Government Cloud Authors: Elizabeth White, Pat Romanski, Dana Gardner, Liz McMillan, Gopala Krishna Behara

Related Topics: Government Cloud, Agile Computing

Government Cloud: Blog Feed Post

A National Strategy for Trusted Identities in Cyberspace

The White House has Issued a Draft for Comment of a New National Strategy for Cyberspace

The White House has issued a draft for comment of a new National Strategy for Trusted Identities in Cyberspace. The strategy draft was introduced by Howard Schmidt in a White House blog: A National Strategy for Trusted Identities in Cyberspace

Howard’s introduction included:

“Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.”

In a terrific move, the government is using the online social commenting structure of Ideascale.com to help enhance the dialog and comments on this draft. You can see the way these comments are shaping up at:  www.nstic.ideascale.com I can tell this document has already been well staffed and according to the White House release over 4000 comments were received on previous versions. I’m sorry to say I have not provided any input to date. I’m not sure how many other techie types did either.  Maybe some of my heros did and I hope I don’t say anything below that offends them if I did.

I also offer some CTO-type context below.

One thing I noted right away was that the first seven pages were little more than justification. This is clear indication that the drafters understand not all see a need for significant action here.

After those seven pages, the core of the document dives into:

  • Guiding Principles – Establishes the tenets that this Strategy must uphold in order to be successful. The Guiding Principles are necessary characteristics of the Identity Ecosystem.
  • Vision and Benefits – Presents the overarching vision the Strategy seeks to achieve along with the details of the Identity Ecosystem and the benefits for individuals, private sector, and Government.
  • Goals and Objectives – Defines what this Strategy intends to accomplish.
  • High Priority Action Plan – Introduces critical tasks that form the basis for realization of the Strategy Goals and Objectives.
  • Conclusion – Provides a high-level summary of the Strategy and a call to action for the public and private sectors.

The following are some personal opinions on those elements of the strategy:

Guiding Principles: This is perhaps the most important part of the document. I could certainly suggest re-wording a few, but that is not what is important here. What is important is capturing the key principles, and I don’t disagree with any of these. It is good to read them and clearly lots of thought was put into them.  I bet since this document has been widely staffed there is widespread agreement on these, but it is good to re-look principles, especially at the beginning of an effort like this. I hope dialog with citizens and academia and industry result in widespread acceptance. Perhaps there will be other principles captured in this interaction with the populace, but I personally cannot think of any.

Vision and Benefits: I’m sure onboard with the vision, which is: “Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.” I’m sorry to report, however, the entire rest of this section is not so impressive, at least from the standpoint of someone who likes to see progress on big issues like this. After introducing a vision the drafters immediately do a bit of a “bait and switch” and present ideas they seem to assert must be part of the solution, including a very detailed new vocabulary and a new approach for framing the future solution. This might be a solution. But there might be an infinite number of others. So how do we know this is the optimal one? What other options were considered? Is this option based on science of any sort? As a computer scientist I would like to know.

The strategy asserts that the vision will be accomplished by an ecosystem of three layers: one for execution, one for management, and one for governance. Each are then defined and new terms are proposed for each. But my sense is their are many other possible frameworks and I don’t see the level of academic rigor or practitioner’s sense I would expect in a framework like this. I want to see a framework written by masters of the art like the Carnegie- Mellon University’s Software Engineering Institute or the standard’s body OASIS. Then I’ll feel that serious thought has been put into optimizing a workable way to implement the vision.

There is certainly thought and serious attention paid to use-cases in this section, but this is supposed to be a section on vision.

But the section was titled “vision and benefits,” which underscores again that the drafters are making a point of underscoring why action is required. Three pages of solid benefits I think most of us would like to see are captured in this section. This is very useful to articulate and I hope the open dialog and comment period results in even more being captured. But it seems to be a logical flaw to suggest that the only way these benefits will be obtained is by accepting the drafter’s assertion that we must define an identify ecosystem the way it is written there.

Goals and Objectives: In a logically flowing strategy, a vision will be an endstate and the goals will be those things that must be accomplished to ensure success in reaching that endstate. Objectives contribute to achieving goals and will normally have responsible parties assigned and dates associated with when they must be completed. I’ve already mentioned the long assertion in the vision section regarding a particular approach to an ecosystem and that throws off the logic flow a bit. If that section were removed then it would probably help with the logic flow better and these goals would be in much better context. So pretend you didn’t read that part. Here are the four goals:

  • Goal 1: Develop a comprehensive Identity Ecosystem Framework.
  • Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.
  • Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.
  • Goal 4: Ensure the long-term success of the Identity Ecosystem.

