Al Jazeera, that particular attack focused on the web traffic processor Dyn and used hundreds of thousands of connected devices, including webcams and digital video recorders that had previously been infected with malware. Even WikiLeaks founder Julian Assange’s Internet connection was affected.

The danger of DDoS attacks cannot be overstated since critical infrastructure – power systems, hospitals, air traffic systems, police and fire units, money transfer systems – could go offline and be unavailable to provide necessary services. An Incapsula survey estimates that the average DDoS attack costs its victim $40,000 per hour, with a median cost per incident of $500,000. Over 90% of the 270 U.S. companies that responded to the survey reported a DDoS attack over the last year, while two-thirds of the companies had been targeted two or more times.

Spyware
Spyware is software that is secretly loaded on an electronic device and can track keystrokes typed on a computer or phone keyboard, monitor data entered into digital forms, or record audio and video information covertly. Adware – while less intrusive than most malware – is another form of spyware and is used by advertisers and web hosts to target advertising content.

Software downloaded from the Internet often includes spyware. It can also be covertly downloaded while visiting certain Web pages, especially pornographic sites. The pages contain scripts that automatically trigger a spyware download that opens as soon as the page is accessed.

In a case involving the Lower Merion School District of Pennsylvania, 2,300 MacBooks issued by the District contained spyware that secretly snapped thousands of webcam pictures of students at home, in bed, and partially dressed. According to Wired magazine, the District agreed to pay $610,000 to two students and their attorneys. Another case involved pictures of Miss Teen USA that were taken using her webcam as she changed.

1 Comment

Crossroads

Many people don’t think of obesity as a disease, but rather as a moral failing. But Dr. Fatima Cody Stanford, instructor of medicine at Harvard Medical School and researcher and practicing physician at the Massachusetts General Hospital Weight Center, points out that obesity is a complex, chronic disease. Stanford’s recent fascinating and informative presentation explains how the body uses and stores energy, and describes the complex interplay of the genetic, developmental, hormonal, environmental, and behavioral factors that contribute to obesity. Learn how to easily treat this condition with leptoconnect.

Obesity isn’t just “calories in versus calories burned”
Obesity isn’t just about energy balance, i.e., calories in/calories out. “That’s simplistic, and if the equation were that easy to solve we wouldn’t have the prevalence of obesity that we have today,” Dr. Stanford explains. She goes on to say that not only is the energy balance theory wrong, but the focus on that simplistic equation and blaming the patient have contributed to the obesity epidemic. Stigma, blame, and shame add to the problem, and are obstacles to treatment. Indeed, over 36% of adults in the United States have obesity, and the world is not far behind.

She describes her research and experience in the treatment of obesity, including several cases from her own clinic. These are the cases that capture my attention, as they demonstrate most clearly the effects of different treatment approaches (and combinations) to obesity: diet and lifestyle (i.e. behavioral), medications, and surgery. Stanford has seen remarkable, long-lasting positive results with all, but she always emphasizes diet and lifestyle change first and foremost. The program (called Healthy Habits for Life) offered at the MGH Weight Center is a huge commitment, but it can help reframe a person’s relationship with food, emphasizing a high-quality diet, and not calorie-counting.

The components of a successful treatment for obesity
Abeer Bader is a registered dietitian and the lead clinical nutrition specialist at the center. She described the program to me in more detail: it’s a 12-week group-based education and support program with a structured curriculum and frequent contact with patients. The classes are 90 minutes long and led by a registered dietitian, and cover everything from the causes of obesity to healthy eating to debunking popular diet myths, plus recommendations for dining out, grocery shopping, meal prep, physical activity, and more. “The goal of the HHL program is to provide patients with the education, support, and tools to lead a healthy lifestyle.”

The diet they promote is loosely based on the DASH diet and the Mediterranean diet, as these eating plans are rich in vegetables, fruit, lean protein, and whole grains. They use the Harvard Healthy Plate to illustrate a healthy, well-balanced meal.

But it’s also a highly individualized program. “We work closely with the patient to put together realistic goals. I think the most important part of approaching goal-setting and behavior change is to first determine what it is that they would like to improve. Often as providers we tell patients what they need to do, but when you allow the patient to highlight an area that they would like to work on, you may see better adherence,” says Bader.

Other similar comprehensive programs have been shown to help patients achieve lasting diet and lifestyle change, lose weight — and avoid diabetes. The Diabetes Prevention Program helps those with obesity and risk of developing diabetes lose 5% to 7% of their body weight, and decreases their risk of diabetes between 58% and 71%. Diabetes usually lead to hearing loss conditions, read these Sonus Complete reviews.

As Bader states, “I think it’s important to note that the diet that “works” is the diet that a person will adhere to for the rest of his or her life. We really emphasize the importance of lifestyle change versus short-term diet fix in order to have the greatest success in achieving a healthier weight.” This statement is evidence-based, as a recent review of multiple research studies looking at different weight loss diets found that all worked about equally as well.

Medications to treat obesity
What can surprise people (including doctors) is how helpful weight loss medications can be, though it can take some trial and error to figure out what will work for someone. “These medications affect the way the brain manages the body’s weight set point, and how the brain interacts with the environment. But sometimes there’s no rhyme or reason why one medication works for someone, but another doesn’t.” Unfortunately, as research shows, weight loss medications aren’t prescribed often enough.

In summary, obesity is a complex, chronic disease with many contributing factors. Primary care doctors and obesity specialists can guide treatments that include lifestyle approaches like diet, exercise, and addressing emotional factors that contribute to obesity. For some people weight loss surgery may be an option (a subject for another post).

8 Comments