I don’t see any huge problem with the goals as stated. But the lens we will just those goals are on how well they help us accomplish the vision. Remember the vision: “Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.” Keep that in mind as you think of those goals. Some of my comments are below:

Goal 1: Develop a comprehensive Identity Ecosystem Framework.

Wait a minute! An identity ecosystem framework was already asserted in the vision section. I think the goal can stand as it is but key objectives should include working with academia and the internet technology community (including standards boards) to coordinate enhanced identity management frameworks. The goal should not be to just develop and build the framework asserted by the drafters of this strategy, in my opinion. They have simply not provided any justification that their way has been thought out well enough. And with no justification they are not going to be able to compel the action required. The internet standards community works in a way where logic, trust and compelling arguments are key and collaboration is the preferred means to developing standards. I’ve seen no evidence of this occurring yet (although I have to admit it could have been, I can’t be everywhere at once!).   I have seen evidence of coordination with industry and industry bodies, but not with standards groups or academia.  I wonder about that.

So my issue is not the goal, but the means to get to it. I want to see objectives that focus on the great centers of computer science in America, like our universities and standards bodies.

Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.

This is a call for an infrastructure. I have to support this. I believe the nation needs to serve its citizens this way, like it did in serving us with canals, roads, interstate highways and other transportation systems. I can’t say the objectives listed will guarantee success. There are only three objectives presented: one on continuing government leadership, one on promoting speed in deployment, and one on promoting broad use of solutions. If we accomplish all three objectives do we have guaranteed success in the goal? I don’t think so. Seems like more work is required in this area.

Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.

It is hard to argue with this goal. Government is about service to citizens. If this system is not for the use of citizens and if they do not trust it to enhance their privacy and economic and personal freedoms then it is doomed. I’ll reserve judgement on the objectives for these goals. They seem ok on their surface.

Goal 4: Ensure the long-term success of the Identity Ecosystem.

Finally we get into a goal and objectives which give a hat tip to the standards community. This goal brings up very important points about the fact that the Internet is global and not owned by any one provider or commanded by any one country. An objective is listed that calls for enhancing US participation in technical standards bodies. This is a great goal. I would only say that participation requires engagement by very smart, educated participants because the way these bodies work is by people injective good ideas and contributing to broadly understood goals. They do not work by groups or even countries coming in and thinking they can command. Every once in a while great corporations are able to muster the technical talent required to sway a standards body their way, but even then that is not a cake walk. You must build compelling arguments.

Following the goals and objectives section is a section titled “Commitment to Action” which provides a list of nine high priority actions. I think it would have been more sound and build a stronger argument if these had been in the goals and objectives section of the plan. This reads like it is “goals and objectives part two.” What was that goals and objective section I just read? Was that supposed to be just warming me up for the real actions?

Anyway, we seem to be finally getting into the meat of the document. The nine actions seem like good things to do. Who is against DNSSEC, IPSEC and PKI? And who is against enhancing privacy? This whole list is full of smart things like that.

The conclusion of the document says: “This Strategy provides a vision for how users, service providers, and other stakeholders can improve their use of digital identities in online transactions.” As for me, I didn’t see that. I saw a good vision, but the document really lacks in the “how” department. I also saw many good actions and some terrific context. But seems like much more work is needed before we can say this strategy provides a vision for “how” we can improve use of digital identities. I think we can get there. We can get there by tapping into the great thinkers who really know identity management. The great computer science thought leaders from American academia and the standard’s bodies that make the Internet work.

Maybe the way ahead is to have the government coordinate the vision and principles and let the standards community come back with goals and objectives. The government could facilitate that interaction and keep it on track. But my sense is from reading this document the government’s role should not be to assert they know the answer, yet.

I’m not asking that the government go back to the drawing board. In fact, I’d like to see things move faster and would like to see some new ideas injected into the process.

Here is one that might help. Since many folks (like me) can criticize but few can truly produce workable ideas that scale, why not pull together a venue of the greatest minds in technology and issue the challenge to them. If the government has a compelling vision I think this could be done. I would start with the list of Turing award winners, then add in the dean’s of computer science from our greatest academic institutions. The result: a body who knows technology will be informing and guiding the strategy. When combined with the great leadership of professionals from government and the continued contributions from industry, this could be the winning approach.

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

IoT & Smart Cities Stories
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...